Re: [Samba] Having problems with Samba and openLDAP Groups
On Wed, Jun 3, 2009 at 9:47 PM, Liutauras Adomaitis liutauras.adomai...@gmail.com wrote: On Thu, May 28, 2009 at 11:59 PM, Matt Burkhardt m...@imparisystems.com wrote: On Thu, 2009-05-28 at 23:29 +0300, Liutauras Adomaitis wrote: On Thu, May 28, 2009 at 3:53 PM, Matt Burkhardt m...@imparisystems.com wrote: Thanks for the help! I appreciate you taking the time! On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote: [2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616) user 'mlb' (from session setup) not permitted to access this share (Staff) [2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106) error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED i guess your user mib is not in group @Staff. What do you get with commands: smbldap-tools works only with ldap, it doesn't mean system sees those users. id mib getent passwd | grep mib getent group | grep -i staff id mlb uid=1000(mlb) gid=1000(mlb) groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain Users),1014(Staff) getent passwd | grep mlb mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash mlb:x:1009:544:mlb:/home/mlb:/bin/bash mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false getent group | grep -i Staff staff:x:50: Staff:x:1012:alex,mlb Staff:*:1014:mlb,alex You have 3 groups Staff and 2 users mib. This confuses me a bit. It may be your problem. I think you should have only one user mib. You should also make sure you have 1 group Staff. Check your net groupmap list to see how does Staff group maps to windows group. Liutauras Those are deleted entries - they don't show up in either the webmin module or phpldapadmin. Here's the results from the net groupmap list Domain Admins (S-1-5-21-3529111891-2609867799-3129462049-512) - Domain Admins Domain Users (S-1-5-21-3529111891-2609867799-3129462049-513) - Domain Users Domain Guests (S-1-5-21-3529111891-2609867799-3129462049-514) - Domain Guests Domain Computers (S-1-5-21-3529111891-2609867799-3129462049-515) - Domain Computers Administrators (S-1-5-32-544) - Administrators Account Operators (S-1-5-32-548) - Account Operators Print Operators (S-1-5-32-550) - Print Operators Backup Operators (S-1-5-32-551) - Backup Operators Replicators (S-1-5-32-552) - Replicators Staff (S-1-5-21-3529111891-2609867799-3129462049-3029) - Staff Hi, have you solved your problem? I've been busy a bit. You groupmap list looks nice, but I still think there is something to dig arround group membership. Some more things to check, if you didn't do that already: - smbldap-groupshow Staff - this should give an idea of gidNumber and SID of Staff group in ldap - do you run nscd? I had a lot of problems with it and ldap authentication. Samba Docs even say, that this is not supported if I remmeber correctly. nscd could be responsible of showing groups that are already deleted. - have tried using other group, like Domain Users. If it works with other group then it is problem with your group Staff. Liutauras PS one more thing to do nss_updatedb ldap group staff - this should refresh group memberships. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Having problems with Samba and openLDAP Groups
On Thu, May 28, 2009 at 11:59 PM, Matt Burkhardt m...@imparisystems.com wrote: On Thu, 2009-05-28 at 23:29 +0300, Liutauras Adomaitis wrote: On Thu, May 28, 2009 at 3:53 PM, Matt Burkhardt m...@imparisystems.com wrote: Thanks for the help! I appreciate you taking the time! On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote: [2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616) user 'mlb' (from session setup) not permitted to access this share (Staff) [2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106) error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED i guess your user mib is not in group @Staff. What do you get with commands: smbldap-tools works only with ldap, it doesn't mean system sees those users. id mib getent passwd | grep mib getent group | grep -i staff id mlb uid=1000(mlb) gid=1000(mlb) groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain Users),1014(Staff) getent passwd | grep mlb mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash mlb:x:1009:544:mlb:/home/mlb:/bin/bash mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false getent group | grep -i Staff staff:x:50: Staff:x:1012:alex,mlb Staff:*:1014:mlb,alex You have 3 groups Staff and 2 users mib. This confuses me a bit. It may be your problem. I think you should have only one user mib. You should also make sure you have 1 group Staff. Check your net groupmap list to see how does Staff group maps to windows group. Liutauras Those are deleted entries - they don't show up in either the webmin module or phpldapadmin. Here's the results from the net groupmap list Domain Admins (S-1-5-21-3529111891-2609867799-3129462049-512) - Domain Admins Domain Users (S-1-5-21-3529111891-2609867799-3129462049-513) - Domain Users Domain Guests (S-1-5-21-3529111891-2609867799-3129462049-514) - Domain Guests Domain Computers (S-1-5-21-3529111891-2609867799-3129462049-515) - Domain Computers Administrators (S-1-5-32-544) - Administrators Account Operators (S-1-5-32-548) - Account Operators Print Operators (S-1-5-32-550) - Print Operators Backup Operators (S-1-5-32-551) - Backup Operators Replicators (S-1-5-32-552) - Replicators Staff (S-1-5-21-3529111891-2609867799-3129462049-3029) - Staff Hi, have you solved your problem? I've been busy a bit. You groupmap list looks nice, but I still think there is something to dig arround group membership. Some more things to check, if you didn't do that already: - smbldap-groupshow Staff - this should give an idea of gidNumber and SID of Staff group in ldap - do you run nscd? I had a lot of problems with it and ldap authentication. Samba Docs even say, that this is not supported if I remmeber correctly. nscd could be responsible of showing groups that are already deleted. - have tried using other group, like Domain Users. If it works with other group then it is problem with your group Staff. Liutauras -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Having problems with Samba and openLDAP Groups
Thanks for the help! I appreciate you taking the time! On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote: [2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616) user 'mlb' (from session setup) not permitted to access this share (Staff) [2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106) error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED i guess your user mib is not in group @Staff. What do you get with commands: smbldap-tools works only with ldap, it doesn't mean system sees those users. id mib getent passwd | grep mib getent group | grep -i staff id mlb uid=1000(mlb) gid=1000(mlb) groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain Users),1014(Staff) getent passwd | grep mlb mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash mlb:x:1009:544:mlb:/home/mlb:/bin/bash mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false getent group | grep -i Staff staff:x:50: Staff:x:1012:alex,mlb Staff:*:1014:mlb,alex Run testparm - it will show some errors you have in your smb.conf file. Also run testparm command, it will show you some errors in your smb.conf file you have. testparm Load smb config files from /etc/samba/smb.conf Processing section [homes] Processing section [netlogon] Processing section [profiles] Processing section [printers] Processing section [print$] Processing section [bigdrive] Processing section [Business] Processing section [Editors] Processing section [Members] Processing section [Staff] WARNING: The only user option is deprecated Processing section [tmp] Loaded services file OK. Server role: ROLE_DOMAIN_PDC -- Matt Burkhardt, M.Sci. Technology Management m...@imparisystems.com (301) 682-7901 502 Fairview Avenue Frederick, MD 21701 http://www.imparisystems.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Having problems with Samba and openLDAP Groups
[2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616) user 'mlb' (from session setup) not permitted to access this share (Staff) [2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106) error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED i guess your user mib is not in group @Staff. What do you get with commands: smbldap-tools works only with ldap, it doesn't mean system sees those users. id mib getent passwd | grep mib getent group | grep -i staff Run testparm - it will show some errors you have in your smb.conf file. Also run testparm command, it will show you some errors in your smb.conf file you have. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba