Re: [Samba] net groupmap woes - solved + root in domain admins solved
Hi all,

So I read in the Samba docs where in order to map a unix group with a windows group (when using LDAP backend), that unixgroup must exist in the LDAP db even though it already exists in /etc/group.

So I added the unix group of root to my LDAP db via ldapadd and using an ldif file with the desired values.

I removed the group mapping via net groupmap delete Domain Admins as net groupmap modify didn't work and added the mapping of Domain Admins to root and all is well.

I had to unjoin/rejoin the domain so that the root login worked as an Administrator on the XP box but all is well.

- Brian

On May 27, 2009, at 7:06 PM, Brian Krusic wrote:

> Hi all,
>
> I've scoured the net looking for a solution but to no avail.
>
> net groupmap list returns
>
>     Domain Admins (S-) - Domain Admins
>
> I would rather map Domain Admins to my root unix group.
>
> net groupmap modify ntgroup=Domain Admins unixgroupreturns type=d returns an error;
>
>     Could not update group database.
>
> If I delete via;
>
>     net groupmap delete Domain Admins
>
> and then
>
>     net groupmap add ntgroup=Domain Admins unixgroup=root rid=512 type=d
>
> I get;
>
>     adding entry for group Domain Admins failed!
>
> Any and I mean any feedback is greatly appreciated.
>
> - Brian

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] net groupmap woes
Hi all,

I've scoured the net looking for a solution but to no avail.

net groupmap list returns

    Domain Admins (S-) - Domain Admins

I would rather map Domain Admins to my root unix group.

net groupmap modify ntgroup=Domain Admins unixgroupreturns type=d returns an error;

    Could not update group database.

If I delete via;

    net groupmap delete Domain Admins

and then

    net groupmap add ntgroup=Domain Admins unixgroup=root rid=512 type=d

I get;

    adding entry for group Domain Admins failed!

Any and I mean any feedback is greatly appreciated.

- Brian
[Samba] net groupmap add problems since 3.0.23 version
Hello List,

As I didn't receive any answers on my first request regarding the new groupmap mechanism since samba version 3.0.23 I try it once again and more detailed.

Situation before upgrade to samba 3.0.28:

We run a solaris 9 server with samba 3.0.21 which serves a share named backup to which all domain users belonging to a special active directory group can connect and save their mail db and other data. This runs without any interaction, just net use x: \\servername\sharename. No users exist in /etc/passwd, access is handled only by Active Directory groups and the associated unix group(s). That has been realised via the net groupmap add command and worked perfectly over the years since samba version 3.0.7a!

Due to security risks in samba we were forced to upgrade to version 3.0.28 (all the same problems since version 3.0.24). I studied the what's changed logs and samba howtos and think I've done it right, but I fear I've overlooked something essential.

Output from net groupmap list:

    # net groupmap list
    Domain Users (S-1-5-21-1454471165-527237240-682003330-513) - users
    sbs_ors (S-1-5-21-1454471165-527237240-682003330-133792) - sbs_ors_ux
    Domain Guests (S-1-5-21-1454471165-527237240-682003330-514) - nobody
    Administrators (S-1-5-32-544) - 10
    adv (S-1-5-21-1454471165-527237240-682003330-48325) - adv
    Domain Admins (S-1-5-21-1454471165-527237240-682003330-512) - ntadmin
    Users (S-1-5-32-545) - 11

Output from net groupmap add command:

    # net groupmap add sid=S-1-5-21-1454471165-527237240-682003330-133792 ntgroup=sbs_ors unixgroup=sbs_ors_ux type=d
    Successfully added group sbs_ors to the mapping db as a domain group

This is a major group with some nested groups and I'm a member of one. Since version 3.0.7a nested groups are supported, but I'm not able to connect, all I get is a pop up login window, also net view \\servername fails with access denied.

Now my question: is that configuration still supported at all, or has it broken due to security risks; if not pls tell me how to proceed with new samba version, what did I overlook

Best Regards
Martin Schreiber

Martin Schreiber
Siemens IT Solutions and Services GmbH
Gudrunstrasse 11
A-1101 Wien
Tel: +43(0)51707 47565
Fax: +43(0) 51707 57560
[EMAIL PROTECTED]
http://www.siemens.at/it-solutions
[Samba] net groupmap add
Hi List,

We have a pretty complex samba configuration running version 3.0.21, this worked for about 2 years, but due to security reasons we need to upgrade to latest version 3.0.28.

I have no local unix users created on our host, all access is regulated via the valid user = @AD+group statement and the net groupmap add command. This worked great, but seems broken in latest versions since 3.0.23.

I checked the latest howtos, but no success, seems that I overlooked some essentials...

Now my smb.conf (only the relevant lines)

    workgroup = WWxxx
    server string = [EMAIL PROTECTED]
    security = DOMAIN
    netbios name = ATWS26QC
    encrypt passwords = Yes
    client schannel = no
    client use spnego = no
    server signing = auto
    config file = /usr/local/samba/lib/smb.conf
    password server = vieg10wa
    passdb expand explicit = no
    password level = 1
    winbind uid = 10-13
    winbind gid = 10-12
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    winbind use default domain = yes
    winbind nested groups = yes

    #the shares
    [home2]
    path = /home2
    valid users = @sbs_ors_ux @sbs_ors
    read only = no
    browseable = yes

-- output from net groupmap list --

    # bin/net groupmap list
    Administrators (S-1-5-32-544) - 10
    sbs_ors (S-1-5-21-3932861455-2822179577-2594212704-125693) - sbs_ors_ux  (that's the relevant group)
    Users (S-1-5-32-545) - 11

But I can't get it to work, I'm always asked for a password, but should work seamless, as it does with old samba version.

Hope there's someone who can give me some hints, like a working smb.conf and or a howto to manage the net groupmap add command in the proper way

Best regards
Martin

Martin Schreiber
Siemens IT Solutions and Services GmbH
Gudrunstrasse 11
A-1101 Wien
Tel: +43(0)51707 47565
Fax: +43(0) 51707 57560
[EMAIL PROTECTED]
http://www.siemens.at/it-solutions
Re: [Samba] net groupmap -- HELP!
Urs Golla wrote:

> Hello
>
> I still have a problem with the net groupmap add command. If I add a domain group to a local group, the members of the domain group should show up as members of the local group. Or am I totally wrong?

Yes. But that is only supported by winbindd and the winbind nested groups option.

jerry
[Samba] net groupmap -- HELP!
Hello

I still have a problem with the net groupmap add command. If I add a domain group to a local group, the members of the domain group should show up as members of the local group. Or am I totally wrong?

cheers
Re: [Samba] net groupmap -- HELP!
Hi

I mean, if I do a net groupmap add mydomaingroup mylocalgroup. what is exactly the result of this?

cheers

On 6/1/07, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:

> Urs Golla wrote:
>
> > Hello
> >
> > I still have a problem with the net groupmap add command. If I add a domain group to a local group, the members of the domain group should show up as members of the local group. Or am I totally wrong?
>
> Yes. But that is only supported by winbindd and the winbind nested groups option.
>
> jerry
Re: [Samba] net groupmap -- HELP!
Urs Golla wrote:

> Hi
>
> I mean, if I do a net groupmap add mydomaingroup mylocalgroup. what is exactly the result of this?

That's not valid syntax. Run net group for the syntax help text.

cheers, jerry
Re: [Samba] net groupmap -- HELP!
Usage:
  net time                 to view or set time information
  net lookup               to lookup host name or ip address
  net user                 to manage users
  net group                to manage groups
  net sam                  to edit the local user database directly
  net lookup               to look up various things
  net groupmap             to manage group mappings
  net join                 to join a domain
  net cache                to operate on cache tdb file
  net getlocalsid [NAME]   to get the SID for local name
  net setlocalsid SID      to set the local domain SID
  net setdomainsid SID     to set the domain SID on member servers
  net changesecretpw       to change the machine password in the local secrets database only
                           this requires the -f flag as a safety barrier
  net status               Show server status
  net usersidlist          to get a list of all users with their SIDs
  net usershare            to add, delete and list locally user-modifiable shares

  net ads command          to run ADS commands
  net rap command          to run RAP (pre-RPC) commands
  net rpc command          to run RPC commands

Type net help option to get more information on that option

Valid targets: choose one (none defaults to localhost)
  -S or --server=server        server name
  -I or --ipaddress=ipaddr     address of target server
  -w or --workgroup=wg         target workgroup or domain

Valid miscellaneous options are:
  -p or --port=port            connection port on target
  -W or --myworkgroup=wg       client workgroup
  -d or --debuglevel=level     debug level (0-10)
  -n or --myname=name          client name
  -U or --user=name            user name
  -s or --configfile=path      pathname of smb.conf file
  -l or --long                 Display full information
  -V or --version              Print samba version information
  -P or --machine-pass         Authenticate as machine account

On 6/1/07, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:

> Urs Golla wrote:
>
> > Hi
> >
> > I mean, if i do a net groupmap add mydomaingroup mylocalgroup. what is exactly the result of this?
>
> That's not valid syntax. run net group for the syntax help text.
>
> cheers, jerry
Fwd: [Samba] Net groupmap list puzzler
Hi,

I think at first you have to do a net groupmap add all the well known Groups.

    System Operators (S-1-5-32-549) - -1
    Replicators (S-1-5-32-552) - -1
    Guests (S-1-5-32-546) - -1
    Domain Users (S-1-5-21-3732367786-856876144-3282938955-513) - -1
    Domain Admins (S-1-5-21-3732367786-856876144-3282938955-512) - -1
    Power Users (S-1-5-32-547) - -1
    Domain Guests (S-1-5-21-3732367786-856876144-3282938955-514) - -1
    Print Operators (S-1-5-32-550) - -1
    Administrators (S-1-5-32-544) - -1
    Account Operators (S-1-5-32-548) - -1
    Backup Operators (S-1-5-32-551) - -1
    Users (S-1-5-32-545) - -1

This is my example working with suse

    groupadd ntadmins
    groupadd domusers
    net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=domain
    net groupmap add ntgroup="Domain Users" unixgroup=domusers rid=513 type=domain

This case go through all groups you need mapping the groups with the right rid.

After done this a net groupmap list must be shown this way:

    Domain Users (S-1-5-21-3732367786-856876144-3282938955-513) - domusers
    Domain Admins (S-1-5-21-3732367786-856876144-3282938955-512) - ntadmins
    Domain Guests (S-1-5-21-3732367786-856876144-3282938955-514) - nobody

To grant the rights to the group with the rid 512 Domain Admins you gotta do a rpc right grant for this group and set in the global of your smb.conf

    enable privileges=yes

greetings
daniel

Original Message
Date: Tue, 20 Feb 2007 13:50:14 -0600
From: Craig Jackson [EMAIL PROTECTED]
To: samba@lists.samba.org
CC:
Subject: [Samba] Net groupmap list puzzler

> Hi Dudes,
>
> I have a samba Version 3.0.23d that has successfully joined our Server 2003 ADS domain.
>
>     # wbinfo -u    shows the users
>     # wbinfo -g    shows the groups
>
> And I can chown/grp directories to NT users groups.
>
> However, # net groupmap list only shows
>
>     Administrators (S-1-5-32-544) - BUILTIN\administrators
>     Users (S-1-5-32-545) - BUILTIN\users
>
> So if I try to map groups, this is what happens.
>
>     # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins
>     # NT Group Domain Admins doesn't exist in mapping DB
>
> One other problem. I get permission denied when I try to Modify ACLs. The ext3 file system is mounted with acl and nt acl support = yes is in the share section defined.
>
> Please help with a hint. I have Googled and read the Samba Chapter 12/13 on the net command to no avail.
>
> Thanks.
> Craig
[Samba] Net groupmap list puzzler
Hi Dudes,

I have a samba Version 3.0.23d that has successfully joined our Server 2003 ADS domain.

    # wbinfo -u    shows the users
    # wbinfo -g    shows the groups

And I can chown/grp directories to NT users groups.

However, # net groupmap list only shows

    Administrators (S-1-5-32-544) - BUILTIN\administrators
    Users (S-1-5-32-545) - BUILTIN\users

So if I try to map groups, this is what happens.

    # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins
    # NT Group Domain Admins doesn't exist in mapping DB

One other problem. I get permission denied when I try to Modify ACLs. The ext3 file system is mounted with acl and nt acl support = yes is in the share section defined.

Please help with a hint. I have Googled and read the Samba Chapter 12/13 on the net command to no avail.

Thanks.
Craig
[Samba] net groupmap list show no results
Hi Guys

I am running FreeBSD 5.4, with version Samba-3-0-23b, and when I run 'net groupmap list', the output is blank. Seems like it's not matching or looking at the local groups that are created by default on the system. I have deleted the group_mapping.tdb in the /var/db/samba directory which gets recreated either when samba is reloaded or when the 'net groupmap list' command is run.

I have the domain controller version of samba running at another client with samba version samba-3.0.14a and the same config.

Can anybody assist me with this problem. Below is my config:

    [global]
    workgroup = SACCAWU
    server string = Saccawu Directory Server
    security = user
    load printers = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    passdb backend = tdbsam
    unix password sync = Yes
    passwd program = /usr/local/sbin/passwdwrap.sh %u
    passwd chat = *new*password* %n\n *new*password* %n\n *Changed*
    passwd chat debug = Yes
    socket options = TCP_NODELAY
    local master = yes
    os level = 255
    domain master = yes
    preferred master = yes
    domain logons = yes
    dns proxy = no
    add user script = /usr/sbin/pw useradd %u -g users
    add group script = /usr/sbin/pw groupadd %g
    add machine script = /usr/sbin/pw adduser %u -g machines -c Machine -d /dev/null -s /dev/null
    delete user script = /usr/sbin/pw userdel %u
    delete group script = /usr/sbin/pw groupdel %g
    username map = /usr/local/etc/smbusers
    logon script = logon.bat
    logon path =
    logon drive = H:
    logon home = \\%L\%U

--
Regards
Pyuesh Daya
Beginning 2 End Technologies (Pty) Ltd
Tel : +27 861 223 223
Fax : +27 11 447 9927
Cell: +27 82 777 9983
E-Mail: [EMAIL PROTECTED]
WebSite: http://www.b2e.co.za
[Samba] net groupmap error
Hi all,

I am currently following the example in chapter 2 of the Samba-3 by example book. Everything worked fine until I start mapping Windows Domain Groups to UNIX groups. When I issue the command

    net groupmap modify ntgroup="Domain Admins" unixgroup=root

I get the following error:

    groupdb/mapping.c:init_group_mapping(134)
      Failed to open group mapping database
    groupdb/mapping.c:get_group_map_from_ntname(325)
      get_group_map_from_ntname

I am running Samba in a fresh Fedora Core 4 installation, and I am using the Samba 3.0.20 RPM's from the samba team's website.

Could someone please help me, or at least point me to a direction in which to find the problem?

Thanks in advance,
Jeroen Keiren
Re: [Samba] net groupmap error
Kerie wrote:

> Hi all,
>
> I am currently following the example in chapter 2 of the Samba-3 by example book. Everything worked fine until I start mapping Windows Domain Groups to UNIX groups. When I issue the command
>
>     net groupmap modify ntgroup="Domain Admins" unixgroup=root
>
> I get the following error:
>
>     groupdb/mapping.c:init_group_mapping(134)
>       Failed to open group mapping database
>     groupdb/mapping.c:get_group_map_from_ntname(325)
>       get_group_map_from_ntname
>
> I am running Samba in a fresh Fedora Core 4 installation, and I am using the Samba 3.0.20 RPM's from the samba team's website.
>
> Could someone please help me, or at least point me to a direction in which to find the problem?
>
> Thanks in advance,
> Jeroen Keiren

Hi,

What is your password backend ?

--
Stéphane Purnelle [EMAIL PROTECTED]
Website: http://www.linuxplusvalue.be
Re: [Samba] net groupmap error
> Hi,
>
> What is your password backend ?

My backend is just the default backend (smbpasswd with tdb files)

> --
> Stéphane Purnelle [EMAIL PROTECTED]
> Website: http://www.linuxplusvalue.be
Re: [Samba] net groupmap error
Kerie wrote:

> > Hi,
> >
> > What is your password backend ?
>
> My backend is just the default backend (smbpasswd with tdb files)
>
> > --
> > Stéphane Purnelle [EMAIL PROTECTED]
> > Website: http://www.linuxplusvalue.be

What is the output of net groupmap list ?

--
Stéphane Purnelle [EMAIL PROTECTED]
Website: http://www.linuxplusvalue.be
Re: [Samba] net groupmap error
Stéphane Purnelle wrote:

> Kerie wrote:
>
> > > Hi,
> > >
> > > What is your password backend ?
> >
> > My backend is just the default backend (smbpasswd with tdb files)
>
> What is the output of net groupmap list ?

The output of net groupmap list is identical to the output stated earlier. For your convenience I will repeat it here:

    [2006/01/02 16:37:02, 0] groupdb/mapping.c:init_group_mapping(134)
      Failed to open group mapping database
    [2006/01/02 16:37:02, 0] groupdb/mapping.c:enum_group_mapping(415)
      failed to initialize group mapping

> --
> Stéphane Purnelle [EMAIL PROTECTED]
> Website: http://www.linuxplusvalue.be
Re: [Samba] net groupmap error
> The output of net groupmap list is identical to the output stated earlier. For your convenience I will repeat it here:
>
>     [2006/01/02 16:37:02, 0] groupdb/mapping.c:init_group_mapping(134)
>       Failed to open group mapping database
>     [2006/01/02 16:37:02, 0] groupdb/mapping.c:enum_group_mapping(415)
>       failed to initialize group mapping

Does the user you're running net as (should be root) have write access to /var/cache/samba, or wherever the .tdb files are being stored? Also the user running smbd should have write access here as well.

Cheers,
Adam.
[Samba] samba net groupmap
On Fri, December 2, 2005 2:48 am, Stefan Sowa said:

> Hello List,
>
> on a windows-pc are files with an EURO-Sign included in the filenames. This is working between all XP and 2000 Clients. But if I try to access such a file from a linux-box, I cannot read these files. I switched to the german charset with EURO Sign but no success. Then I tried the cifs instead of smbfs. But the same effect. Switching to UTF-8 doesn't work too.
>
> Example: The wintEUROSIGNuro.txt file was created on a WindowsXP Workstation. All other files are created from the Linuxbox with writeaccess to the WindowsXP PC.
>
>     mount -t cifs //192.168.9.115/Xchange /mnt/test -o codepage=cp850,iocharset=iso8859-15,unixcharset=iso8859-15
>
>     [EMAIL PROTECTED] ]# ls -lah /mnt/test/EURO
>     insgesamt 2,5K
>     drwxrwxrwx 1 root root 0 2005-12-01 16:30 .
>     drwxrwxrwx 1 root root 0 2005-12-01 14:26 ..
>     -rwxrwSrwt 1 root root 7 2005-12-01 09:14 [EMAIL PROTECTED] (linux)
>     -rwxrwSrwt 1 root root 7 2005-12-01 10:09 Turo(linux)
>     -rwxrwSrwt 1 root root 0 2005-12-01 14:37 Ümläute (linux)
>     -rwxrwSrwt 1 root root 7 2005-12-01 09:40 uro (linux)
>     -rwxrwSrwt 1 root root 23 2005-12-01 14:26 wint?uro.txt (win)
>
> 1.
>
>     [EMAIL PROTECTED] ]# ls -lah /mnt/test/EURO/wint\?uro.txt
>     -rwxrwSrwt 1 root root 23 2005-12-01 14:26 /mnt/test/EURO/wint?uro.txt
>
> (seems to work)
>
> Now with arrow-up from the history:
>
> 2.
>
>     [EMAIL PROTECTED] ]# ls -lah /mnt/test/EURO/wint\?uro.txt
>     ls: /mnt/test/EURO/wint?uro.txt: Datei oder Verzeichnis nicht gefunden
>
> (no such file or directory)
>
> 3.
>
>     [EMAIL PROTECTED] ]# cat /mnt/test/EURO/wint\?uro.txt
>     cat: /mnt/test/EURO/wint?uro.txt: Datei oder Verzeichnis nicht gefunden
>
> (no such file or directory)
>
> NGREP Analysis:
> ---
> I don't know what to do. So I ngreped the stuff:
>
> 1. the first ls (seems to work)
>
>     SMB2.c..B./\.E.U.R.O.\.w.i.n.t.\.?.u.r.o...t.x.t...
>
> = the strange ? sign gets escaped. It seems to work.
>
> 2. the second ls
>
>     SMB2.d...d..,.,.B.-\.E.U.R.O.\.w.i.n.t.?.u.r.o...t.x.t...
>
> 3. cat
>
>     .h...i...[EMAIL PROTECTED]'..\.E.U.R.O.\.w.i.n.t.?.u.r.o...t.x.t...
>
> What can I do? No matter if I cannot see the EURO Sign. But I have to backup these files. Windows is allowing these characters.
>
> regards
> Stefan

When mapping nt groups to unixgroups must the users on the linux system be a member of the group to read files from the system? I am talking particularly about the domain users group. Or must it just be a valid group
[Samba] net groupmap list error
Hi all

I have installed samba 3 and made pdc. I had added root to Domain admins, and a group called sambaclients to Domain users.

I had changed the hostname of the system, now when I give the following command, net groupmap list | sort, I am seeing 2 Domain Admins, Domain Groups,

    System Operators (S-1-5-32-549) - -1
    Replicators (S-1-5-32-552) - -1
    Guests (S-1-5-32-546) - -1
    Domain Guests (S-1-5-21-3091284392-2213253635-2044042662-514) - nobody
    Domain Admins (S-1-5-21-3091284392-2213253635-2044042662-512) - root
    Power Users (S-1-5-32-547) - -1
    Print Operators (S-1-5-32-550) - -1
    Administrators (S-1-5-32-544) - -1
    Account Operators (S-1-5-32-548) - -1
    Domain Users (S-1-5-21-3091284392-2213253635-2044042662-513) - sambaclients
    Domain Users (S-1-5-21-3752786733-469682067-4035343919-513) - -1
    Domain Admins (S-1-5-21-3752786733-469682067-4035343919-512) - -1
    Domain Guests (S-1-5-21-3752786733-469682067-4035343919-514) - -1
    Backup Operators (S-1-5-32-551) - -1
    Users (S-1-5-32-545) - -1

Can I delete 1 Domain Admins, Domain Groups, .. please suggest..

Regards
Niranjan
Re: [Samba] net groupmap list error
On Mon, 2005-11-21 at 20:53 +0530, mallapadi niranjan wrote:

> Hi all
>
> I have installed samba 3 and made pdc. I had added root to Domain admins, and a group called sambaclients to Domain users.
>
> I had changed the hostname of the system, now when I give the following command, net groupmap list | sort, I am seeing 2 Domain Admins, Domain Groups,
>
>     System Operators (S-1-5-32-549) - -1
>     Replicators (S-1-5-32-552) - -1
>     Guests (S-1-5-32-546) - -1
>     Domain Guests (S-1-5-21-3091284392-2213253635-2044042662-514) - nobody
>     Domain Admins (S-1-5-21-3091284392-2213253635-2044042662-512) - root
>     Power Users (S-1-5-32-547) - -1
>     Print Operators (S-1-5-32-550) - -1
>     Administrators (S-1-5-32-544) - -1
>     Account Operators (S-1-5-32-548) - -1
>     Domain Users (S-1-5-21-3091284392-2213253635-2044042662-513) - sambaclients
>     Domain Users (S-1-5-21-3752786733-469682067-4035343919-513) - -1
>     Domain Admins (S-1-5-21-3752786733-469682067-4035343919-512) - -1
>     Domain Guests (S-1-5-21-3752786733-469682067-4035343919-514) - -1
>     Backup Operators (S-1-5-32-551) - -1
>     Users (S-1-5-32-545) - -1
>
> Can I delete 1 Domain Admins, Domain Groups, .. please suggest..

Probably - tdb or ldap passdb? I am presuming that you don't want the two SID's present. What do you get from 'net getlocalsid' ?

Craig
Re: [Samba] net groupmap list error
On Monday 21 November 2005 08:23, mallapadi niranjan wrote:

> Hi all
>
> I have installed samba 3 and made pdc. I had added root to Domain admins, and a group called sambaclients to Domain users.
>
> I had changed the hostname of the system, now when I give the following command, net groupmap list | sort, I am seeing 2 Domain Admins, Domain Groups,
>
>     System Operators (S-1-5-32-549) - -1
>     Replicators (S-1-5-32-552) - -1
>     Guests (S-1-5-32-546) - -1
>     Domain Guests (S-1-5-21-3091284392-2213253635-2044042662-514) - nobody
>     Domain Admins (S-1-5-21-3091284392-2213253635-2044042662-512) - root
>     Power Users (S-1-5-32-547) - -1
>     Print Operators (S-1-5-32-550) - -1
>     Administrators (S-1-5-32-544) - -1
>     Account Operators (S-1-5-32-548) - -1
>     Domain Users (S-1-5-21-3091284392-2213253635-2044042662-513) - sambaclients
>     Domain Users (S-1-5-21-3752786733-469682067-4035343919-513) - -1
>     Domain Admins (S-1-5-21-3752786733-469682067-4035343919-512) - -1
>     Domain Guests (S-1-5-21-3752786733-469682067-4035343919-514) - -1
>     Backup Operators (S-1-5-32-551) - -1
>     Users (S-1-5-32-545) - -1
>
> Can I delete 1 Domain Admins, Domain Groups, .. please suggest..

I presume you are not using an LDAP passdb backend. Execute net groupmap cleanup - that should remove the rogue SIDs.

- John T.
Re: [Samba] net groupmap list error
Hello List,

[EMAIL PROTECTED] wrote on 21.11.2005 17:03:54:

> On Monday 21 November 2005 08:23, mallapadi niranjan wrote:
>
> > Hi all
> >
> > I have installed samba 3 and made pdc. I had added root to Domain admins, and a group called sambaclients to Domain users.
> >
> > I had changed the hostname of the system, now when I give the following command, net groupmap list | sort, I am seeing 2 Domain Admins, Domain Groups,
> > [...]
> > Can I delete 1 Domain Admins, Domain Groups, .. please suggest..
>
> I presume you are not using an LDAP passdb backend. Execute net groupmap cleanup - that should remove the rogue SIDs.
>
> - John T.

I've made a copy of the file group_mapping.tdb and deleted the original file. Then I have seen the standard groups which were mapped to -1 (no group) and mapped them to the unix groups they were mapped before.

After that I have seen that there is net groupmap cleanup. Is this the better way to cleanup the groupmapping?

Do I have to stop the daemons (nmbd and smbd) before and start them after? We use tdbsam as passdb backend.

Michael
Re: [Samba] net groupmap list error
On Monday 21 November 2005 09:33, Michael Billerbeck wrote:

Can I delete 1 Domain Admins, Domain Groups, .. please suggest..

I presume you are not using an LDAP passdb backend. Execute net groupmap cleanup - that should remove the rogue SIDs.

- John T.

I've made a copy of the file group_mapping.tdb and deleted the original file. Then I have seen the standard groups which were mapped to -1 (no group) and mapped them to the unix groups they were mapped before. After that I have seen that there is net groupmap cleanup. Is this the better way to cleanup the groupmapping?

Yes, only because it saves you from having to re-create the mappings.

Do I have to stop the daemons (nmbd and smbd) before and start them after? We use tdbsam as passdb backend.

No.

- John T.
[Samba] net groupmap question
Hi,

I currently have setup Samba 3.0.10-1.4E on a Centos 4 (RH4 clone) Linux Server. I have setup Samba as a PDC. I have PC clients with Win98, 2000 and XP. I have setup my groupmaps according to the following how-to: http://us1.samba.org/samba/docs/man/Samba-Guide/small.html

I would like to know what is the net groupmap command that can make my Domain users to be Local admin of their PCs. I know we can do it locally on the PC but I would like to avoid entering that info manually at each station. Do I need to use roaming profiles? Or it's not necessary or it doesn't have anything to do with my problem.

Thanks

JF Leblond
jfleblond _AT_ videotron.ca
[Samba] net groupmap list
I have installed samba 3.0.14a

When I run net groupmap list I receive this output:

[2005/06/26 11:41:17, 0] param/loadparm.c:map_parameter(2465)
  Unknown parameter encountered: workgrouup
[2005/06/26 11:41:17, 0] param/loadparm.c:lp_do_parameter(3153)
  Ignoring unknown parameter workgrouup
[2005/06/26 11:41:17, 0] param/loadparm.c:map_parameter(2465)
  Unknown parameter encountered: logon driver
[2005/06/26 11:41:17, 0] param/loadparm.c:lp_do_parameter(3153)
  Ignoring unknown parameter logon driver
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-2754292495-3167660160-666997666-513) - -1
Domain Admins (S-1-5-21-2754292495-3167660160-666997666-512) - root
Domain Guests (S-1-5-21-2754292495-3167660160-666997666-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

I think that the first part of the record is not correct. What can I do to correct those?

Thanks

Andrea
Re: [Samba] net groupmap list
Check ALL your spelling. I think workgrouup should be spelled as a workgroup. Few more mistakes like this and nothing can work.

On 6/26/05, Andrea Bencini [EMAIL PROTECTED] wrote:

I have installed samba 3.0.14a

When I run net groupmap list receive this output:

[2005/06/26 11:41:17, 0] param/loadparm.c:map_parameter(2465)
  Unknown parameter encountered: workgrouup
[2005/06/26 11:41:17, 0] param/loadparm.c:lp_do_parameter(3153)
  Ignoring unknown parameter workgrouup
[2005/06/26 11:41:17, 0] param/loadparm.c:map_parameter(2465)
  Unknown parameter encountered: logon driver
[2005/06/26 11:41:17, 0] param/loadparm.c:lp_do_parameter(3153)
  Ignoring unknown parameter logon driver
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-2754292495-3167660160-666997666-513) - -1
Domain Admins (S-1-5-21-2754292495-3167660160-666997666-512) - root
Domain Guests (S-1-5-21-2754292495-3167660160-666997666-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

I thing that the first part of the record are not correct. What can I do to correct those?

Thank

Andrea

--
Advocatus Diaboli - someone should do this job.
some kind of Molot
some kind of monster ;)
jid:[EMAIL PROTECTED]
alt mailto:[EMAIL PROTECTED]
gg:4588787
[Samba] net groupmap add/modify script fails
I am following the installation described in Chapter 3 of Samba By Example (http://samba.org/samba/docs/man/Samba-Guide/secure.html) and at Step 5 I run into the following problem:

I copied the example script to /etc/samba/initGrps.sh and customized the group names, then

brandy:/etc/samba# chmod 755 initGrps.sh
brandy:/etc/samba# ./initGrps.sh
groupadd: group akkaras exists
groupadd: group aksteinhilber exists
groupadd: group akstark exists
Updated mapping entry for Domain Admins
Updated mapping entry for Domain Users
Updated mapping entry for Domain Guests
No rid or sid specified, choosing algorithmic mapping
adding entry for group AK Karas failed!
No rid or sid specified, choosing algorithmic mapping
adding entry for group AK Steinhilber failed!
No rid or sid specified, choosing algorithmic mapping
adding entry for group AK Stark failed!

Then after RTFMing I tried

brandy:/etc/samba# net groupmap list | sort
Account Operators (S-1-5-32-548) - -1
Administrators (S-1-5-32-544) - -1
AK Karas (S-1-5-21-1348455924-348699262-4184906134-3003) - akkaras
AK Stark (S-1-5-21-1348455924-348699262-4184906134-3007) - akstark
AK Steinhilber (S-1-5-21-1348455924-348699262-4184906134-3005) - aksteinhilber
Backup Operators (S-1-5-32-551) - -1
Domain Admins (S-1-5-21-1348455924-348699262-4184906134-512) - root
Domain Admins (S-1-5-21-1972254233-2250998545-1379234658-512) - -1
Domain Guests (S-1-5-21-1348455924-348699262-4184906134-514) - nogroup
Domain Guests (S-1-5-21-1972254233-2250998545-1379234658-514) - -1
Domain Users (S-1-5-21-1348455924-348699262-4184906134-513) - -1
Domain Users (S-1-5-21-1972254233-2250998545-1379234658-513) - users
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Replicators (S-1-5-32-552) - -1
System Operators (S-1-5-32-549) - -1

So, it appears (at least to me) that the mapping has worked, but what is failing then?

Thanks in advance!!!
Re: [Samba] net groupmap add/modify script fails
On Thursday 09 June 2005 09:38, Jeremy wrote:

I am following the installation described in Chapter 3 of Samba By Example (http://samba.org/samba/docs/man/Samba-Guide/secure.html) and at Step 5 i run into the following problem:

I copied the example script to /etc/samba/initGrps.sh and customized the group names, then

brandy:/etc/samba# chmod 755 initGrps.sh
brandy:/etc/samba# ./initGrps.sh
groupadd: group akkaras exists
groupadd: group aksteinhilber exists
groupadd: group akstark exists
Updated mapping entry for Domain Admins
Updated mapping entry for Domain Users
Updated mapping entry for Domain Guests
No rid or sid specified, choosing algorithmic mapping
adding entry for group AK Karas failed!
No rid or sid specified, choosing algorithmic mapping
adding entry for group AK Steinhilber failed!
No rid or sid specified, choosing algorithmic mapping
adding entry for group AK Stark failed!

How often have you run the initGrps.sh script?

Then after RTFMing I tried

brandy:/etc/samba# net groupmap list | sort
Account Operators (S-1-5-32-548) - -1
Administrators (S-1-5-32-544) - -1
AK Karas (S-1-5-21-1348455924-348699262-4184906134-3003) - akkaras
AK Stark (S-1-5-21-1348455924-348699262-4184906134-3007) - akstark
AK Steinhilber (S-1-5-21-1348455924-348699262-4184906134-3005) - aksteinhilber
Backup Operators (S-1-5-32-551) - -1
Domain Admins (S-1-5-21-1348455924-348699262-4184906134-512) - root
Domain Admins (S-1-5-21-1972254233-2250998545-1379234658-512) - -1
Domain Guests (S-1-5-21-1348455924-348699262-4184906134-514) - nogroup
Domain Guests (S-1-5-21-1972254233-2250998545-1379234658-514) - -1
Domain Users (S-1-5-21-1348455924-348699262-4184906134-513) - -1
Domain Users (S-1-5-21-1972254233-2250998545-1379234658-513) - users
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Replicators (S-1-5-32-552) - -1
System Operators (S-1-5-32-549) - -1

Your Samba SID has changed for one of the reasons documented in chapter 8 of the Samba-3 By Example book (current on-line version). You have multiple entries for Domain Users, Domain Groups, Domain Guests. Get rid of them by executing:

net groupmap cleanup

That should leave things in a sane state.

- John T.

So, it appears (atleast to me) that the mapping has worked, but what is failing then?

Thanks in advance!!!

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
[Samba] net groupmap problem
Hi list,

I'm having problems removing entries using net groupmap. When I use net groupmap ntgroup=Domain Guests I see a message saying it has been successfully removed Domain Guests from the mapping db. The problem is I have multiple Domain Guests with the same sid. Can someone please tell me how to remove duplicates?

I've also tried net groupmap delete sid=S-1-5-21-705938202-4238141491-2786779978 but I get a message saying Failed to removing group S-1-5-21-705938202-4238141491-2786779978 from the mapping db!. Also tried net groupmap cleanup but that doesn't work either.

If there is no way of removing the entries using commands can I just delete the database?

TIA

Phil

System Operators (S-1-5-32-549) - -1
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-514) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-1199) - nobody
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Account Operators (S-1-5-21-705938202-4238141491-2786779978-1021) - wheel
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
Backup Operators (S-1-5-21-705938202-4238141491-2786779978-1003) - bin
Print Operators (S-1-5-21-705938202-4238141491-2786779978-1015) - lp
Domain Users (S-1-5-21-705938202-4238141491-2786779978-513) - -1
System Operators (S-1-5-21-705938202-4238141491-2786779978-1005) - daemon
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-512) - -1
Re: [Samba] net groupmap problem SOLVED!
I was doing something silly. I was using S-1-5-21-705938202-4238141491-2786779978 instead of S-1-5-21-705938202-4238141491-2786779978-1199.

Phil.

Phil Dawson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
18/03/2005 08:31
To: samba@lists.samba.org
cc:
Subject: [Samba] net groupmap problem

Hi list,

I'm having problems removing entries using net groupmap. When I use net groupmap ntgroup=Domain Guests I see a message saying it has been successfully removed Domain Guests from the mapping db. The problem is I have multiple Domain Guests with the same sid. Can someone please tell me how to remove duplicates?

I've also tried net groupmap delete sid=S-1-5-21-705938202-4238141491-2786779978 but I get a message saying Failed to removing group S-1-5-21-705938202-4238141491-2786779978 from the mapping db!. Also tried net groupmap cleanup but that doesn't work either.

If there is no way of removing the entries using commands can I just delete the database?

TIA

Phil

System Operators (S-1-5-32-549) - -1
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-514) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-1199) - nobody
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Account Operators (S-1-5-21-705938202-4238141491-2786779978-1021) - wheel
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
Backup Operators (S-1-5-21-705938202-4238141491-2786779978-1003) - bin
Print Operators (S-1-5-21-705938202-4238141491-2786779978-1015) - lp
Domain Users (S-1-5-21-705938202-4238141491-2786779978-513) - -1
System Operators (S-1-5-21-705938202-4238141491-2786779978-1005) - daemon
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-512) - -1
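The checks the replies above describe (entries left over from an earlier domain SID, groups still mapped to -1, and a delete target that is a domain SID rather than a full group SID), as an added example that is not part of any post in this thread. It assumes the current domain SID is the value reported by `net getlocalsid`; the sample listing, its SIDs and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed values: stand-in for the SID printed by `net getlocalsid`.
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed sample in the format of the listings in this thread. The archive
# shows " - " between SID and Unix group; the net tool prints " -> ".
SAMPLE = """\
[2005/06/26 11:41:17, 0] param/loadparm.c:map_parameter(2465)
  Unknown parameter encountered: workgrouup
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> root
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> -1
Domain Admins (S-1-5-21-4444444444-5555555555-6666666666-512) -> -1
Domain Users (S-1-5-21-4444444444-5555555555-6666666666-513) -> -1
Administrators (S-1-5-32-544) - -1
Users (S-1-5-32-545) - accounting
"""

ENTRY_RE = re.compile(
    r"^(?P<name>.+?)\s+\((?P<sid>S-1-\d+(?:-\d+)+)\)\s+->?\s+(?P<unix>.+?)\s*$"
)


class Entry(NamedTuple):
    name: str
    sid: str
    domain_sid: str
    rid: Optional[int]
    unix_group: str


def split_sid(sid):
    """Return (domain_sid, rid). rid is None when sid is only a domain SID."""
    parts = sid.split("-")  # ['S', '1', '5', '21', a, b, c, rid]
    if parts[:4] == ["S", "1", "5", "21"]:
        if len(parts) == 8:
            return "-".join(parts[:7]), int(parts[7])
        return sid, None  # bare domain SID: identifies no group
    # Builtin and other well-known SIDs: last sub-authority is the RID.
    return "-".join(parts[:-1]), int(parts[-1])


def parse_groupmap(text):
    """Parse `net groupmap list` output, skipping smb.conf warnings and logs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        domain_sid, rid = split_sid(m["sid"])
        entries.append(Entry(m["name"], m["sid"], domain_sid, rid, m["unix"]))
    return entries


def audit(entries, local_sid):
    """Classify mappings against the server's current domain SID."""
    report = {"foreign": [], "unmapped": [], "duplicates": {}, "domain_admins": None}
    seen = defaultdict(set)
    for e in entries:
        in_a_domain = e.domain_sid.startswith("S-1-5-21-")
        if in_a_domain and e.domain_sid != local_sid:
            report["foreign"].append(e.sid)      # left over from an earlier SID
        elif e.unix_group == "-1":
            report["unmapped"].append(e.sid)     # no Unix group behind it
        if e.domain_sid == local_sid and e.rid == 512:
            # Members of this Unix group are treated as Domain Admins.
            report["domain_admins"] = e.unix_group
        seen[e.name].add(e.sid)
    report["duplicates"] = {n: sorted(s) for n, s in seen.items() if len(s) > 1}
    return report


if __name__ == "__main__":
    for key, value in audit(parse_groupmap(SAMPLE), LOCAL_SID).items():
        print(f"{key}: {value}")
    # A sid= argument needs the RID suffix; a bare domain SID names no group.
    print("usable as sid= target:", split_sid(LOCAL_SID)[1] is not None)
```
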
[Samba] net groupmap add questions
ok, just to make it clear ...

1) what does net groupmap add do?
2) can it be used with ldapsam?
3) if I have local unix group and I want to create new domain group mapped to that unix group... do I have to explicitly specify SID? can anyone give me an example of correct usage net groupmap add?
4) what type (local|domain|builtin) should I use in such case?
5) how does it work? by calling add group script command or not?

Cheers,
Ilia Chipitsine
[Samba] net groupmap failures
OK all, really going nuts here. wbinfo -u/-g works, pulls up the W2k users/groups. Net ads join works just fine. Created the krb5.keytab file on the w2k machine and kutil copy this to /etc/krb5.keytab. kinit administrator works fine. However, all net groupmap commands fail. Here's an example:

fskkweb# net groupmap add unixgroup=admin ntgroup=Domain Admins
No rid or sid specified, choosing algorithmic mapping
[2004/09/29 08:42:46, 0] lib/smbldap.c:smbldap_open_connection(623)
  Failed to issue the StartTLS instruction: Decoding error
[2004/09/29 08:42:47, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1873)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 20D6: SvcErr: DSID-03100684, problem 5012 (DIR_ERROR), data 0 (Operations error)

Snip-error burps out for quite a number of lines

[2004/09/29 08:42:47, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1873)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 20D6: SvcErr: DSID-03100684, problem 5012 (DIR_ERROR), data 0 (Operations error)
adding entry for group Domain Admins failed!
fskkweb#

I'm assuming there is some problem with openldap client. ldapsearch burps out this:

fskkweb# ldapsearch -v -D CN=Administrator,CN=Users,DC=fsklaw,DC=net
ldap_initialize( DEFAULT )
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893

Any body have any clues...I would love to get this working. If you need smb.conf, krb5.conf, nsswitch files etc. please ask.

TMS III
[Samba] Net groupmap fails
Samba 3.0.6 installed. Net join ads worked perfectly. Net groupmap add fails as follows:

lildude# net groupmap add unixgroup=admin ntgroup=Administrators
[2004/08/26 09:28:19, 0] param/loadparm.c:map_parameter(2449)
  Unknown parameter encountered: default_keytab_name
[2004/08/26 09:28:19, 0] param/loadparm.c:lp_do_parameter(3139)
  Ignoring unknown parameter default_keytab_name
No rid or sid specified, choosing algorithmic mapping
[2004/08/26 09:28:19, 0] lib/smbldap.c:smbldap_connect_system(796)
  failed to bind to server with dn= Error: Can't contact LDAP server (unknown)
[2004/08/26 09:28:35, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1873)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Timed out)
[2004/08/26 09:28:51, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1873)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Timed out)
[2004/08/26 09:29:07, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1873)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Timed out)
[2004/08/26 09:29:23, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1873)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Timed out)
^C
lildude#

Any pointers would be most appreciated.

Thanks

TMS III
[Samba] net groupmap - gidNumber=4294967295
Hello,

I am still trying to deal with groups in a samba-pdc. I am now closer to my problem: the net groupmap can't find the group about a wrong groupid. I found similar error messages by googling, but no answer, which brings me to understand what exactly happens.

It follows a snippet from smb.conf, a snippet from the debug-info I am getting.

my ldap has ous people, groups and Idmap
samba is 3.0.4
system is solaris 8

smb.conf:

passdb backend = ldapsam:ldaps://localhost
domain logons = yes
ldap admin dn = cn=Manager,dc=agrl,dc=ethz
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix =
ldap suffix = dc=agrl,dc=ethz

debuginfo:

./net groupmap add -d 5 ntgroup=Domain Admins unixgroup=domadm \
  type=d rid=512

[2004/08/19 10:43:52, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base = [dc=agrl,dc=ethz], filter = [((objectClass=sambaIdmapEntry)(gidNumber=4294967295))], scope = [2]
[2004/08/19 10:43:52, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base = [ou=groups,dc=agrl,dc=ethz], filter = [((objectClass=sambaGroupMapping)(gidNumber=4294967295))], scope = [2]
[2004/08/19 10:43:52, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1898)
  ldapsam_getgroup: Did not find group
[2004/08/19 10:43:52, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base = [ou=groups,dc=agrl,dc=ethz], filter = [((|(objectClass=posixGroup)(objectclass=sambaIdmapEntry))(gidNumber=4294967295))], scope = [2]
[2004/08/19 10:43:52, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base = [dc=agrl,dc=ethz], filter = [((objectClass=sambaIdmapEntry)(gidNumber=4294967295))], scope = [2]
[2004/08/19 10:43:52, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base = [ou=groups,dc=agrl,dc=ethz], filter = [((objectClass=sambaGroupMapping)(gidNumber=55001))], scope = [2]
[2004/08/19 10:43:52, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1898)
  ldapsam_getgroup: Did not find group
[2004/08/19 10:43:52, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base = [ou=groups,dc=agrl,dc=ethz], filter = [((|(objectClass=posixGroup)(objectclass=sambaIdmapEntry))(gidNumber=55001))], scope = [2]
[2004/08/19 10:43:52, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base = [dc=agrl,dc=ethz], filter = [((objectClass=sambaIdmapEntry)(gidNumber=55001))], scope = [2]
adding entry for group Domain Admins failed!
[2004/08/19 10:43:52, 2] utils/net.c:main(792)
  return code = -1

--
Andreas Burger
Eidgenoessische Technische Hochschule Zuerich
Departement AgrL ISG
LFW A2
8092 Zuerich
632 68 54
[EMAIL PROTECTED]
[Samba] net groupmap list errors
Hello,

Weeks ago I mapped my nt groups to posix groups, all works fine. My samba PDC works fine today but I can't see my group list definition anymore...

SAMBA 3.0.4 (my own compilation)
samba-client-3.0.4-0.5.1 rpm
RH 9.0 (2.6.4)

# net groupmap list
[2004/07/05 15:30:14, 0] param/loadparm.c:map_parameter(2423)
  Unknown parameter encountered: client code page
[2004/07/05 15:30:14, 0] param/loadparm.c:lp_do_parameter(3119)
  Ignoring unknown parameter client code page
[2004/07/05 15:30:14, 0] param/loadparm.c:map_parameter(2423)
  Unknown parameter encountered: character set
[2004/07/05 15:30:14, 0] param/loadparm.c:lp_do_parameter(3119)
  Ignoring unknown parameter character set
[2004/07/05 15:30:14, 0] param/loadparm.c:map_parameter(2423)
  Unknown parameter encountered: domain admin group
[2004/07/05 15:30:14, 0] param/loadparm.c:lp_do_parameter(3119)
  Ignoring unknown parameter domain admin group
[2004/07/05 15:30:14, 0] param/loadparm.c:map_parameter(2423)
  Unknown parameter encountered: domain admin users
[2004/07/05 15:30:14, 0] param/loadparm.c:lp_do_parameter(3119)
  Ignoring unknown parameter domain admin users
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Domain Admins (S-1-5-21-3088386051-2538255017-882613707-512) - -1
Domain Guests (S-1-5-21-3088386051-2538255017-882613707-514) - -1
Account Operators (S-1-5-32-548) - -1
Domain Users (S-1-5-21-3088386051-2538255017-882613707-513) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

What is wrong in my system env?

Thank You,
Juliano.
[Samba] samba net groupmap
I followed the howto on samba with the net groupmap section but I can't get out. The problem is that I can't give a user admin rights so it's a 'normal' user under xp. I tried to do the net groupmap and modified the stuff

System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Domain Admins (S-1-5-21-585678821-3840919660-2487258650-512) - wheel
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-585678821-3840919660-2487258650-514) - nobody
Domain Users (S-1-5-21-585678821-3840919660-2487258650-513) - users
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

What do I do wrong? When I use samba 2.2 and add a group to the domain admin group it does work.
[Samba] Re: samba net groupmap
Quoting nasher [EMAIL PROTECTED]:

I followed the howto on samba with the net groupmap section but I can't get out. The problem is that I can't give a user admin rights so it's a 'normal' user under xp. I tried to do the net groupmap and modified the stuff

System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Domain Admins (S-1-5-21-585678821-3840919660-2487258650-512) - wheel
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-585678821-3840919660-2487258650-514) - nobody
Domain Users (S-1-5-21-585678821-3840919660-2487258650-513) - users
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

What do I do wrong? When I use samba 2.2 and add a group to the domain admin group it does work.

Oh damn, I found the problem: I need to use the primary group. Isn't there a way, when a user is added to more groups like users,wheel and when this one is connecting, the highest group counts? So the user is in this case admin?
[Samba] Net groupmap Question.
Samba users -

On redhat linux machine, I'm unable to map unix groups to nt groups. The net groupmap command returns no such object. The net groupmap list returns an empty list. I'm using ldapsam backend. It seems that the nt groups must be added to the ldap directory first for this to work. This workstation is just a workgroup server. How does one add groups to the ldapsam backend? Via ldif file? Any links on this would be appreciated.

Thanks
Jay
[Samba] net groupmap list showing domain groups 3-4 times
Samba 3.0.2a

When I run net groupmap list, I am seeing the domain groups 3-4 times in the list. Is this normal? If not, how do I fix it?

System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-1627512061-3979602771-3638141843-513) - -1
Domain Guests (S-1-5-21-2115173702-1382115886-4053946157-514) - -1
Domain Admins (S-1-5-21-2115173702-1382115886-4053946157-512) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Users (S-1-5-21-3094946941-1063016343-518249709-513) - -1
Domain Admins (S-1-5-21-3094946941-1063016343-518249709-512) - -1
Domain Admins (S-1-5-21-1627512061-3979602771-3638141843-512) - -1
Domain Guests (S-1-5-21-3094946941-1063016343-518249709-514) - -1
Domain Users (S-1-5-21-1565338132-3089613125-211223302-513) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
Domain Guests (S-1-5-21-1627512061-3979602771-3638141843-514) - -1
Domain Users (S-1-5-21-2115173702-1382115886-4053946157-513) - -1
Domain Admins (S-1-5-21-1565338132-3089613125-211223302-512) - -1
Domain Guests (S-1-5-21-1565338132-3089613125-211223302-514) - -1
Re: [Samba] net groupmap list showing domain groups 3-4 times
Mark wrote:

Samba 3.0.2a

When I run net groupmap list, I am seeing the domain groups 3-4 times in the list. Is this normal? If not, how do I fix it?

I managed to fix this by stopping Samba, deleting /var/cache/samba/* and the /etc/samba/secrets.tdb and then starting Samba again.

Now my question is: if I add a linux group to Users, how would I delete this accounting group if I needed to in the future?

Users (S-1-5-32-545) - accounting

This is what started the whole mess..
[Samba] net groupmap problems
On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:

Is there any way to get Samba to match the Unix UIDs to Windows RIDs, or to force the RIDs to be particular values as we can do with net groupmap for groups?

Speaking of which, I'm having trouble with that command too (samba-3.0.2a, running on Red Hat 6.x Linux with some new bits grafted into it). I started by deleting group_mapping.tdb and starting the server.

# net groupmap list | grep Users
Power Users (S-1-5-32-547) - -1
Users (S-1-5-32-545) - -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-513) - -1

Now, I want to map Domain Users to my local users group and keep the same RID:

[root migration]# net groupmap add rid=513 unixgroup=users type=domain ntgroup='Domain Users'
adding entry for group Domain Users failed!

Well, that's a helpful error message. What's going on here? I've noticed that I can do this without specifying the RID:

# net groupmap add unixgroup=users type=domain ntgroup='Domain Users'
No rid or sid specified, choosing algorithmic mapping
Successully added group Domain Users to the mapping db

But now, there are TWO entries in the map for Domain Users:

# net groupmap list | grep Users
Power Users (S-1-5-32-547) - -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-1201) - users
Users (S-1-5-32-545) - -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-513) - -1

And running rpcclient against localhost reports that Domain Users is RID 1201, not 513.

Other experiments show that there will always be an entry for Domain Users with rid 513 pointing to -1, even when I explicitly try to delete it.

-- Ed
Re: [Samba] net groupmap problems
On Mon, 15 Mar 2004, Ed Ravin wrote:

On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:

Is there any way to get Samba to match the Unix UIDs to Windows RIDs, or to force the RIDs to be particular values as we can do with net groupmap for groups?

Speaking of which, I'm having trouble with that command too (samba-3.0.2a, running on Red Hat 6.x Linux with some new bits grafted into it). I started by deleting group_mapping.tdb and starting the server.

# net groupmap list | grep Users
Power Users (S-1-5-32-547) - -1
Users (S-1-5-32-545) - -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-513) - -1

Now, I want to map Domain Users to my local users group and keep the same RID:

[root migration]# net groupmap add rid=513 unixgroup=users type=domain ntgroup='Domain Users'
adding entry for group Domain Users failed!

No way! Try the following:

net groupmap modify ntgroup="Domain Users" unixgroup=users

Well, that's a helpful error message. What's going on here? I've noticed that I can do this without specifying the RID:

# net groupmap add unixgroup=users type=domain ntgroup='Domain Users'
No rid or sid specified, choosing algorithmic mapping
Successully added group Domain Users to the mapping db

But now, there are TWO entries in the map for Domain Users:

# net groupmap list | grep Users
Power Users (S-1-5-32-547) - -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-1201) - users
Users (S-1-5-32-545) - -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-513) - -1

And running rpcclient against localhost reports that Domain Users is RID 1201, not 513.

net groupmap delete ntgroup="Domain Users"

will get rid of the entry you added.

Other experiments show that there will always be an entry for Domain Users with rid 513 pointing to -1, even when I explicitly try to delete it.

Maybe you could find what you are looking for in the Samba-HOWTO-Collection.pdf. See: http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

- John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
[Samba] net groupmap modify fails
Hi,

I am failing to map ldap groups to system groups. I tried following:

Type net help option to get more information on that option

Valid targets: choose one (none defaults to localhost)
  -S or --server=server       server name
  -I or --ipaddress=ipaddr    address of target server
  -w or --workgroup=wg        target workgroup or domain

Valid miscellaneous options are:
  -p or --port=port           connection port on target
  -W or --myworkgroup=wg      client workgroup
  -d or --debuglevel=level    debug level (0-10)
  -n or --myname=name         client name
  -U or --user=name           user name
  -s or --configfile=path     pathname of smb.conf file
  -l or --long                Display full information
  -V or --version             Print samba version information
  -P or --machine-pass        Authenticate as machine account

xppc:/etc/samba # net groupmap add rid=512 ntgroup=Domain Admins unixgroup=root
adding entry for group Domain Admins failed!
xppc:/etc/samba # net groupmap modify rid=512 ntgroup=Domain Admins unixgroup=root
Bad option: rid=512
xppc:/etc/samba # net groupmap modify
Usage: net groupmap modify {ntgroup=string|sid=SID} [comment=string] [unixgroup=string] [type=domain|local]
xppc:/etc/samba # net groupmap modify
xppc:/etc/samba # net groupmap list
Domain Admins (S-1-5-21-316418144-728220878-2830442550-512) - Domain Admins
Domain Users (S-1-5-21-316418144-728220878-2830442550-513) - Domain Users
Domain Guests (S-1-5-21-316418144-728220878-2830442550-514) - Domain Guests
Administrators (S-1-5-21-316418144-728220878-2830442550-544) - Administrators
users (S-1-5-21-316418144-728220878-2830442550-545) - Users
Guests (S-1-5-21-316418144-728220878-2830442550-546) - Guests
Power Users (S-1-5-21-316418144-728220878-2830442550-547) - Power Users
Account Operators (S-1-5-21-316418144-728220878-2830442550-548) - Account Operators
Server Operators (S-1-5-21-316418144-728220878-2830442550-549) - Server Operators
Print Operators (S-1-5-21-316418144-728220878-2830442550-550) - Print Operators
Backup Operators (S-1-5-21-316418144-728220878-2830442550-551) - Backup Operators
Replicator (S-1-5-21-316418144-728220878-2830442550-552) - Replicator
Domain Computers (S-1-5-21-316418144-728220878-2830442550-553) - Domain Computers
xppc:/etc/samba # net groupmap modify ntgroup=Domain Admins|sid=S-1-5-21-316418144-728220878-2830442550-512 unixgroup=root
NT Group Domain Admins|sid=S-1-5-21-316418144-728220878-2830442550-512 doesn't exist in mapping DB
xppc:/etc/samba # net groupmap modify sid=S-1-5-21-316418144-728220878-2830442550-512 unixgroup=root
[2004/02/18 02:44:40, 0] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2015)
  ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database

I see that I am a newbie with that stuff; after all, this works with smbpasswd backend.

My problem is also: if I want to set permissions on a folder with the win client with the advanced button, I can't add another group. I have no log that gives me some answers. Is it not possible to give permissions to more than one group or change the group? In my smbpasswd pdc this works. The win failure code says you don't have permissions.

Can someone enlighten me?

Best Regards
Secondary Groups with ldapsam WAS: Re: [Samba] net groupmap / domain admins problem
Hi,

I have done further testing on this issue. Unix name resolution seems to work (all groups are in LDAP):

[EMAIL PROTECTED] sporer]$ getent group | grep management
managementgroup:x:1001:management,root,haehnle,sporer,sporers
[EMAIL PROTECTED] sporer]$ getent group | grep sensodrivgroup
[EMAIL PROTECTED] sporer]$ getent group | grep sensodrive
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
[EMAIL PROTECTED] sporer]$ id -a management
uid=1008(management) gid=1001(managementgroup) Gruppen=1001(managementgroup)
[EMAIL PROTECTED] sporer]$ id -a sporer
uid=1000(sporer) gid=1000(sensodrivegroup) Gruppen=1000(sensodrivegroup),1001(managementgroup),1002(test1)

If I add

valid users = +managementgroup,+sensodrivegroup

to a share, user management and user sporer can connect (primary groups are management and sporer). If I remove +sensodrivegroup, user sporer can't connect, and vice versa.

A level 10 debug shows, in the case sporer connects (fails):

sys_getgrouplist: user [sporer]
[2004/01/09 12:05:18, 10] lib/system_smbd.c:sys_getgrouplist(122) sys_getgrouplist(): disabled winbindd for group lookup [user == sporer]
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 1000 Primary group is 1000 and contains 1 supplementary groups Group[ 0]: 1000
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/01/09 12:05:18, 3] smbd/uid.c:push_conn_ctx(287) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL)
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2004/01/09 12:05:18, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1636) ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(gidNumber=1000))]
[2004/01/09 12:05:18, 2] passdb/pdb_ldap.c:init_group_from_ldap(1680) init_group_from_ldap: Entry found for group: 1000
[2004/01/09 12:05:18, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/01/09 12:05:18, 10] passdb/passdb.c:local_gid_to_sid(1228) local_gid_to_sid: gid (1000) - SID S-1-5-21-3723159834-3326906825-3408399175-3001.
[2004/01/09 12:05:18, 10] passdb/lookup_sid.c:gid_to_sid(374) gid_to_sid: local 1000 - S-1-5-21-3723159834-3326906825-3408399175-3001
[2004/01/09 12:05:18, 10] auth/auth_util.c:debug_nt_user_token(491) NT user token of user S-1-5-21-3723159834-3326906825-3408399175-3000 contains 5 SIDs
SID[ 0]: S-1-5-21-3723159834-3326906825-3408399175-3000
SID[ 1]: S-1-5-21-3723159834-3326906825-3408399175-3001
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
...

In the case management connects (successfully):

[2004/01/09 12:08:36, 10] lib/system_smbd.c:sys_getgrouplist(113) sys_getgrouplist: user [management]
[2004/01/09 12:08:36, 10] lib/system_smbd.c:sys_getgrouplist(122) sys_getgrouplist(): disabled winbindd for group lookup [user == management]
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 1008 Primary group is 1001 and contains 1 supplementary groups Group[ 0]: 1001
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/01/09 12:08:36, 3] smbd/uid.c:push_conn_ctx(287) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL)
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2004/01/09 12:08:36, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1636) ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(gidNumber=1001))]
[2004/01/09 12:08:36, 2] passdb/pdb_ldap.c:init_group_from_ldap(1680) init_group_from_ldap: Entry found for group: 1001
[2004/01/09 12:08:36, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/01/09 12:08:36, 10] passdb/passdb.c:local_gid_to_sid(1228) local_gid_to_sid: gid (1001) - SID S-1-5-21-3723159834-3326906825-3408399175-3003.
[2004/01/09 12:08:36, 10] passdb/lookup_sid.c:gid_to_sid(374) gid_to_sid: local 1001 - S-1-5-21-3723159834-3326906825-3408399175-3003
[2004/01/09 12:08:36, 10] auth/auth_util.c:debug_nt_user_token(491) NT user token of user S-1-5-21-3723159834-3326906825-3408399175-3016 contains 5 SIDs
SID[ 0]: S-1-5-21-3723159834-3326906825-3408399175-3016
SID[ 1]: S-1-5-21-3723159834-3326906825-3408399175-3003
SID[ 2]: S-1-1-0
...
user_in_list: checking user management in list
[2004/01/09 12:08:36, 10] lib/username.c:user_in_list(525) user_in_list: checking user
Re: Secondary Groups with ldapsam WAS: Re: [Samba] net groupmap / domain admins problem
Hi,

the reason for the problem was the group entry in /etc/nsswitch.conf. It was interpreted correctly by the system tools like id, getent etc.

With an strace -f on the following test program I have seen that nsswitch.conf is opened, but libnss_ldap is not... Therefore it doesn't use LDAP for the getgrouplist system call Samba uses.

I adjusted my nsswitch.conf in order to work with the test tool, and Samba does too...

Thank you for your help

Greetings
Hansjörg

#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <stdlib.h>

int main(void)
{
    /* room for 16 gids; getgrouplist() stores the real count in ngroups */
    int ngroups = 16;
    gid_t *groups = (gid_t *) malloc(ngroups * sizeof (gid_t));
    if (groups == NULL)
        return 1;
    /* prints the number of groups found for root, or -1 if the buffer is too small */
    printf("%d\n", getgrouplist("root", 0, groups, &ngroups));
    free(groups);
    return 0;
}

--
Dr. Hansjörg Maurer
itsystems Deutschland AG
Linprunstr. 10
D-80335 München
Ph/Fax +49 89 52 04 68-41/-59
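The mismatch diagnosed in this thread, where `id` lists secondary groups that smbd's UNIX token does not contain, can be checked mechanically from the two outputs. The following Python is an added example, not code from the thread; the function names are hypothetical, and the `id -a` lines and level-5 smbd log excerpt are constructed from the output quoted above.

```python
import re

# Constructed samples, modelled on the `id -a` output and the level-5 smbd log
# quoted in this thread (a German locale prints "Gruppen=" instead of "groups=").
ID_SPORER = ("uid=1000(sporer) gid=1000(sensodrivegroup) "
             "Gruppen=1000(sensodrivegroup),1001(managementgroup),1002(test1)")
ID_MANAGEMENT = ("uid=1008(management) gid=1001(managementgroup) "
                 "Gruppen=1001(managementgroup)")
SMBD_LOG = """\
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1000
  Primary group is 1000 and contains 1 supplementary groups
  Group[  0]: 1000
[2004/01/09 12:05:18, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/01/09 12:08:36, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1008
  Primary group is 1001 and contains 1 supplementary groups
  Group[  0]: 1001
"""

# uid=N(name) gid=N(name) <label>=N(name),N(name),...  (label is locale dependent)
ID_RE = re.compile(r"uid=(\d+)\(([^)]+)\)\s+gid=(\d+)\(([^)]*)\)\s+[^\s=]+=(.*)")
PAIR_RE = re.compile(r"(\d+)\(([^)]*)\)")
# One debug_unix_user_token entry; \s+ also matches the line breaks in the log.
TOKEN_RE = re.compile(
    r"UNIX token of user (\d+)\s+"
    r"Primary group is (\d+) and contains (\d+) supplementary groups"
    r"((?:\s+Group\[\s*\d+\]:\s*\d+)*)")
GROUP_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")


def parse_id(line):
    """Return (uid, user, {gid: group name}) from one line of `id -a` output."""
    m = ID_RE.search(line)
    if m is None:
        raise ValueError("not an `id` output line: %r" % line)
    uid, user, gid, gname, rest = m.groups()
    groups = {int(gid): gname}
    groups.update((int(g), n) for g, n in PAIR_RE.findall(rest))
    return int(uid), user, groups


def parse_tokens(log):
    """Return {uid: set of gids} from smbd's 'UNIX token' debug entries.

    If a uid is logged more than once, the last token wins.
    """
    tokens = {}
    for uid, primary, count, block in TOKEN_RE.findall(log):
        supplementary = [int(g) for g in GROUP_RE.findall(block)]
        if len(supplementary) != int(count):
            # The log excerpt was cut inside the Group[] list.
            raise ValueError("truncated token for uid %s" % uid)
        tokens[int(uid)] = {int(primary), *supplementary}
    return tokens


def missing_from_token(id_line, smbd_log):
    """Groups that NSS reports for the user but smbd's token does not carry."""
    uid, user, nss_groups = parse_id(id_line)
    tokens = parse_tokens(smbd_log)
    if uid not in tokens:
        raise LookupError("no UNIX token logged for %s (uid %d)" % (user, uid))
    return {g: n for g, n in nss_groups.items() if g not in tokens[uid]}


if __name__ == "__main__":
    for line in (ID_SPORER, ID_MANAGEMENT):
        _, user, _ = parse_id(line)
        print(user, "missing in smbd token:", missing_from_token(line, SMBD_LOG))
```

A non-empty result means a `valid users = +group` entry for one of the listed groups cannot match until group resolution in /etc/nsswitch.conf is fixed for the lookup path smbd uses.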
WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize
Hi,

I have a question related to the group mapping with ldapsam as backend. You described that group entries have to be in /etc/group with tdbsam as backend. I recognized that Samba 3,0.1 with ldapsam does not recognize secondary groups in LDAP (e.g. for accessing a share). The problem is described by [EMAIL PROTECTED] too (see his email attached).

Do secondary groups have to be in /etc/groups in order to be recognized by Samba even with ldapsam?

Thank you very much
Hansjörg

Hello,

I found an interesting thing that I don't know if it is a bug, by design or I need to be doing something that I'm not but here goes.

My system: RedHat 8.0, (1) PDC with LDAP 2.1.23 backend master, (3) BDC with LDAP slave backend. All are Samba 3.0.

I had a problem with secondary, tertiary etc groups that people belong to and Samba recognizing these groups if they were stored in LDAP. The primary group was no problem. When I created shares but used @groupname for valid users or write list, Samba would fail to get that info from LDAP. They needed to be in /etc/group to work. As soon as I added users in secondary groups to /etc/group users were recognized and rights were assigned.

As a side note each line of /etc/group is limited to 1024 bytes, so there is a limit on how many users you can add to a group using /etc/group. If you exceed that when the system scans the /etc/group file, it will fail at the line 1024 bytes and any groups below will fail to be recognized. I believe that this is a bug. If you do ls on a directory or id username where one of the entries in your /etc/group has exceeded the limit, the groups will show as numbers and not a group name.

Can I use pam_winbindd to extract group membership from LDAP at this time for secondary, tertiary etc groups?

John H Terpstra wrote:

On Wed, 7 Jan 2004, Andrew Judge wrote:

I think that most of my problems are somewhat resolved except for this last one. I can not get domain admin rights to the ntadmins users. I get the following output for groupmaps:

[EMAIL PROTECTED] i386]# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) - users
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) - ntadmins
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

Obviously there is a problem with the domain '*' SID because there are duplicates. Any idea how to correct this problem and get the users logged in with admin rights. I have RH EN v.3 and samba 3.0.0-14.3E from RH. I can see the users from the samba server and the users can log in, but no rights. Big problem.

Ok. Roll up your sleeves!

I am presuming that you are NOT using an LDAP backend, that you still are using an smbpasswd backend datafile.

1. Stop Samba
2. Delete the group_mapping.tdb file.
3. Restart Samba - the default Domain Groups will automatically be created if you are NOT using LDAP ldapsam.
4. Map your groups as follows:
   net groupmap modify ntgroup=Domain Users unixgroup=users
   net groupmap modify ntgroup=Domain Admins unixgroup=root
   net groupmap modify ntgroup=Domain Guests unixgroup=nobody
   Add any Domain Groups you may want. Do tie them to existing (manually created UNIX groups) eg:
   groupadd engineers
   net groupmap add ntgroup=Domain Engineers unixgroup=engineers type=d
   groupadd ntadmins
   net groupmap add ntgroup=Domain Power Users unixgroup=ntadmins type=d
   PS: If you have a problem with these commands email me, I'll help you.
5. Add all users who should have Domain Admin rights to the UNIX root group in /etc/group, like this:
   root:0::jht,jimbo,jack,jill
6. Add all users who should have Workstation Admin rights (Power Users) to the UNIX ntadmins group in /etc/group, like this:
   ntadmins:123::maryo,susant,billm
7. Verify that the groups are correctly mapped: net groupmap list.
8. Now: On every windows client machine add:
   a) Domain Admins to the Local Administrators Group
   b) Domain Power Users to the Local Power Users Group

Now... I migrated from 2.2.3a to the above and
Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize
On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

Hi, I have a question related to the group mapping with ldapsam as backend. You described that group entries have to be in /etc/group with tdbsam as backend. I recognized that Samba 3,0.1 with ldapsam does not recognize secondary groups in LDAP (e.g. for accessing a share). The problem is described by [EMAIL PROTECTED] too (see his email attached). Do secondary groups have to be in /etc/groups in order to be recognized by Samba even with ldapsam?

Whether or not this will work depends on how you configure ID resolution. Winbind apparently does not resolve secondary group membership. On the other hand, if you configure LDAP based ID resolution via the name service switcher (NSS) for both users and groups then secondary group membership resolution seems to work ok.

The Posix user account should be in the LDAP database. You can then add users to multiple groups either in /etc/group or in the LDAP groups container.

How did you configure /etc/nsswitch.conf? What does 'getent group' and 'getent passwd' show? If you have a user who is a member of multiple secondary groups and you execute:

id 'username'

What does this report for that user?

If LDAP based resolution of multiple group membership fails that is something that must be reported to PADL, the authors of nss_ldap. On the test systems I used to create the environments I used to create the example files for the new Samba-3 by Example book, I compiled nss_ldap version 212 and found that to work fine with multiple groups. Is this what you tried also?

Cheers,
John T.

Thank you very much
Hansjörg

Hello,

I found an interesting thing that I don't know if it is a bug, by design or I need to be doing something that I'm not but here goes.

My system: RedHat 8.0, (1) PDC with LDAP 2.1.23 backend master, (3) BDC with LDAP slave backend. All are Samba 3.0.

I had a problem with secondary, tertiary etc groups that people belong to and Samba recognizing these groups if they were stored in LDAP.
Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize
Hi,

thank you for your fast reply.

I have a user sporer:

[EMAIL PROTECTED] root]# id -a sporer
uid=1000(sporer) gid=1000(sensodrivegroup) Gruppen=1000(sensodrivegroup),1001(managementgroup)

The user and the group are in LDAP and nss_ldap seems to work:

[EMAIL PROTECTED] root]# getent group
root:x:0:root
Domain Admins:x:912:
Domain Users:x:913:
Domain Guests:x:914:
Administrators:x:944:
Users:x:945:
Guests:x:946:
Power Users:x:947:
Account Operators:x:948:
Server Operators:x:949:
Print Operators:x:950:Administrator
Backup Operators:x:951:
Replicator:x:952:
Domain Computers:x:953:
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
managementgroup:x:1001:management,root,haehnle,sporer,sporers

I am using

[EMAIL PROTECTED] root]# rpm -q nss_ldap
nss_ldap-207-3

on RH9.

Within Samba I have two shares:

[Projekte]
    comment = Sensodrive-Projekte
    path = /home/sensodrive
    force group = sensodrivegroup
    force user = sensodrive
    valid users = @sensodrivegroup,root

[Management]
    comment = Sensodrive-Management
    path = /home/management
    force group = managementgroup
    force user = management
    valid users = @managementgroup,root

Every user can access the Projekte share, because the primary group of every user is sensodrivegroup. When user sporer tries to access the Management share, he gets

user 'sporer' (from session setup) not permitted to access this share (Management)

If I add the user sporer by his username to valid users it works:

valid users = @managementgroup,root,sporer,haehnle,sporers

Maybe this helps to solve the problem. If you need more information or further testing, give me a note.

Thank you very much

Greetings
Hansjörg

John H Terpstra wrote:

On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

Hi, I have a question related to the group mapping with ldapsam as backend. You described that group entries have to be in /etc/group with tdbsam as backend. I recognized that Samba 3,0.1 with ldapsam does not recognize secondary groups in LDAP.
Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize
Hansjoerg,

Instead of:
    valid users = @Groupe
Please try:
    valid users = +Groupe

Thanks.
- John T.
Re: WAS: Re: [Samba] net groupmap / domain admins problem
Hi,

I switched to

valid users = +managementgroup

and still get

[2004/01/08 10:46:52, 2] lib/access.c:check_access(324) Allowed connection from (192.168.1.100)
[2004/01/08 10:46:52, 2] smbd/service.c:make_connection_snum(391) user 'sporer' (from session setup) not permitted to access this share (test)
[2004/01/08 10:46:52, 3] smbd/error.c:error_packet(118) error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

(changed the name of the share to test to avoid a naming conflict with user management)

[EMAIL PROTECTED] root]# smbclient -U sporer LINA\\test
Password:
tree connect failed: NT_STATUS_ACCESS_DENIED
[EMAIL PROTECTED] root]# smbclient -U sporer LINA\\sporer
Password:
smb: \
[EMAIL PROTECTED] root]# smbclient -U sporer LINA\\projekte-share
Password:
smb: \

With the share where sporer has the primary group in, it still works with the +sensodrivegroup.

Thank you
Hansjörg

John H Terpstra wrote:

Hansjoerg,

Instead of:
    valid users = @Groupe
Please try:
    valid users = +Groupe

Thanks.
- John T.

On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

Hi, thank you for your fast reply. I have a user sporer:

[EMAIL PROTECTED] root]# id -a sporer
uid=1000(sporer) gid=1000(sensodrivegroup) Gruppen=1000(sensodrivegroup),1001(managementgroup)

The user and the group are in LDAP and nss_ldap seems to work..
RE: [Samba] net groupmap / domain admins problem - Amazon prize
Okay, I did all the below successfully. I actually had the old SID from the other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the NTUSER.DAT files.

Still no luck with the admin rights. It will log into the domain and can see the domain groups and I can add them to local groups. It even uses the netlogon scripts.

Do you need more info? I think we are close though.

Andy

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:42 PM
To: Andrew Judge
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize

1. Stop Samba
2. Delete the group_mapping.tdb file.
3. Restart Samba - the default Domain Groups will automatically be created if you are NOT using LDAP ldapsam.
4. Map your groups as follows:
   net groupmap modify ntgroup=Domain Users unixgroup=users
   net groupmap modify ntgroup=Domain Admins unixgroup=root
   net groupmap modify ntgroup=Domain Guests unixgroup=nobody
   Add any Domain Groups you may want. Do tie them to existing (manually created UNIX groups) eg:
   groupadd engineers
   net groupmap add ntgroup=Domain Engineers unixgroup=engineers type=d
   groupadd ntadmins
   net groupmap add ntgroup=Domain Power Users unixgroup=ntadmins type=d
   PS: If you have a problem with these commands email me, I'll help you.
5. Add all users who should have Domain Admin rights to the UNIX root group in /etc/group, like this:
   root:0::jht,jimbo,jack,jill
6. Add all users who should have Workstation Admin rights (Power Users) to the UNIX ntadmins group in /etc/group, like this:
   ntadmins:123::maryo,susant,billm
7. Verify that the groups are correctly mapped: net groupmap list.
8. Now: On every windows client machine add:
   a) Domain Admins to the Local Administrators Group
   b) Domain Power Users to the Local Power Users Group

Now... I migrated from 2.2.3a to the above and I have all the tdb and I changed the SID to the last PDC. Anyway, how would I get the right SID? I have NTUSER.DAT files that I can run profiles against to read them. Would that help?

You can use the Samba-3.0.x tools 'profiles' to reset the SID in the NTUSER.DAT files. To obtain the domain SID just run:

net getlocalsid

First one that can point me in the right direction to get this resolved - I'll buy them an Amazon gift cert for $50. Beats going bald from pulling out my hair.

It's a deal man!

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
RE: [Samba] net groupmap / domain admins problem - Amazon prize
Also, my info is now - and it looks like the last 3 digits are supposed to be different from the main part of the SID, but are not? Should I try to modify the domain '*' SIDs?

    [EMAIL PROTECTED] root]# net getlocalsid
    SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
    [EMAIL PROTECTED] root]# net groupmap list
    System Operators (S-1-5-32-549) - -1
    Replicators (S-1-5-32-552) - -1
    Guests (S-1-5-32-546) - -1
    Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - nobody
    Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - root
    Power Users (S-1-5-32-547) - -1
    Print Operators (S-1-5-32-550) - -1
    Administrators (S-1-5-32-544) - -1
    Account Operators (S-1-5-32-548) - -1
    Domain Power Users (S-1-5-21-3168668608-3928139368-1822977481-2081) - ntadmins
    Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - users
    Backup Operators (S-1-5-32-551) - -1
    Users (S-1-5-32-545) - -1

Andy
RE: [Samba] net groupmap / domain admins problem - Amazon prize
On Thu, 8 Jan 2004, Andrew Judge wrote:

Okay, I did all the below successfully. I actually had the old SID from the other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the NTUSER.DAT files. Still no luck with the admin rights. It will log into the domain and can see the domain groups and I can add them to local groups. It even uses the netlogon scripts. Do you need more info? I think we are close though.

Andy,

In the procedure I gave you rather specific steps. That was for a reason. Maybe I should have explained each step a lot more fully.

Samba stores its Domain/Machine SID in the secrets.tdb file. When you deleted the group_mapping.tdb file and then restarted Samba, it re-created the group_mapping.tdb file with all the default accounts. When it did this, the default accounts were initialized with the SID that was in the secrets.tdb file.

I am guessing that you changed the SID _AFTER_ restarting Samba. I was trying to get your SIDs uniform throughout with minimum effort on your part. By resetting the Domain SID, you undid what I was trying to get you to rectify. Your Windows clients will be very confused by the inconsistent SIDs. What you did by resetting the SID would be expected to break everything again.

I am guessing that by running:

    net getlocalsid

you will now be able to confirm that the Samba Domain SID is the same as your original Domain SID. If you want this to work, you will have to repeat the steps I gave you though. Domain security will not work unless the SIDs are consistent.

Cheers,
John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
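The consistency requirement described in the message above can be checked mechanically. The following is an added example, not part of the original thread and not Samba's own code: shell functions that compare the domain SID printed by net getlocalsid with the domain part of every group SID printed by net groupmap list. The function and variable names are made up for this example; the sample input is the output posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report groups in `net groupmap list`
# whose SID does not carry the domain SID shown by `net getlocalsid`.
# All function and variable names here are hypothetical.

# Read `net getlocalsid` output on stdin, print the domain SID.
domain_sid() {
    sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9-]*\) *$/\1/p' | head -n 1
}

# Read `net groupmap list` output on stdin; print "name<TAB>sid" for every
# domain-relative entry (S-1-5-21-...) whose SID, minus the trailing RID,
# differs from the domain SID given as $1. Builtin aliases (S-1-5-32-...)
# are identical on every machine and are skipped.
mismatched_groups() {
    awk -v dom="$1" '
    {
        if (match($0, /\(S-[0-9-]+\)/) == 0) next    # no SID on this line
        sid  = substr($0, RSTART + 1, RLENGTH - 2)   # strip the parentheses
        name = substr($0, 1, RSTART - 1)
        sub(/[ \t]+$/, "", name)
        if (sid !~ /^S-1-5-21-/) next                # builtin alias
        prefix = sid
        sub(/-[0-9]+$/, "", prefix)                  # drop the RID
        if (prefix != dom) printf "%s\t%s\n", name, sid
    }'
}

# $1 = text of `net getlocalsid`, $2 = text of `net groupmap list`.
# Returns 0 if all domain groups match, 1 if any differ, 2 if the
# domain SID could not be parsed.
sids_consistent() {
    dom=$(printf '%s\n' "$1" | domain_sid)
    [ -n "$dom" ] || return 2
    bad=$(printf '%s\n' "$2" | mismatched_groups "$dom")
    [ -z "$bad" ]
}

# Sample input: the output posted in the thread.
SAMPLE_LOCALSID='SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950'
SAMPLE_GROUPMAP='System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - nobody
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - root
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Power Users (S-1-5-21-3168668608-3928139368-1822977481-2081) - ntadmins
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - users
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1'

# Demo on the sample; on a live server the same check would be
#   sids_consistent "$(net getlocalsid)" "$(net groupmap list)"
sample_dom=$(printf '%s\n' "$SAMPLE_LOCALSID" | domain_sid)
printf '%s\n' "$SAMPLE_GROUPMAP" | mismatched_groups "$sample_dom"
```

On the sample this lists the four Domain groups, all of which carry a different domain SID from the one net getlocalsid reports.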
RE: [Samba] net groupmap / domain admins problem - Amazon prize
One last part that I noticed - the kicker - even though the netlogon scripts run, if I create a new user, it won't let me log in. It's like the account passwords were cached and now it has taken away the domain admin rights.

Andy
RE: [Samba] net groupmap / domain admins problem - Amazon prize
On Thu, 8 Jan 2004, Andrew Judge wrote:

One last part that I noticed - the kicker - even though the netlogon scripts run, if I create a new user, it won't let me log in. It's like the account passwords were cached and now it has taken away the domain admin rights.

First, as I wrote in my last email, the Domain SID and that stored in the group_mapping.tdb database MUST be consistent.

Second, what version of Samba are you running? If this is 3.0.1 please update to 3.0.2pre1. There is a fix in 3.0.2pre1 for a bug you may have tripped.

- John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
RE: [Samba] net groupmap / domain admins problem - Amazon prize
    samba-client-3.0.0-14.3E
    samba-3.0.0-14.3E
    samba-common-3.0.0-14.3E

From RH En v.3 CD. Do you think that it would be better to upgrade?

Andy
RE: [Samba] net groupmap / domain admins problem - Amazon prize
Nope - it makes its own SIDs. To prove - it starts and ends with net getlocalsid. Here is the output since I tried it again:

    [EMAIL PROTECTED] root]# net getlocalsid
    SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
    [EMAIL PROTECTED] root]# service smb stop
    Shutting down SMB services:[ OK ]
    Shutting down NMB services:[ OK ]
    [EMAIL PROTECTED] root]# rm -f /var/cache/samba/group_mapping.tdb
    [EMAIL PROTECTED] root]# service smb start
    Starting SMB services: [ OK ]
    Starting NMB services: [ OK ]
    [EMAIL PROTECTED] root]# net groupmap list
    System Operators (S-1-5-32-549) - -1
    Replicators (S-1-5-32-552) - -1
    Guests (S-1-5-32-546) - -1
    Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
    Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
    Power Users (S-1-5-32-547) - -1
    Print Operators (S-1-5-32-550) - -1
    Administrators (S-1-5-32-544) - -1
    Account Operators (S-1-5-32-548) - -1
    Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
    Backup Operators (S-1-5-32-551) - -1
    Users (S-1-5-32-545) - -1
    [EMAIL PROTECTED] root]# net getlocalsid
    SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
RE: [Samba] net groupmap / domain admins problem - Amazon prize
Andy,

I would suggest you first make sure that all SIDs are consistent. The 3.0.0 packages you have should work. We can look to updating if you need to.

- John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
RE: [Samba] net groupmap / domain admins problem - Amazon prize
On Thu, 2004-01-08 at 08:50, Andrew Judge wrote:

samba-client-3.0.0-14.3E samba-3.0.0-14.3E samba-common-3.0.0-14.3E From RH En v.3 CD. Do you think that it would be better to upgrade?

at this point - I wouldn't

Craig
RE: [Samba] net groupmap / domain admins problem - Amazon prize
Andrew,

You have something rather strange going on here. The following is the result of running these steps on my system:

    frodo:/etc/samba # net setlocalsid S-1-5-21-1206063004-3966108128-1487570950
    frodo:/etc/samba # net getlocalsid
    SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950
    frodo:/etc/samba # samba start
    Starting SAMBA nmbd : done
    cups on
    Waiting for cupsd to get ready done
    Starting SAMBA smbd : done
    Starting SAMBA winbind : done
    frodo:/etc/samba # net groupmap list
    System Operators (S-1-5-32-549) - -1
    Replicators (S-1-5-32-552) - -1
    Guests (S-1-5-32-546) - -1
    Domain Admins (S-1-5-21-1206063004-3966108128-1487570950-512) - -1
    Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
    Power Users (S-1-5-32-547) - -1
    Print Operators (S-1-5-32-550) - -1
    Administrators (S-1-5-32-544) - -1
    Account Operators (S-1-5-32-548) - -1
    Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
    Backup Operators (S-1-5-32-551) - -1
    Users (S-1-5-32-545) - -1
    frodo:/etc/samba # net getlocalsid
    SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950

Note: The SIDs are consistent. I have been unable to reproduce the observations you have.

Please would you email me your secrets.tdb file (off-line). I'd like to see if there is something weird in it.

Other than that, please move your secrets.tdb file to a backup location. Make sure samba is NOT running when you do this. Then delete the group_mapping.tdb file, then restart Samba. Then check the value of the Domain SID from:

    net getlocalsid
    net groupmap list

I'd like to help track this one down.

Cheers,
John T.
RE: [Samba] net groupmap / domain admins problem - Amazon prize
AH ha. John is the winner!!! I needed to delete the secrets.tdb file with the group_mapping.tdb.

John - email me off list and let me know how you want your gift certificate. Thanks for all your help.

Andy
Re: WAS: Re: [Samba] net groupmap / domain admins problem
Hi,

I also deleted my /var/lib/samba/group_mapping.tdb as you suggested in your mail before (I am using ldapsam, but I was afraid that there might be something left after the installation). But unfortunately it does not work. My groupmap seems to be ok.

OK, time for going to sleep :)

greetings from munich
hansjörg

    [EMAIL PROTECTED] root]# net groupmap list
    Domain Admins (S-1-5-21-3723159834-3326906825-3408399175-512) - Domain Admins
    Domain Users (S-1-5-21-3723159834-3326906825-3408399175-513) - Domain Users
    Domain Guests (S-1-5-21-3723159834-3326906825-3408399175-514) - Domain Guests
    Administrators (S-1-5-21-3723159834-3326906825-3408399175-544) - Administrators
    Users (S-1-5-21-3723159834-3326906825-3408399175-545) - Users
    Guests (S-1-5-21-3723159834-3326906825-3408399175-546) - Guests
    Power Users (S-1-5-21-3723159834-3326906825-3408399175-547) - Power Users
    Account Operators (S-1-5-21-3723159834-3326906825-3408399175-548) - Account Operators
    Server Operators (S-1-5-21-3723159834-3326906825-3408399175-549) - Server Operators
    Print Operators (S-1-5-21-3723159834-3326906825-3408399175-550) - Print Operators
    Backup Operators (S-1-5-21-3723159834-3326906825-3408399175-551) - Backup Operators
    Replicators (S-1-5-21-3723159834-3326906825-3408399175-552) - Replicator
    Domain Computers (S-1-5-21-3723159834-3326906825-3408399175-553) - Domain Computers
    sensodrivegroup (S-1-5-21-3723159834-3326906825-3408399175-3001) - sensodrivegroup
    Managementgroup (S-1-5-21-3723159834-3326906825-3408399175-3003) - managementgroup

Hansjoerg Maurer said:

Hi

I switched to

    valid users = +managementgroup

and still get

    [2004/01/08 10:46:52, 2] lib/access.c:check_access(324)
      Allowed connection from (192.168.1.100)
    [2004/01/08 10:46:52, 2] smbd/service.c:make_connection_snum(391)
      user 'sporer' (from session setup) not permitted to access this share (test)
    [2004/01/08 10:46:52, 3] smbd/error.c:error_packet(118)
      error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

(changed the name of the share to test to avoid a naming conflict with user management)

    [EMAIL PROTECTED] root]# smbclient -U sporer LINA\\test
    Password:
    tree connect failed: NT_STATUS_ACCESS_DENIED
    [EMAIL PROTECTED] root]# smbclient -U sporer LINA\\sporer
    Password:
    smb: \
    [EMAIL PROTECTED] root]# smbclient -U sporer LINA\\projekte-share
    Password:
    smb: \

With the share where sporer has the primary group in, it still works with the +sensodrivegroup.

Thank you
Hansjörg

John H Terpstra wrote:

Hansjoerg,

Instead of:

    valid users = @Groupe

Please try:

    valid users = +Groupe

Thanks.

- John T.

On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

Hi

thank you for your fast reply.

I have a user sporer

    [EMAIL PROTECTED] root]# id -a sporer
    uid=1000(sporer) gid=1000(sensodrivegroup) Gruppen=1000(sensodrivegroup),1001(managementgroup)

The user and the group is in ldap and nss_ldap seems to work..

    [EMAIL PROTECTED] root]# getent group
    root:x:0:root
    Domain Admins:x:912:
    Domain Users:x:913:
    Domain Guests:x:914:
    Administrators:x:944:
    Users:x:945:
    Guests:x:946:
    Power Users:x:947:
    Account Operators:x:948:
    Server Operators:x:949:
    Print Operators:x:950:Administrator
    Backup Operators:x:951:
    Replicator:x:952:
    Domain Computers:x:953:
    sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
    managementgroup:x:1001:management,root,haehnle,sporer,sporers

I am using

    [EMAIL PROTECTED] root]# rpm -q nss_ldap
    nss_ldap-207-3

on RH9.

Within samba I have two shares

    [Projekte]
    comment = Sensodrive-Projekte
    path = /home/sensodrive
    force group = sensodrivegroup
    force user = sensodrive
    valid users = @sensodrivegroup,root

    [Management]
    comment = Sensodrive-Management
    path = /home/management
    force group = managementgroup
    force user = management
    valid users = @managementgroup,root

Every user can access the Projekte share, because the primary group of every user is sensodrivegroup. When user sporer tries to access the Management share, he gets

    user 'sporer' (from session setup) not permitted to access this share (Management)

If I add the user sporer by his username to valid users it works

    valid users = @managementgroup,root,sporer,haehnle,sporers

Maybe this helps to solve the problem. If you need more information, or further testing, give me a note.

Thank you very much

Greetings
Hansjörg

John H Terpstra wrote:

On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

Hi

I have a question related to the groupmapping with ldapsam as backend. You described that group entries have to be in /etc/group with tdbsam as backend. I recognized that samba 3.0.1 with ldapsam does not recognize secondary groups in ldap (e.g. for accessing a share). The problem is described by [EMAIL PROTECTED] too (see his email attached). Do secondary groups have to be in /etc/groups in order to be recognized by samba even with ldapsam?

Whether or not
Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize
John,

I actually did try this out +groupe name, I don't believe I could get it to work. I tried many variations. I guess I need to experiment more with how nsswitch.conf and how pam is configured. I'm not real knowledgeable in this area.

I found an interesting work around for those of you looking for mapping drives from login scripts based on secondary + groups.

/etc/group
dusers:x:500:
staff:x:680:kent,fred,joe

/etc/passwd
kent:x:4044:500::/accounts/staff/kent:/bin/bash
ksnider:x:4045:500::/accounts/staff/fred:/bin/bash
joe:x:4045:500::/accounts/staff/joe:/bin/bash

Users primary group is dusers 500 but have secondary group staff 680.

In netlogon directory I put directory same name as share for example:
netlogon/staff-files

In the directory put single file secured by directory permissions example:
netlogon/staff-files/readme

directory permissions on staff-files directory in netlogon (0750)
drwxr-x--- 2 root staff 4096 Jan 7 07:40 staff-files

share is smb.conf:

[staff-files]
comment = Staff Files
path = /accounts/staff/staff-files
valid users = @staff
write list = @staff

In netlogon script reads as follows:

if exist \\SERVERNAME\netlogon\staff-files net use S: \\SERVERNAME\staff-files

Samba checks local Linux groups and if user is in group he/she is capable of reading file, drive is mapped.

Of course I wish all this info was in LDAP so I wouldn't have to mess with local groups but Christmas has gone by and I didn't find this solution in my stocking.

I can't take any credit for this idea. I found it in a 1999 posting but it's a temporary fix for something that I believe many of us are seeking.

Just have to say this stuff is marvelous. I've been utterly frustrated and amazed at the versatility of Samba. Thanks for your support.

On Thu, 2004-01-08 at 03:54, John H Terpstra wrote:

> Hansjoerg,
>
> Instead of: valid users = @Groupe
> Please try: valid users = +Groupe
>
> Thanks.
> - John T.
>
> On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>
>> Hi
>>
>> thank you, for your fast reply.
>>
>> I have a user sporer
>>
>> [EMAIL PROTECTED] root]# id -a sporer
>> uid=1000(sporer) gid=1000(sensodrivegroup) Gruppen=1000(sensodrivegroup),1001(managementgroup)
>>
>> The user and the group are in ldap and nss_ldap seems to work..
>>
>> [EMAIL PROTECTED] root]# getent group
>> root:x:0:root
>> Domain Admins:x:912:
>> Domain Users:x:913:
>> Domain Guests:x:914:
>> Administrators:x:944:
>> Users:x:945:
>> Guests:x:946:
>> Power Users:x:947:
>> Account Operators:x:948:
>> Server Operators:x:949:
>> Print Operators:x:950:Administrator
>> Backup Operators:x:951:
>> Replicator:x:952:
>> Domain Computers:x:953:
>> sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
>> managementgroup:x:1001:management,root,haehnle,sporer,sporers
>>
>> I am using
>> [EMAIL PROTECTED] root]# rpm -q nss_ldap
>> nss_ldap-207-3
>> on RH9
>>
>> Within samba I have two shares
>>
>> [Projekte]
>> comment = Sensodrive-Projekte
>> path = /home/sensodrive
>> force group = sensodrivegroup
>> force user = sensodrive
>> valid users = @sensodrivegroup,root
>>
>> [Management]
>> comment = Sensodrive-Management
>> path = /home/management
>> force group = managementgroup
>> force user = management
>> valid users = @managementgroup,root
>>
>> Every user can access the Projekte share, because the primary group of every user is sensodrivegroup.
>> When user sporer tries to access the Management share, he gets
>>
>> user 'sporer' (from session setup) not permitted to access this share (Management)
>>
>> If I add the user sporer by his username to valid users it works
>>
>> valid users = @managementgroup,root,sporer,haehnle,sporers
>>
>> Maybe this helps to solve the problem
>> If you need more information, or further testing give me a note
>>
>> Thank you very much
>>
>> Greetings
>> Hansjörg
>>
>> John H Terpstra wrote:
>>
>>> On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>>>
>>>> Hi
>>>>
>>>> i have a question related to the groupmapping with ldapsam as backend.
>>>> You described, that groupentries have to be in /etc/group with tdbsam as backend.
>>>> I recognized, that samba 3,0.1 with ldapsam does not recognize secondary groups in ldap. (e.g for accessing a share)
>>>> The problem is described by [EMAIL PROTECTED] to (see his email attached).
>>>>
>>>> Do secondary groups have to be in /etc/groups in order to be recognized by samba even with ldapsam?
>>>
>>> Whether or not this will work depends on how you configure ID resolution. Winbind apparently does not resolve secondary group membership. On the other hand, if you configure LDAP based ID resolution via the name service switcher (NSS) for both users and groups then secondary group membership resolution seems to work ok.
>>>
>>> The Posix user account should be in the LDAP database. You can then add users to multiple groups either in /etc/group or in the LDAP groups container.
>>>
>>> How did you
[Samba] net groupmap / domain admins problem - Amazon prize
I think that most of my problems are somewhat resolved except for this last one. I can not get domain admin rights to the ntadmins users. I get the following output for groupmaps:

[EMAIL PROTECTED] i386]# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) - users
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) - ntadmins
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

Obviously there is a problem with the domain '*' SID because there are duplicates. Any idea how to correct this problem and get the users logged in with admin rights? I have RH EN v.3 and samba 3.0.0-14.3E from RH. I can see the users from the samba server and the users can log in, but no rights. Big problem.

Now... I migrated from 2.2.3a to the above and I have all the tdb and I changed the SID to the last PDC. Anyway, how would I get the right SID? I have NTUSER.DAT files that I can run profiles against to read them. Would that help?

First one that can point me in the right direction to get this resolved - I'll buy them an amazon gift cert for $50. Beats going bald from pulling out my hair.

Andy Judge

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] net groupmap / domain admins problem - Amazon prize
On Wed, 7 Jan 2004, Andrew Judge wrote:

> I think that most of my problems are somewhat resolved except for this last one. I can not get domain admin rights to the ntadmins users. I get the following output for groupmaps:
>
> [EMAIL PROTECTED] i386]# net groupmap list
> System Operators (S-1-5-32-549) - -1
> Replicators (S-1-5-32-552) - -1
> Guests (S-1-5-32-546) - -1
> Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) - users
> Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
> Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
> Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
> Power Users (S-1-5-32-547) - -1
> Print Operators (S-1-5-32-550) - -1
> Administrators (S-1-5-32-544) - -1
> Account Operators (S-1-5-32-548) - -1
> Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) - ntadmins
> Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
> Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
> Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) - -1
> Backup Operators (S-1-5-32-551) - -1
> Users (S-1-5-32-545) - -1
>
> Obviously there is a problem with the domain '*' SID because there are duplicates. Any idea how to correct this problem and get the users logged in with admin rights? I have RH EN v.3 and samba 3.0.0-14.3E from RH. I can see the users from the samba server and the users can log in, but no rights. Big problem.

Ok. Roll up your sleeves!

I am presuming that you are NOT using an LDAP backend, that you still are using an smbpasswd backend datafile.

1. Stop Samba

2. Delete the group_mapping.tdb file.

3. Restart Samba - the default Domain Groups will automatically be created if you are NOT using LDAP ldapsam.

4. Map your groups as follows:

	net groupmap modify ntgroup="Domain Users" unixgroup=users
	net groupmap modify ntgroup="Domain Admins" unixgroup=root
	net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

   Add any Domain Groups you may want. Do tie them to existing (manually created UNIX groups) eg:

	groupadd engineers
	net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d

	groupadd ntadmins
	net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d

   PS: If you have a problem with these commands email me, I'll help you.

5. Add all users who should have Domain Admin rights to the UNIX root group in /etc/group, like this:

	root:0::jht,jimbo,jack,jill

6. Add all users who should have Workstation Admin rights (Power Users) to the UNIX ntadmins group in /etc/group, like this:

	ntadmins:123::maryo,susant,billm

7. Verify that the groups are correctly mapped: net groupmap list.

8. Now: On every windows client machine add:
	a) Domain Admins to the Local Administrators Group
	b) Domain Power Users to the Local Power Users Group

> Now... I migrated from 2.2.3a to the above and I have all the tdb and I changed the SID to the last PDC. Anyway, how would I get the right SID? I have NTUSER.DAT files that I can run profiles against to read them. Would that help?

You can use the Samba-3.0.x tools 'profiles' to reset the SID in the NTUSER.DAT files. To obtain the domain SID just run:

	net getlocalsid

> First one that can point me in the right direction to get this resolved - I'll buy them an amazon gift cert for $50. Beats going bald from pulling out my hair.

It's a deal man!

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
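An added example (not part of the thread and not Samba code): a Python check for the symptom Andrew reports, run over the `net groupmap list` output he posted. It flags mappings that sit under a domain SID other than the one `net getlocalsid` reports, groups left unmapped (`-1`), and the UNIX group that currently carries Domain Admins rights. The function names and the choice of local SID are assumptions of this example.

```python
import re
from collections import defaultdict

# `net groupmap list` output as posted in the message above.
POSTED_OUTPUT = """\
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) - users
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) - ntadmins
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
"""

# Assumption of this example: `net getlocalsid` would report the SID that
# carries the two working mappings in the posted output.
ASSUMED_LOCAL_SID = "S-1-5-21-4130613172-3879250231-1853402206"
BUILTIN_SID = "S-1-5-32"
DOMAIN_ADMINS_RID = 512

# "NT group (SID) -> unix group". The archived post shows "-" where Samba
# prints "->", so either separator is accepted.
LINE_RE = re.compile(
    r"^(?P<nt>.+?)\s+\((?P<sid>S-1(?:-\d+)+)\)\s+->?\s+(?P<unix>.+)$"
)


def parse_groupmap(text):
    """Return one dict per mapping line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # Everything before the last "-" identifies the domain, the rest is the RID.
        authority, _, rid = m["sid"].rpartition("-")
        entries.append({
            "nt": m["nt"],
            "sid": m["sid"],
            "authority": authority,
            "rid": int(rid),
            "unix": m["unix"].strip(),
        })
    return entries


def audit(entries, local_sid):
    """Compare parsed mappings against the server's own domain SID."""
    domain_sids = sorted({e["authority"] for e in entries
                          if e["authority"] != BUILTIN_SID})
    # Mappings left over from another domain SID (for example an old PDC).
    stale = [e for e in entries
             if e["authority"] not in (BUILTIN_SID, local_sid)]
    # "-1" means no UNIX group is attached, so membership grants nothing.
    unmapped = [e for e in entries if e["unix"] == "-1"]
    # NT group names registered under more than one SID prefix.
    seen = defaultdict(set)
    for e in entries:
        seen[e["nt"]].add(e["authority"])
    duplicated = sorted(name for name, auths in seen.items() if len(auths) > 1)
    # UNIX groups whose members are Domain Admins in the live domain.
    admin_groups = [e["unix"] for e in entries
                    if e["authority"] == local_sid
                    and e["rid"] == DOMAIN_ADMINS_RID
                    and e["unix"] != "-1"]
    return {
        "domain_sids": domain_sids,
        "stale": stale,
        "unmapped": unmapped,
        "duplicated_names": duplicated,
        "admin_unix_groups": admin_groups,
    }


if __name__ == "__main__":
    report = audit(parse_groupmap(POSTED_OUTPUT), ASSUMED_LOCAL_SID)
    print("domain SIDs found:", len(report["domain_sids"]))
    print("stale mappings:", [e["sid"] for e in report["stale"]])
    print("unmapped groups:", len(report["unmapped"]))
    print("Domain Admins maps to:", report["admin_unix_groups"])
```

Running the same audit again after step 7 of the procedure should show a single domain SID and no stale entries.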
[Samba] net groupmap
Hi everyone,

What does the parameter [type={domain|local|builtin}] in net groupmap (samba 3.0.0) mean?

Thanks
[Samba] Net groupmap fails
I have yet to get group mapping to work in samba 3.0. Getting very frustrated. I'm using openldap 2.1.23 as the backend database for samba 3.0.0. I've added the base domain groups as posixAccounts to the LDAP database using smbldap-populate.pl. [EMAIL PROTECTED]:/usr/local/etc/openldap# ldapsearch -xv -b o=30greatneck,dc=home,dc=net # Administrator, Users, 30GreatNeck, home.net dn: uid=Administrator,ou=Users,o=30GreatNeck,dc=home,dc=net cn: Administrator sn: Administrator objectClass: inetOrgPerson objectClass: sambaSAMAccount objectClass: posixAccount gidNumber: 512 uid: Administrator uidNumber: 998 homeDirectory: /accounts sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 sambaHomePath: \\Lnxsrv2\accounts sambaHomeDrive: H: sambaProfilePath: \\Lnxsrv2\profiles\ sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-512 sambaLMPassword: XXX sambaNTPassword: XXX sambaAcctFlags: [U ] sambaSID: S-1-5-21-739112995-4084651483-89095900-2996 loginShell: /bin/false gecos: Netbios Domain Administrator # nobody, Users, 30GreatNeck, home.net dn: uid=nobody,ou=Users,o=30GreatNeck,dc=home,dc=net cn: nobody sn: nobody objectClass: inetOrgPerson objectClass: sambaSAMAccount objectClass: posixAccount gidNumber: 514 uid: nobody uidNumber: 999 homeDirectory: /dev/null sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 sambaHomePath: \\Lnxsrv2\accounts sambaHomeDrive: H: sambaProfilePath: \\Lnxsrv2\profiles\ sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-514 sambaLMPassword: NO PASSWORDX sambaNTPassword: NO PASSWORDX sambaAcctFlags: [NU ] sambaSID: S-1-5-21-739112995-4084651483-89095900-2998 loginShell: /bin/false # Domain Admins, Groups, 30GreatNeck, home.net # Domain Admins, Groups, 30GreatNeck, home.net dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net 
objectClass: posixGroup gidNumber: 512 cn: Domain Admins memberUid: Administrator description: Netbios Domain Administrators (need smb.conf configuration) # Domain Users, Groups, 30GreatNeck, home.net dn: cn=Domain Users,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 513 cn: Domain Users description: Netbios Domain Users (not implemented yet) memberUid: kent # Domain Guests, Groups, 30GreatNeck, home.net dn: cn=Domain Guests,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 514 cn: Domain Guests description: Netbios Domain Guests Users (not implemented yet) # Administrators, Groups, 30GreatNeck, home.net dn: cn=Administrators,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 544 cn: Administrators description: Netbios Domain Members can fully administer the computer/sambaDom ainName (not implemented yet) # Users, Groups, 30GreatNeck, home.net dn: cn=Users,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 545 cn: Users description: Netbios Domain Ordinary users (not implemented yet) # Guests, Groups, 30GreatNeck, home.net dn: cn=Guests,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 546 cn: Guests memberUid: nobody description: Netbios Domain Users granted guest access to the computer/sambaDo mainName (not implemented yet) # Power Users, Groups, 30GreatNeck, home.net dn: cn=Power Users,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 547 cn: Power Users description: Netbios Domain Members can share directories and printers (not im plemented yet) # Account Operators, Groups, 30GreatNeck, home.net dn: cn=Account Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 548 cn: Account Operators description: Netbios Domain Users to manipulate users accounts (not implemente d yet) # Server Operators, Groups, 30GreatNeck, home.net dn: cn=Server Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net 
objectClass: posixGroup gidNumber: 549 cn: Server Operators description: Netbios Domain Server Operators (need smb.conf configuration) # Print Operators, Groups, 30GreatNeck, home.net dn: cn=Print Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 550 cn: Print
Re: Réf. : [Samba] Net groupmap fails
Stephanie,

Thank you for your help. I tried what you suggest but no luck.. I get this:

[EMAIL PROTECTED]:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512
Can't lookup UNIX group Domain Admins

Is there something with initial compiling samba 3.0.0 that would disable this? All the documentation that I've seen makes it look so easy, but I can't get it to work.

On Fri, 2003-11-07 at 06:48, [EMAIL PROTECTED] wrote:

> try
>
> /usr/local/samba/bin/net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512
>
> dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
>
> This group is the unix group.
>
> ---
> Stéphane PURNELLE [EMAIL PROTECTED]
> Service Informatique Corman S.A. Tel : 00 32 087/342467
>
> Kent L. Nasveschuk [EMAIL PROTECTED] Sent by: To: Samba List Server [EMAIL PROTECTED] [EMAIL PROTECTED] cc: .samba.org Subject: [Samba] Net groupmap fails 07/11/2003 12:31
>
>> I have yet to get group mapping to work in samba 3.0. Getting very frustrated.
>>
>> I'm using openldap 2.1.23 as the backend database for samba 3.0.0. I've added the base domain groups as posixAccounts to the LDAP database using smbldap-populate.pl.
[EMAIL PROTECTED]:/usr/local/etc/openldap# ldapsearch -xv -b o=30greatneck,dc=home,dc=net # Administrator, Users, 30GreatNeck, home.net dn: uid=Administrator,ou=Users,o=30GreatNeck,dc=home,dc=net cn: Administrator sn: Administrator objectClass: inetOrgPerson objectClass: sambaSAMAccount objectClass: posixAccount gidNumber: 512 uid: Administrator uidNumber: 998 homeDirectory: /accounts sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 sambaHomePath: \\Lnxsrv2\accounts sambaHomeDrive: H: sambaProfilePath: \\Lnxsrv2\profiles\ sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-512 sambaLMPassword: XXX sambaNTPassword: XXX sambaAcctFlags: [U ] sambaSID: S-1-5-21-739112995-4084651483-89095900-2996 loginShell: /bin/false gecos: Netbios Domain Administrator # nobody, Users, 30GreatNeck, home.net dn: uid=nobody,ou=Users,o=30GreatNeck,dc=home,dc=net cn: nobody sn: nobody objectClass: inetOrgPerson objectClass: sambaSAMAccount objectClass: posixAccount gidNumber: 514 uid: nobody uidNumber: 999 homeDirectory: /dev/null sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 sambaHomePath: \\Lnxsrv2\accounts sambaHomeDrive: H: sambaProfilePath: \\Lnxsrv2\profiles\ sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-514 sambaLMPassword: NO PASSWORDX sambaNTPassword: NO PASSWORDX sambaAcctFlags: [NU ] sambaSID: S-1-5-21-739112995-4084651483-89095900-2998 loginShell: /bin/false # Domain Admins, Groups, 30GreatNeck, home.net # Domain Admins, Groups, 30GreatNeck, home.net dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 512 cn: Domain Admins memberUid: Administrator description: Netbios Domain Administrators (need smb.conf configuration) # Domain Users, Groups, 30GreatNeck, home.net dn: cn=Domain 
Users,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 513 cn: Domain Users description: Netbios Domain Users (not implemented yet) memberUid: kent # Domain Guests, Groups, 30GreatNeck, home.net dn: cn=Domain Guests,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass
Re: Réf. : [Samba] Net groupmap fails
Kent L. Nasveschuk wrote:

| [EMAIL PROTECTED]:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512
| Can't lookup UNIX group Domain Admins
|
| Is there something with initial compiling samba 3.0.0 that would disable
| this? All the documentation that I've seen makes it look so easy, but I
| can't get it to work.

Should work as far as I can tell. try running

  net groupmap add ntgroup="Domain Admins" \
      unixgroup="Domain Admins" rid=512 --debuglevel=10

and see if you get any clues.

cheers, jerry
--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
You can never go home again, Oatman, but I guess you can shop there.
  --John Cusack - Grosse Point Blank (1997)
Re: Réf. : [Samba] Net groupmap fails
On Fri, 7 Nov 2003, Kent L. Nasveschuk wrote:

> Stephanie,
>
> Thank you for your help. I tried what you suggest but no luck.. I get this:
>
> [EMAIL PROTECTED]:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512
> Can't lookup UNIX group Domain Admins
>
> Is there something with initial compiling samba 3.0.0 that would disable this? All the documentation that I've seen makes it look so easy, but I can't get it to work.

No. You need to add scripts that will work on your system for entries like:

	add machine script
	add user script
	add group script

Here are the minimal entries for my current network configuration:

	add user script = /usr/sbin/useradd -m %u
	delete user script = /usr/sbin/userdel -r %u
	add group script = /usr/sbin/groupadd %g
	delete group script = /usr/sbin/groupdel %g
	add user to group script = /usr/sbin/usermod -G %g %u
	add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

I hope this helps you.

Note: The Linux groupadd utility will NOT allow you to add a group that has upper case characters or spaces in it!

Cheers,
John T.

> On Fri, 2003-11-07 at 06:48, [EMAIL PROTECTED] wrote:
>
>> try
>>
>> /usr/local/samba/bin/net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512
>>
>> dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net
>> objectClass: posixGroup
>>
>> This group is the unix group.
>>
>> ---
>> Stéphane PURNELLE [EMAIL PROTECTED]
>> Service Informatique Corman S.A. Tel : 00 32 087/342467
>>
>> Kent L. Nasveschuk [EMAIL PROTECTED] Sent by: To: Samba List Server [EMAIL PROTECTED] [EMAIL PROTECTED] cc: .samba.org Subject: [Samba] Net groupmap fails 07/11/2003 12:31
>>
>>> I have yet to get group mapping to work in samba 3.0. Getting very frustrated.
>>>
>>> I'm using openldap 2.1.23 as the backend database for samba 3.0.0. I've added the base domain groups as posixAccounts to the LDAP database using smbldap-populate.pl.
[EMAIL PROTECTED]:/usr/local/etc/openldap# ldapsearch -xv -b o=30greatneck,dc=home,dc=net # Administrator, Users, 30GreatNeck, home.net dn: uid=Administrator,ou=Users,o=30GreatNeck,dc=home,dc=net cn: Administrator sn: Administrator objectClass: inetOrgPerson objectClass: sambaSAMAccount objectClass: posixAccount gidNumber: 512 uid: Administrator uidNumber: 998 homeDirectory: /accounts sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 sambaHomePath: \\Lnxsrv2\accounts sambaHomeDrive: H: sambaProfilePath: \\Lnxsrv2\profiles\ sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-512 sambaLMPassword: XXX sambaNTPassword: XXX sambaAcctFlags: [U ] sambaSID: S-1-5-21-739112995-4084651483-89095900-2996 loginShell: /bin/false gecos: Netbios Domain Administrator # nobody, Users, 30GreatNeck, home.net dn: uid=nobody,ou=Users,o=30GreatNeck,dc=home,dc=net cn: nobody sn: nobody objectClass: inetOrgPerson objectClass: sambaSAMAccount objectClass: posixAccount gidNumber: 514 uid: nobody uidNumber: 999 homeDirectory: /dev/null sambaPwdLastSet: 0 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 sambaHomePath: \\Lnxsrv2\accounts sambaHomeDrive: H: sambaProfilePath: \\Lnxsrv2\profiles\ sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-514 sambaLMPassword: NO PASSWORDX sambaNTPassword: NO PASSWORDX sambaAcctFlags: [NU ] sambaSID: S-1-5-21-739112995-4084651483-89095900-2998 loginShell: /bin/false # Domain Admins, Groups, 30GreatNeck, home.net # Domain Admins, Groups, 30GreatNeck, home.net dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 512 cn: Domain Admins memberUid: Administrator description: Netbios Domain Administrators (need smb.conf configuration) # Domain Users, Groups, 30GreatNeck, home.net dn: cn=Domain 
Users,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 513 cn: Domain Users description: Netbios Domain Users (not implemented yet) memberUid: kent # Domain Guests, Groups, 30GreatNeck, home.net dn: cn=Domain Guests,ou=Groups,o=30GreatNeck,dc=home,dc=net objectClass: posixGroup gidNumber: 514 cn: Domain Guests description: Netbios Domain Guests Users (not implemented yet) # Administrators, Groups, 30GreatNeck, home.net dn: cn=Administrators,ou=Groups,o=30GreatNeck,dc
Re: Réf. : [Samba] Net groupmap fails
On Fri, 7 Nov 2003, Gerald (Jerry) Carter wrote:

> Kent L. Nasveschuk wrote:
>
> | [EMAIL PROTECTED]:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512
> | Can't lookup UNIX group Domain Admins
> |
> | Is there something with initial compiling samba 3.0.0 that would disable
> | this? All the documentation that I've seen makes it look so easy, but I
> | can't get it to work.
>
> Should work as far as I can tell. try running
>
>   net groupmap add ntgroup="Domain Admins" \
>       unixgroup="Domain Admins" rid=512 --debuglevel=10
>
> and see if you get any clues.

Hint: Make sure that you have all your add scripts in place. Also, make sure that these scripts can handle object names that have upper case characters and/or spaces in them.

PS: groupadd does NOT permit spaces or upper case characters in a group name.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: Réf. : [Samba] Net groupmap fails
John H Terpstra wrote:

| Should work as far as I can tell. try running
|
|   net groupmap add ntgroup="Domain Admins" \
|       unixgroup="Domain Admins" rid=512 --debuglevel=10
|
| and see if you get any clues.
|
| Hint: Make sure that you have all your add scripts
| in place. Also, make sure that these scripts can handle
| object names that have upper case characters and/or
| spaces in them.

Does matter here. net group map doesn't run them for you anyways. And in this case the group already existed.

| PS: groupadd does NOT permit spaces or upper case
| characters in a group name.

In the unix group name? or the nt group name? I know the ntgroup name is fine. If the unix group name won't accept spaces, then this is a bug. (which is why I asked for a log to start with).

ciao, jerry
--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
If we're adding to the noise, turn off this song --Switchfoot (2003)
Re: Réf. : [Samba] Net groupmap fails
On Fri, 7 Nov 2003, Gerald (Jerry) Carter wrote:

> John H Terpstra wrote:
>
> | Should work as far as I can tell. try running
> |
> |   net groupmap add ntgroup="Domain Admins" \
> |       unixgroup="Domain Admins" rid=512 --debuglevel=10
> |
> | and see if you get any clues.
> |
> | Hint: Make sure that you have all your add scripts
> | in place. Also, make sure that these scripts can handle
> | object names that have upper case characters and/or
> | spaces in them.
>
> Does matter here. net group map doesn't run them for you anyways. And in this case the group already existed.

It matters if you do a net rpc vampire, which does call the add X scripts.

> | PS: groupadd does NOT permit spaces or upper case
> | characters in a group name.
>
> In the unix group name? or the nt group name? I know the ntgroup name is fine. If the unix group name won't accept spaces, then this is a bug. (which is why I asked for a log to start with).

Please note that I specifically said that the groupadd utility does not permit uppercase or spaces. Linux works fine with groups that have up to 32 characters, even with uppercase and spaces.

It is the groupadd utility that is broken in Linux distributions. This utility is part of the shadow-utils package. I wrote to the maintainer a long time back but have not had any reply. I also tried to pursue this through other avenues who simply told me to suck it up - lower case is the UNIX way!. :)

Go figure!

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: Réf. : [Samba] Net groupmap fails
When I ran smbldap_populate.pl the objectclass sambaGroupMapping was not present. I don't know if it is supposed to be created or not but when I used ldapmodify with a file that contained:

dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net
add: objectclass
objectclass: sambaGroupMapping
sambaSID: S-1-5-21-739112995-4084651483-89095900-512
sambaGroupType: 2

Now when I run net groupmap list I get

Domain Admins (S-1-5-21...512) = 512

Guess I will have to do that with all of the groups created by smbldap-populate.pl.

found at archive:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg21134.html

Am I doing this right?

On Fri, 2003-11-07 at 10:31, Gerald (Jerry) Carter wrote:

> Kent L. Nasveschuk wrote:
>
> | [EMAIL PROTECTED]:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512
> | Can't lookup UNIX group Domain Admins
> |
> | Is there something with initial compiling samba 3.0.0 that would disable
> | this? All the documentation that I've seen makes it look so easy, but I
> | can't get it to work.
>
> Should work as far as I can tell. try running
>
>   net groupmap add ntgroup="Domain Admins" \
>       unixgroup="Domain Admins" rid=512 --debuglevel=10
>
> and see if you get any clues.
>
> cheers, jerry
> --
> Hewlett-Packard - http://www.hp.com
> SAMBA Team -- http://www.samba.org
> GnuPG Key http://www.plainjoe.org/gpg_public.asc
> You can never go home again, Oatman, but I guess you can shop there.
>   --John Cusack - Grosse Point Blank (1997)

--
Kent L. Nasveschuk [EMAIL PROTECTED]
Re: Réf. : [Samba] Net groupmap fails
Did run a lower debug level -d 2 which gave me a clue that there was no objectclass sambaGroupMapping.

Kent

On Fri, 2003-11-07 at 11:09, Gerald (Jerry) Carter wrote:

> John H Terpstra wrote:
>
> | Should work as far as I can tell. try running
> |
> |   net groupmap add ntgroup="Domain Admins" \
> |       unixgroup="Domain Admins" rid=512 --debuglevel=10
> |
> | and see if you get any clues.
> |
> | Hint: Make sure that you have all your add scripts
> | in place. Also, make sure that these scripts can handle
> | object names that have upper case characters and/or
> | spaces in them.
>
> Does matter here. net group map doesn't run them for you anyways. And in this case the group already existed.
>
> | PS: groupadd does NOT permit spaces or upper case
> | characters in a group name.
>
> In the unix group name? or the nt group name? I know the ntgroup name is fine. If the unix group name won't accept spaces, then this is a bug. (which is why I asked for a log to start with).
>
> ciao, jerry
> --
> Hewlett-Packard - http://www.hp.com
> SAMBA Team -- http://www.samba.org
> GnuPG Key http://www.plainjoe.org/gpg_public.asc
> If we're adding to the noise, turn off this song --Switchfoot (2003)

--
Kent L. Nasveschuk [EMAIL PROTECTED]
Re: Réf. : [Samba] Net groupmap fails
John H Terpstra wrote:
|Does matter here. net group map doesn't run them

and this was supposed to does not. Sorry for the typo.

|for you anyways. And in this case the group already
|existed.
|
|
| It matters if you do a net rpc vampire, which does
| call the add X scripts.

Right. I know this. I've worked on that code a fair amount. :-) But that is not what we are doing here. Let's not confuse the issue.

| Please note that I specifically said that the groupadd
| utility does not permit uppercase of spaces. Linux works
| fine with groups that have up to 32 characters, even
| with uppercase and spaces.

ok. but i'll point out that you are confusing the issue again. Let's stay on topic here. We are dealing with ldap posixGroups here.

ciao, jerry
--
~ Hewlett-Packard- http://www.hp.com
~ SAMBA Team -- http://www.samba.org
~ GnuPG Key http://www.plainjoe.org/gpg_public.asc
~ If we're adding to the noise, turn off this song --Switchfoot (2003)
Re: Réf. : [Samba] Net groupmap fails
Kent L. Nasveschuk wrote:
| Did run a lower debug level -d 2 which gave me a clue that there was no
| objectclass sambaGroupMapping.

There should be no match if you haven't added a group mapping entry. You've bypassed the problem but not helped me to figure out why it was failing in this place.

cheers, jerry
--
~ Hewlett-Packard- http://www.hp.com
~ SAMBA Team -- http://www.samba.org
~ GnuPG Key http://www.plainjoe.org/gpg_public.asc
~ If we're adding to the noise, turn off this song --Switchfoot (2003)
Re: [Samba] net groupmap modify bug
Kristyan Osborne wrote:
| Hi,
|
| After a successful upgrade from samba3alpha19 to samba3.0.1pre1 I am now doing the group mapping stage.
|
| The problem I am having is modifying a group in the LDAP directory. I
| am using net groupmap modify ntgroup=staff unixgroup=staff
| type=domain.

I think this might have just been fixed in the CVS tree today. If not let me know.

| [2003/10/29 17:21:39, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1615)
| ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=203))]
| net: decode.c:500: ber_scanf: Assertion `(( ber )-ber_opts.lbo_valid==0x2)' failed.

cheers, jerry
~ --
~ Hewlett-Packard- http://www.hp.com
~ SAMBA Team -- http://www.samba.org
~ GnuPG Key http://www.plainjoe.org/gpg_public.asc
~ You can never go home again, Oatman, but I guess you can shop there.
~--John Cusack - Grosse Point Blank (1997)
[Samba] net groupmap modify bug
Hi,

After a successful upgrade from samba3alpha19 to samba3.0.1pre1 I am now doing the group mapping stage.

The problem I am having is modifying a group in the LDAP directory. I am using net groupmap modify ntgroup=staff unixgroup=staff type=domain. The error it is coming up with is

[2003/10/29 17:21:39, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1615)
  ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=203))]
net: decode.c:500: ber_scanf: Assertion `(( ber )-ber_opts.lbo_valid==0x2)' failed.
Aborted

Is this a bug in the code or am I doing something silly??

I have attached to the bottom a level 10 debug of the net command

Cheers

- Kristyan Osborne - IT Technician / Community Manager
Longhill High School
01273 391672 / 304086
--
Computers are like airconditioners: They stop working properly if you open windows.
Win95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
[2003/10/29 17:21:39, 5] passdb/pdb_interface.c:make_pdb_methods_name(431)
  Attempting to find an passdb backend to match ldapsam:ldap://10.108.1.87 (ldapsam)
[2003/10/29 17:21:39, 5] passdb/pdb_interface.c:make_pdb_methods_name(452)
  Found pdb backend ldapsam
[2003/10/29 17:21:39, 2] lib/smbldap.c:smbldap_search_domain_info(1295)
  Searching for:[((objectClass=sambaDomain)(sambaDomainName=LONGHILL))]
[2003/10/29 17:21:39, 2] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching for:[((objectClass=sambaDomain)(sambaDomainName=LONGHILL))]
[2003/10/29 17:21:39, 10] lib/smbldap.c:smbldap_open_connection(527)
  smbldap_open_connection: ldap://10.108.1.87
[2003/10/29 17:21:39, 2] lib/smbldap.c:smbldap_open_connection(623)
  smbldap_open_connection: connection opened
[2003/10/29 17:21:39, 10] lib/smbldap.c:smbldap_connect_system(750)
  ldap_connect_system: Binding to ldap server ldap://10.108.1.87 as cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk
[2003/10/29 17:21:39, 3] lib/smbldap.c:smbldap_connect_system(785)
  ldap_connect_system: succesful connection to the LDAP server
[2003/10/29 17:21:39, 4] lib/smbldap.c:smbldap_open(836)
  The LDAP server is succesful connected
[2003/10/29 17:21:39, 5] passdb/pdb_interface.c:make_pdb_methods_name(455)
  pdb backend ldapsam:ldap://10.108.1.87 has a valid init
[2003/10/29 17:21:39, 5] passdb/pdb_interface.c:make_pdb_methods_name(431)
  Attempting to find an passdb backend to match guest (guest)
[2003/10/29 17:21:39, 5] passdb/pdb_interface.c:make_pdb_methods_name(452)
  Found pdb backend guest
[2003/10/29 17:21:39, 5] passdb/pdb_interface.c:make_pdb_methods_name(455)
  pdb backend guest has a valid init
[2003/10/29 17:21:39, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1615)
  ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(|(displayName=staff)(cn=staff)))]
[2003/10/29 17:21:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(1659)
  init_group_from_ldap: Entry found for group: 203
[2003/10/29 17:21:39, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1615)
  ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-3582397119-3001034316-1885025900-1407))]
[2003/10/29 17:21:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(1659)
  init_group_from_ldap: Entry found for group: 203
[2003/10/29 17:21:39, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1615)
  ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=203))]
net: decode.c:500: ber_scanf: Assertion `(( ber )-ber_opts.lbo_valid==0x2)' failed.
Aborted
[Samba] net groupmap modify ntgroup=Domain Admins ... succeeds but fails
After reading through the documentation, I realized that as a part of the migration process from Samba-2.2.X to Samba-3.0.0 I needed to convert everyone in my smbadmin group (previously domain admin group = @smbadmin) to the Domain Admins group w/rid=512. So, I issued the following command:

[EMAIL PROTECTED] profile]# net groupmap modify ntgroup=Domain Admins unixgroup=smbadmin

The command succeeded as was evidenced by net groupmap list:

[EMAIL PROTECTED] profile]# net groupmap list
System Operators (S-1-5-32-549) - -1
...
Domain Admins (S-1-5-21-3270268339-1200857648-3960152354-512) - smbadmin

My understanding of the documentation is that the Domain Admins group is automatically added to the Administrators on all machines that are a member of the domain, however, when I try to log into any of these machines as an administrator, I authenticate successfully but am not considered to be an administrator.

To get around this for now, I logged onto the given local machine, went to the user management section, and added the individual account to the Administrators group. This is a rough hack, but works.

What am I doing wrong? How come I'm an administrator without any administrator permissions?

Thanks.

--Kaleb
Re: [Samba] net groupmap modify ntgroup=Domain Admins ... succeeds but fails
On Wednesday 15 October 2003 16:20, Kaleb Pederson wrote:
> What am I doing wrong? How come I'm an administrator without any administrator permissions?

I think I had to restart Samba after doing this to make it effective.

--
Chris
Do not reply to the email address. Please use the contact page below for any desired direct replies. Apologies for the inconvenience.
realcomputerguy dot com slash contact dot html
Re: [Samba] net groupmap modify ntgroup=Domain Admins ... succeeds but fails
On Wednesday 15 October 2003 01:29 pm, you wrote:
> On Wednesday 15 October 2003 16:20, Kaleb Pederson wrote:
> > What am I doing wrong? How come I'm an administrator without any administrator permissions?
>
> I think I had to restart Samba after doing this to make it effective.

Thanks Chris, that did it! For some reason I assumed that since it was associated with the user that it would be read in as soon as I logged back in and didn't require a samba restart? Apparently that's not the case.

Thanks again.

--Kaleb
Re: [Samba] net groupmap modify ntgroup=Domain Admins ... succeeds but fails
Kaleb Pederson wrote:
> After reading through the documentation, I realized that as a part of the migration process from Samba-2.2.X to Samba-3.0.0 I needed to convert everyone in my smbadmin group (previously domain admin group = @smbadmin) to the Domain Admins group w/rid=512. So, I issued the following command:
>
> [EMAIL PROTECTED] profile]# net groupmap modify ntgroup=Domain Admins unixgroup=smbadmin
>
> The command succeeded as was evidenced by net groupmap list:
>
> [EMAIL PROTECTED] profile]# net groupmap list
> System Operators (S-1-5-32-549) - -1
> ...
> Domain Admins (S-1-5-21-3270268339-1200857648-3960152354-512) - smbadmin
>
> My understanding of the documentation is that the Domain Admins group is automatically added to the Administrators on all machines that are a member of the domain, however, when I try to log into any of these machines as an administrator, I authenticate successfully but am not considered to be an administrator.
>
> To get around this for now, I logged onto the given local machine, went to the user management section, and added the individual account to the Administrators group. This is a rough hack, but works.
>
> What am I doing wrong? How come I'm an administrator without any administrator permissions?
>
> Thanks.
>
> --Kaleb

administrator is a member of smbadmin group ?
[Samba] net groupmap displays multiples
A net groupmap list shows 2 each of Domain Admins and Domain Guests as marked below with ** and *** respectively.

System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
**Domain Admins (S-1-5-21-1068423669-2868761170-579274183-512) - -1
Account Operators (S-1-5-32-548) - -1
***Domain Guests (S-1-5-21-1068423669-2868761170-579274183-514) - -1
Domain Users (S-1-5-21-1068423669-2868761170-579274183-513) - users
**Domain Admins (S-1-5-21-2884117546-2866258145-1073336595-512) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
***Domain Guests (S-1-5-21-2884117546-2866258145-1073336595-514) - -1

A net groupmap delete ntgroup=Domain Admins looks like it works:

Sucessfully removed Domain Admins from the mapping db

but yet the multiples remain. Is this normal and if not what can or should be done.

Thanks.

Chris
Re: [Samba] net groupmap displays multiples
On Sat, 27 Sep 2003, Chris Smith wrote:
> A net groupmap list shows 2 each of Domain Admins and Domain Guests as marked below with ** and *** respectively.
>
> System Operators (S-1-5-32-549) - -1
> Replicators (S-1-5-32-552) - -1
> Guests (S-1-5-32-546) - -1
> Power Users (S-1-5-32-547) - -1
> Print Operators (S-1-5-32-550) - -1
> Administrators (S-1-5-32-544) - -1
> **Domain Admins (S-1-5-21-1068423669-2868761170-579274183-512) - -1
> Account Operators (S-1-5-32-548) - -1
> ***Domain Guests (S-1-5-21-1068423669-2868761170-579274183-514) - -1
> Domain Users (S-1-5-21-1068423669-2868761170-579274183-513) - users
> **Domain Admins (S-1-5-21-2884117546-2866258145-1073336595-512) - -1
> Backup Operators (S-1-5-32-551) - -1
> Users (S-1-5-32-545) - -1
> ***Domain Guests (S-1-5-21-2884117546-2866258145-1073336595-514) - -1
>
> A net groupmap delete ntgroup=Domain Admins looks like it works:
>
> Sucessfully removed Domain Admins from the mapping db
>
> but yet the multiples remain. Is this normal and if not what can or should be done.

It looks here as if you changed either the domain name or the machine name of your Samba server. That will result in the duplicate entries you see here.

To correct this, stop Samba, delete the group_mapping.tdb file. Then restart Samba and do not forget to map your Domain groups to valid UNIX groups.

The Domain Admins group (RID=512) should be mapped to root (GID=0) so that you have true equivalency of administrative rights in both Windows and UNIX environments.

- John T.
--
John H Terpstra Email: [EMAIL PROTECTED]
Re: [Samba] net groupmap displays multiples
On Saturday 27 September 2003 21:08, John H Terpstra wrote:
> It looks here as if you changed either the domain name or the machine name of your Samba server. That will result in the duplicate entries you see here.

OK, this probably happened during a reasonably sloppy install - I didn't quite know all the details (this is not to say that I know them now!). I had a standard SuSE 7.3 setup with Samba 2.2.7a and decided to compile 3.0 and install it in the default directories. So there were a few attempts at starting the new version with no to poor results before I finally found all the files (I think so, anyway) that needed to be copied from the default SuSE directories to the default 3.0 directories.

> To correct this, stop Samba, delete the group_mapping.tdb file. Then restart Samba and do not forget to map your Domain groups to valid UNIX groups.

Yes, very good, that did it.

> The Domain Admins group (RID=512) should be mapped to root (GID=0) so that you have true equivalency of administrative rights in both Windows and UNIX environments.

A possibility but I will pass on that for now as I don't fully know the ramifications of adding a user to the root group in Linux (but would certainly like to know).

Chris
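An added example, not part of the thread and not Samba code: a Python check over net groupmap list output that flags the two conditions discussed in this thread (the same NT group listed under more than one domain SID, as happens after a domain or machine rename, and domain groups still mapped to -1) and reports which Unix group RID 512 resolves to. The listing embedded below is the one Chris Smith posted; the function names and finding labels are assumptions of this example.

```python
import re
from collections import defaultdict

# One entry of `net groupmap list`:  NT name (SID) -> unix group
# Samba prints "->" as the separator; a bare "-" is accepted as well, and
# leading "*" marks (used in the posted listing) are ignored.
LINE_RE = re.compile(
    r"^\**\s*(?P<name>.+?)\s+\((?P<sid>S-1(?:-\d+)+)\)\s+(?:->|-)\s+(?P<unix>\S.*)$"
)

DOMAIN_PREFIX = "S-1-5-21-"   # SIDs issued by a domain / machine account database
UNMAPPED = "-1"               # printed when no Unix group is attached
DOMAIN_ADMINS_RID = 512

# Listing from Chris Smith's post (27 Sep 2003), markers included.
SAMPLE_LISTING = """\
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
**Domain Admins (S-1-5-21-1068423669-2868761170-579274183-512) - -1
Account Operators (S-1-5-32-548) - -1
***Domain Guests (S-1-5-21-1068423669-2868761170-579274183-514) - -1
Domain Users (S-1-5-21-1068423669-2868761170-579274183-513) - users
**Domain Admins (S-1-5-21-2884117546-2866258145-1073336595-512) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
***Domain Guests (S-1-5-21-2884117546-2866258145-1073336595-514) - -1
"""


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-512' into ('S-1-5-21-a-b-c', 512)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def parse_groupmap(text):
    """Parse listing text into dicts; lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        prefix, rid = split_sid(m["sid"])
        entries.append({"name": m["name"], "sid": m["sid"],
                        "prefix": prefix, "rid": rid, "unix": m["unix"]})
    return entries


def audit(entries):
    """Return a list of (label, group name, detail) findings."""
    findings = []
    domain = [e for e in entries if e["sid"].startswith(DOMAIN_PREFIX)]

    # 1. Same NT group name under more than one domain SID: stale mappings
    #    left behind when the domain or machine name changed.
    prefixes_by_name = defaultdict(set)
    for e in domain:
        prefixes_by_name[e["name"]].add(e["prefix"])
    for name, prefixes in sorted(prefixes_by_name.items()):
        if len(prefixes) > 1:
            findings.append(("duplicate-domain-sid", name, sorted(prefixes)))

    # 2. Domain groups with no Unix group behind them.
    for e in domain:
        if e["unix"] == UNMAPPED:
            findings.append(("unmapped", e["name"], e["sid"]))

    # 3. Which Unix group carries Domain Admins rights; its membership
    #    is what needs reviewing.
    for e in domain:
        if e["rid"] == DOMAIN_ADMINS_RID and e["unix"] != UNMAPPED:
            findings.append(("domain-admins-mapping", e["name"], e["unix"]))
    return findings


if __name__ == "__main__":
    for label, name, detail in audit(parse_groupmap(SAMPLE_LISTING)):
        print(f"{label:22} {name:15} {detail}")
```

Feed it the live output with net groupmap list piped into parse_groupmap(sys.stdin.read()) before and after deleting group_mapping.tdb to confirm the stale SID prefix is gone.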
[Samba] Net groupmap problem.
Hi,

I am trying to use samba3.0.0beta2 as PDC with openldap. Everything works. I can create unix user on LDAP server and then create samba user with smbpasswd -a command. The only problem so far is net commands.

First of all when I tried to list all users with net user command I can only do it with user name and password which exist on LDAP. The rootdn and password stored in secrets.tdb file doesn't work.

I also created unix admin group and tried to map it to NT Domain Admins group using net groupmap add command. When I executed the command

net groupmap add sid=S-... ntgroup=Domain Admins unixgroup=sysadm

the output was:

Successully added group Domain Admins to the mapping db

But nothing happened. When I tried to list groups with command net groupmap list nothing was listed.

What is wrong? Is samba3 fully functional with LDAP?

Regards,
Ely Zavin.
Re: [Samba] net groupmap syntax ?!?
net groupmap modify unixgroup=smbadmin ntgroup=Domain Admins

does the job

regards

> On 10 Jun 2003, Holger Brückner wrote:
> > hello,
> >
> > trying to follow the example in the howto-collection.
> > this is a samba 3.0beta-1 from debian, recompiled with ldapsam support
> >
> > referring to the howto, the following command should work:
> >
> > net groupmap add unixgroup=smbadmin ntgroup=Domain Admins
> >
> > unfortunately it just says:
> >
> > svpdc:~# net groupmap add unixgroup=smbadmin ntgroup=Domain Admins
> > Usage: net groupmap add {rid=int|sid=string} unixgroup=string [type=domain|local|builtin] [ntgroup=string] [comment=string]
>
> give it a rid or SID.
>
> cheers, jerry
> --
> Hewlett-Packard- http://www.hp.com
> SAMBA Team -- http://www.samba.org
> GnuPG Key http://www.plainjoe.org/gpg_public.asc
> You can never go home again, Oatman, but I guess you can shop there.
> --John Cusack - Grosse Point Blank (1997)
Re: [Samba] net groupmap syntax ?!?
On 10 Jun 2003, Holger Brückner wrote:
> hello,
>
> trying to follow the example in the howto-collection.
> this is a samba 3.0beta-1 from debian, recompiled with ldapsam support
>
> referring to the howto, the following command should work:
>
> net groupmap add unixgroup=smbadmin ntgroup=Domain Admins
>
> unfortunately it just says:
>
> svpdc:~# net groupmap add unixgroup=smbadmin ntgroup=Domain Admins
> Usage: net groupmap add {rid=int|sid=string} unixgroup=string [type=domain|local|builtin] [ntgroup=string] [comment=string]

give it a rid or SID.

cheers, jerry
--
Hewlett-Packard- http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
You can never go home again, Oatman, but I guess you can shop there.
--John Cusack - Grosse Point Blank (1997)
Re: [Samba] net groupmap question
Hi ..

Thanks! It works now. However, I still get lots of the following in logs (which is why I'm worrying about groupmaps in the first place):

[2003/06/16 10:04:35, 0] rpc_server/srv_util.c:get_domain_user_groups(347)
  get_domain_user_groups: primary gid of user [root] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that

What do these mean?

Another silly question, if anyone is patient enough to answer it, what's the use of groupmaps? When would one need them?

Many thanks ..

--- John H Terpstra [EMAIL PROTECTED] wrote:
> On Sun, 15 Jun 2003, Sameer Zeidat wrote:
> > Hi ..
> > Can anyone help with this: Samba-3.0.0beta1 running in a stand-alone mode, tdbsam backend, no idmap options set. When I add a group map using net groupmap between unix:root and nt:Domain Admins, I get a successful status message. Yet when I do net groupmap list, all groups still point to -- -1 !!
> > Am I missing something here??
>
> Did you do it this way?
>
> net groupmap modify ntgroup=Domain Users unixgroup=users
>
> Note the word modify above. This one bit me hard too. :)
>
> - John T.
> --
> John H Terpstra Email: [EMAIL PROTECTED]
Re: [Samba] net groupmap question
On Mon, 16 Jun 2003, Sameer Zeidat wrote:
> Hi ..
> Thanks! It works now. However, I still get lots of the following in logs (which is why I'm worrying about groupmaps in the first place):
>
> [2003/06/16 10:04:35, 0] rpc_server/srv_util.c:get_domain_user_groups(347)
>   get_domain_user_groups: primary gid of user [root] is not a Domain group !
>   get_domain_user_groups: You should fix it, NT doesn't like that
>
> What do these mean?

You need to map the primary gid of your users to be Domain Users or some other Domain group.

ie: If your users all have primary group 100 == users (unix) then:

net groupmap modify ntgroup=Domain Users unixgroup=users

This should get rid of the warning messages.

> Another silly question, if anyone is patient enough to answer it, what's the use of groupmaps? When would one need them?

To map NTgroups to Unix groups. Mostly done so you can set file system permissions.

- John T.

> Many thanks ..
>
> --- John H Terpstra [EMAIL PROTECTED] wrote:
> > On Sun, 15 Jun 2003, Sameer Zeidat wrote:
> > > Hi ..
> > > Can anyone help with this: Samba-3.0.0beta1 running in a stand-alone mode, tdbsam backend, no idmap options set. When I add a group map using net groupmap between unix:root and nt:Domain Admins, I get a successful status message. Yet when I do net groupmap list, all groups still point to -- -1 !!
> > > Am I missing something here??
> >
> > Did you do it this way?
> >
> > net groupmap modify ntgroup=Domain Users unixgroup=users
> >
> > Note the word modify above. This one bit me hard too. :)
> >
> > - John T.
> > --
> > John H Terpstra Email: [EMAIL PROTECTED]

--
John H Terpstra Email: [EMAIL PROTECTED]
Re: [Samba] net groupmap question
Hi ..

Can you give more details regarding groupmaps usage. The only difference that I've noticed after doing the mapping is the names of groups in windows security settings boxes. For example, instead of 'users' it's now showing 'Domain Users', instead of 'root' it's now showing 'Domain Admins'. Is it just this beautification effect?! Underlying, the acl entries (if acl is enabled) or regular file modes are applied in the same manner regardless if mapping is done or not.

Things I'm wondering about:
- Do groupmaps have any effect on samba if 'domain logons' (PDC) is on?
- Do groupmaps and idmaps relate (functionally) to each other in any manner?

Many Thanks ..

--- John H Terpstra [EMAIL PROTECTED] wrote:
> On Mon, 16 Jun 2003, Sameer Zeidat wrote:
> > Hi ..
> > Thanks! It works now. However, I still get lots of the following in logs (which is why I'm worrying about groupmaps in the first place):
> >
> > [2003/06/16 10:04:35, 0] rpc_server/srv_util.c:get_domain_user_groups(347)
> >   get_domain_user_groups: primary gid of user [root] is not a Domain group !
> >   get_domain_user_groups: You should fix it, NT doesn't like that
> >
> > What do these mean?
>
> You need to map the primary gid of your users to be Domain Users or some other Domain group.
>
> ie: If your users all have primary group 100 == users (unix) then:
>
> net groupmap modify ntgroup=Domain Users unixgroup=users
>
> This should get rid of the warning messages.
>
> > Another silly question, if anyone is patient enough to answer it, what's the use of groupmaps? When would one need them?
>
> To map NTgroups to Unix groups. Mostly done so you can set file system permissions.
>
> - John T.
>
> > Many thanks ..
> >
> > --- John H Terpstra [EMAIL PROTECTED] wrote:
> > > On Sun, 15 Jun 2003, Sameer Zeidat wrote:
> > > > Hi ..
> > > > Can anyone help with this: Samba-3.0.0beta1 running in a stand-alone mode, tdbsam backend, no idmap options set. When I add a group map using net groupmap between unix:root and nt:Domain Admins, I get a successful status message. Yet when I do net groupmap list, all groups still point to -- -1 !!
> > > > Am I missing something here??
> > >
> > > Did you do it this way?
> > >
> > > net groupmap modify ntgroup=Domain Users unixgroup=users
> > >
> > > Note the word modify above. This one bit me hard too. :)
> > >
> > > - John T.
> > > --
> > > John H Terpstra Email: [EMAIL PROTECTED]
>
> --
> John H Terpstra Email: [EMAIL PROTECTED]
Re: [Samba] net groupmap question
Sameer,

Sorry, further information needs to wait until current work in this area is complete. This stuff will be much better documented in the HOWTO Collection before samba-3.0.0 ships.

- John T.

On Mon, 16 Jun 2003, Sameer Zeidat wrote:
> Hi ..
>
> Can you give more details regarding groupmaps usage. The only difference that I've noticed after doing the mapping is the names of groups in windows security settings boxes. For example, instead of 'users' it's now showing 'Domain Users', instead of 'root' it's now showing 'Domain Admins'. Is it just this beautification effect?! Underlying, the acl entries (if acl is enabled) or regular file modes are applied in the same manner regardless if mapping is done or not.
>
> Things I'm wondering about:
> - Do groupmaps have any effect on samba if 'domain logons' (PDC) is on?
> - Do groupmaps and idmaps relate (functionally) to each other in any manner?
>
> Many Thanks ..
>
> --- John H Terpstra [EMAIL PROTECTED] wrote:
> > On Mon, 16 Jun 2003, Sameer Zeidat wrote:
> > > Hi ..
> > > Thanks! It works now. However, I still get lots of the following in logs (which is why I'm worrying about groupmaps in the first place):
> > >
> > > [2003/06/16 10:04:35, 0] rpc_server/srv_util.c:get_domain_user_groups(347)
> > >   get_domain_user_groups: primary gid of user [root] is not a Domain group !
> > >   get_domain_user_groups: You should fix it, NT doesn't like that
> > >
> > > What do these mean?
> >
> > You need to map the primary gid of your users to be Domain Users or some other Domain group.
> >
> > ie: If your users all have primary group 100 == users (unix) then:
> >
> > net groupmap modify ntgroup=Domain Users unixgroup=users
> >
> > This should get rid of the warning messages.
> >
> > > Another silly question, if anyone is patient enough to answer it, what's the use of groupmaps? When would one need them?
> >
> > To map NTgroups to Unix groups. Mostly done so you can set file system permissions.
> >
> > - John T.
> >
> > > Many thanks ..
> > >
> > > --- John H Terpstra [EMAIL PROTECTED] wrote:
> > > > On Sun, 15 Jun 2003, Sameer Zeidat wrote:
> > > > > Hi ..
> > > > > Can anyone help with this: Samba-3.0.0beta1 running in a stand-alone mode, tdbsam backend, no idmap options set. When I add a group map using net groupmap between unix:root and nt:Domain Admins, I get a successful status message. Yet when I do net groupmap list, all groups still point to -- -1 !!
> > > > > Am I missing something here??
> > > >
> > > > Did you do it this way?
> > > >
> > > > net groupmap modify ntgroup=Domain Users unixgroup=users
> > > >
> > > > Note the word modify above. This one bit me hard too. :)
> > > >
> > > > - John T.
> > > > --
> > > > John H Terpstra Email: [EMAIL PROTECTED]
> >
> > --
> > John H Terpstra Email: [EMAIL PROTECTED]

--
John H Terpstra Email: [EMAIL PROTECTED]
[Samba] net groupmap question
Hi ..

Can anyone help with this: Samba-3.0.0beta1 running in a stand-alone mode, tdbsam backend, no idmap options set. When I add a group map using net groupmap between unix:root and nt:Domain Admins, I get a successful status message. Yet when I do net groupmap list, all groups still point to -- -1 !!

Am I missing something here??

TIA,
Re: [Samba] net groupmap question
On Sun, 15 Jun 2003, Sameer Zeidat wrote:
> Hi ..
> Can anyone help with this: Samba-3.0.0beta1 running in a stand-alone mode, tdbsam backend, no idmap options set. When I add a group map using net groupmap between unix:root and nt:Domain Admins, I get a successful status message. Yet when I do net groupmap list, all groups still point to -- -1 !!
> Am I missing something here??

Did you do it this way?

net groupmap modify ntgroup=Domain Users unixgroup=users

Note the word modify above. This one bit me hard too. :)

- John T.
--
John H Terpstra Email: [EMAIL PROTECTED]
[Samba] net groupmap syntax ?!?
hello,

trying to follow the example in the howto-collection.
this is a samba 3.0beta-1 from debian, recompiled with ldapsam support

referring to the howto, the following command should work:

net groupmap add unixgroup=smbadmin ntgroup=Domain Admins

unfortunately it just says:

svpdc:~# net groupmap add unixgroup=smbadmin ntgroup=Domain Admins
Usage: net groupmap add {rid=int|sid=string} unixgroup=string [type=domain|local|builtin] [ntgroup=string] [comment=string]

what am i doing wrong here ?!?

smbadmin is in ldap as a posixGroup:

svpdc:~# getent group smbadmin
smbadmin:x:1008:

thanks a lot

Holger
Re: [Samba] net groupmap syntax ?!?
another strange thing

i only get a listing of the builtin groups if i define smbpasswd as the first backend in smb.conf:

passdb backend = smbpasswd ldapsam tdbsam guest

svpdc:/etc/samba# net groupmap list
System Operators (S-1-5-32-549) - -1
smbadmin (S-1-5-21-3839733233-2759951301-2176690758-3036) - smbadmin
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
..

passdb backend = ldapsam tdbsam smbpasswd guest

svpdc:/etc/samba# net groupmap list
svpdc:/etc/samba#

?!? ;)

Holger

On Tue, 2003-06-10 at 19:01, Holger Brückner wrote:
> hello,
>
> trying to follow the example in the howto-collection.
> this is a samba 3.0beta-1 from debian, recompiled with ldapsam support
>
> referring to the howto, the following command should work:
>
> net groupmap add unixgroup=smbadmin ntgroup=Domain Admins
>
> unfortunately it just says:
>
> svpdc:~# net groupmap add unixgroup=smbadmin ntgroup=Domain Admins
> Usage: net groupmap add {rid=int|sid=string} unixgroup=string [type=domain|local|builtin] [ntgroup=string] [comment=string]
>
> what am i doing wrong here ?!?
>
> smbadmin is in ldap as a posixGroup:
>
> svpdc:~# getent group smbadmin
> smbadmin:x:1008:
>
> thanks a lot
>
> Holger