Re: [Samba] Samba PDC group list empty

2012-12-03 Thread Andrej Šimko
 I put all of your indexes in my conf, but nothing changed:

ls -l *bdb
-rw--- 1 openldap openldap  61440 Dec  3 14:22 cn.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 dc.bdb
-rw--- 1 openldap openldap  28672 Dec  3 14:22 displayName.bdb
-rw--- 1 openldap openldap  40960 Dec  3 12:29 dn2id.bdb
-rw--- 1 openldap openldap   8192 Nov 22 10:42 entryCSN.bdb
-rw--- 1 openldap openldap   8192 Nov 22 10:42 entryUUID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 gidNumber.bdb
-rw--- 1 openldap openldap  36864 Dec  3 14:22 givenName.bdb
-rw--- 1 openldap openldap 294912 Dec  3 13:10 id2entry.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 loginShell.bdb
-rw--- 1 openldap openldap  45056 Dec  3 14:22 mail.bdb
-rw--- 1 openldap openldap  69632 Dec  3 14:22 memberUid.bdb
-rw--- 1 openldap openldap  36864 Dec  3 14:22 objectClass.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 ou.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaDomainName.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaGroupType.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaSID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaSIDList.bdb
-rw--- 1 openldap openldap  40960 Dec  3 14:22 sn.bdb
-rw--- 1 openldap openldap  45056 Dec  3 14:22 uid.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 uidNumber.bdb
-rw--- 1 openldap openldap   8192 Nov 20 17:03 uniqueMember.bdb


Any other suggestion?


On Fri, Nov 30, 2012 at 6:16 PM, Harry Jede walk2...@arcor.de wrote:

 On Thursday, 29 November 2012 you wrote:
  I still don't understand why the LDAP search filter generated by Samba (I
  have this from the Samba log) cannot find anything in the database:
  smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter =
  [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-
  21-2390795950-2727105968-4008069955*))],scope = [2], pagesize =
  [1024] [2012/11/29 18:15:14.227560,  3]
  lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged:
  search was successful
  [2012/11/29 18:15:14.227647,  3]
  rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context:
  destroying talloc pool of size 0
 
  If I remove sambaSID and try to find it in ldap, I will get all my
  groups. Filter =
  (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))
 
  Is this normal behavior, or could my LDAP configuration be incorrect?
 That's not normal.

 What indexes have you set?
 # ldapsearch -LLLY external -H ldapi:/// -b cn=config (objectclass=*) olcDBIndex

 These are my indexes:
 dn: olcDatabase={1}hdb,cn=config
 olcDbIndex: objectClass eq
 olcDbIndex: uidNumber eq
 olcDbIndex: gidNumber eq
 olcDbIndex: loginShell eq
 olcDbIndex: uid eq,pres,sub
 olcDbIndex: memberUid eq,pres,sub
 olcDbIndex: uniqueMember eq,pres
 olcDbIndex: sambaSID eq
 olcDbIndex: sambaPrimaryGroupSID eq
 olcDbIndex: sambaGroupType eq
 olcDbIndex: sambaSIDList eq
 olcDbIndex: sambaDomainName eq
 olcDbIndex: displayName eq,sub
 olcDbIndex: givenName eq,sub
 olcDbIndex: mail eq,sub
 olcDbIndex: dhcpHWAddress eq
 olcDbIndex: dhcpClassData eq
 olcDbIndex: cn eq,pres,sub
 olcDbIndex: sn eq,pres,sub
 olcDbIndex: ou eq
 olcDbIndex: dc eq
 olcDbIndex: default sub

 And this shows the files:
 # cd /var/lib/ldap/
 # ls -l *bdb
 -rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
 -rw--- 1 openldap openldap  8192  1. Jan 2012  dc.bdb
 -rw--- 1 openldap openldap  8192 18. Nov 15:49 dhcpHWAddress.bdb
 -rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
 -rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
 -rw--- 1 openldap openldap  8192 23. Aug 10:08 gidNumber.bdb
 -rw--- 1 openldap openldap  8192  1. Jun 21:57 givenName.bdb
 -rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
 -rw--- 1 openldap openldap  8192 23. Aug 10:08 loginShell.bdb
 -rw--- 1 openldap openldap  8192  1. Jun 21:57 mail.bdb
 -rw--- 1 openldap openldap  8192  1. Jun 2012  memberUid.bdb
 -rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
 -rw--- 1 openldap openldap  8192  1. Jun 19:57 ou.bdb
 -rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaDomainName.bdb
 -rw--- 1 openldap openldap  8192 10. Mai 2012  sambaGroupType.bdb
 -rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
 -rw--- 1 openldap openldap  8192 23. Aug 10:08 sambaSID.bdb
 -rw--- 1 openldap openldap  8192 27. Nov 22:54 sambaSIDList.bdb
 -rw--- 1 openldap openldap  8192  1. Jun 21:57 sn.bdb
 -rw--- 1 openldap openldap  8192 23. Aug 10:08 uid.bdb
 -rw--- 1 openldap openldap  8192 23. Aug 10:08 uidNumber.bdb
 -rw--- 1 openldap openldap  8192  1. Jan 2012  uniqueMember.bdb
 root@capella:/var/lib/ldap#

 --

 Regards
 Harry Jede
 --
 To unsubscribe from this list go to the following URL and read the
 instructions: 

Re: [Samba] Samba PDC group list empty

2012-11-30 Thread Harry Jede
On Thursday, 29 November 2012 you wrote:
 I still don't understand why the LDAP search filter generated by Samba (I
 have this from the Samba log) cannot find anything in the database:
 smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter =
 [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-
 21-2390795950-2727105968-4008069955*))],scope = [2], pagesize =
 [1024] [2012/11/29 18:15:14.227560,  3]
 lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged:
 search was successful
 [2012/11/29 18:15:14.227647,  3]
 rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context:
 destroying talloc pool of size 0
 
 If I remove sambaSID and try to find it in ldap, I will get all my
 groups. Filter =
 (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))
 
 Is this normal behavior, or could my LDAP configuration be incorrect?
That's not normal.

What indexes have you set?
# ldapsearch -LLLY external -H ldapi:/// -b cn=config (objectclass=*) olcDBIndex

These are my indexes:
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: displayName eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: mail eq,sub
olcDbIndex: dhcpHWAddress eq
olcDbIndex: dhcpClassData eq
olcDbIndex: cn eq,pres,sub
olcDbIndex: sn eq,pres,sub
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: default sub

And this shows the files:
# cd /var/lib/ldap/
# ls -l *bdb
-rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
-rw--- 1 openldap openldap  8192  1. Jan 2012  dc.bdb
-rw--- 1 openldap openldap  8192 18. Nov 15:49 dhcpHWAddress.bdb
-rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
-rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 gidNumber.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 givenName.bdb
-rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 loginShell.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 mail.bdb
-rw--- 1 openldap openldap  8192  1. Jun 2012  memberUid.bdb
-rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
-rw--- 1 openldap openldap  8192  1. Jun 19:57 ou.bdb
-rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaDomainName.bdb
-rw--- 1 openldap openldap  8192 10. Mai 2012  sambaGroupType.bdb
-rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 sambaSID.bdb
-rw--- 1 openldap openldap  8192 27. Nov 22:54 sambaSIDList.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 sn.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 uid.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 uidNumber.bdb
-rw--- 1 openldap openldap  8192  1. Jan 2012  uniqueMember.bdb
root@capella:/var/lib/ldap# 

-- 

Regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-29 Thread Andrej Šimko
Hello again,

I do not know what

On Tue, Nov 27, 2012 at 9:08 PM, Harry Jede walk2...@arcor.de wrote:

 On 20:15:56 wrote Andrej Šimko:
  net getdomainsid
  SID for local machine HOST is:
  S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
  S-1-5-21-2390795950-2727105968-4008069955
 
  I compared my smb.conf with yours. I have ldap suffix before
   ldap group suffix.
 
  I switched that but result still the same.
 
   ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
  dn: cn=admin,dc=example,dc=sk
 
  tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
 
  ldapsearch -LLLY external -H ldapi:///
  (&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
  =users))) 2>/dev/null
  dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
  objectClass: sambaSidEntry
  objectClass: sambaGroupMapping
  sambaSID: S-1-5-32-545
  sambaGroupType: 4
  displayName: Users
  gidNumber: 1
  sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

 Sorry that I haven't seen this in your mail at 09:07

 This is a working group object:

 # ldapsearch -LLLY external -H ldapi:///
 (&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
 (uid=users)))  2>/dev/null
 dn: cn=users,ou=groups,dc=europa,dc=xx
 objectClass: top
 objectClass: posixGroup
 objectClass: sambaGroupMapping
 gidNumber: 545
 cn: users
 description: Netbios Domain Users
 sambaSID: S-1-5-32-545
 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
 sambaGroupType: 4
 displayName: Users


 The main difference is the objectclass posixGroup instead of
 sambaSidEntry.
 Samba Group Mapping is not a simple task. Your definition with
 objectclass=sambasidentry is not totally wrong, but the intended use is
 that you store your posixgroups in /etc/group or in NIS.
 With an LDAP backend that is not the best approach.


I don't understand what you are trying to say :(
Do you think that if I have all necessary groups in /etc/group or in NIS,
then the Windows computer will find the groups in the domain?


I still don't understand why the LDAP search filter generated by Samba (I have
this from the Samba log) cannot find anything in the database:
  smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter =
[(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
= [2], pagesize = [1024]
[2012/11/29 18:15:14.227560,  3] lib/smbldap.c:1591(smbldap_search_paged)
  smbldap_search_paged: search was successful
[2012/11/29 18:15:14.227647,  3]
rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 0

If I remove sambaSID and try to find it in ldap, I will get all my groups.
Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))

Is this normal behavior, or could my LDAP configuration be incorrect?





 Here are the three standard definitions with objectclass=posixgroup

 ###
 A primary group: posix and windows primary
 members should NOT be stored here

 dn: cn=teachers,ou=groups,dc=europa,dc=xx
 cn: teachers
 objectClass: top
 objectClass: posixGroup
 objectClass: sambaGroupMapping
 gidNumber: 1001
 sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
 sambaGroupType: 2
 displayName: teachers

 # getent group teachers
 teachers:*:1001:

 # net  rpc group members teachers
 # nothing



 ###
 A regular group in posix, a global group in windows
 members are stored in memberUid

 dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
 objectClass: top
 objectClass: posixGroup
 objectClass: sambaGroupMapping
 gidNumber: 512
 cn: DomainAdmins
 memberUid: Administrator
 memberUid: root
 description: Netbios Domain Administrators
 sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
 sambaGroupType: 2
 displayName: Domain Admins

 # getent group domainadmins
 DomainAdmins:*:512:Administrator,root


 # Asking for the Windows name, which is stored in displayName
 # net rpc group members domain admins
 EUROPA\Administrator
 EUROPA\root

 # Asking for the posix name, which is stored in cn
 # net rpc group members domainadmins
 EUROPA\Administrator
 EUROPA\root


 ###
 A windows/samba builtin group
 no posix members
 Windows members must be stored in sambaSIDList. This type of group
 is used in Windows OS (client and/or server)

 # ldapsearch -LLLY external -H ldapi:///
 (&(objectclass=sambaGroupMapping)(cn=administrators))  2>/dev/null
 dn: cn=Administrators,ou=groups,dc=europa,dc=xx
 objectClass: top
 objectClass: posixGroup
 objectClass: sambaGroupMapping
 gidNumber: 544
 cn: Administrators
 description: Netbios Domain Members can fully administer the computer
 sambaSID: S-1-5-32-544
 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
 sambaGroupType: 4
 displayName: Administrators


 # getent group administrators
 Administrators:*:544:

 # net rpc group members administrators
 EUROPA\Domain Admins

 ###
 --

 Regards
 Harry Jede

Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
 Hi this is my listing:
 
 net -U administrator rpc group members Administrators
 Enter administrator's password:
 Couldn't list alias members
Your samba server WILL not list the members of this global group, mostly 
a security issue.

 ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
 (sambaSID=S-1-5-32*))'
 
 ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
 (sambaSID=*))'
 dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
 objectClass: sambaSidEntry
 objectClass: sambaGroupMapping
 sambaSID: S-1-5-32-545
 sambaGroupType: 4
 displayName: Users
 gidNumber: 1
 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
Your LDAP client WILL list the group members.

 Do you know what this means?
The reason is often wrongly configured smbldap-tools. Check the
/etc/smbldap-tools/smbldap.conf file for the wrong SID entry.

   net getdomainsid
   SID for local machine HOST is:
   S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE
   is: S-1-5-21-2390795950-2727105968-4008069955
Your server and your domain have different SIDs, that may be your
problem. Try:
# net setlocalsid S-1-5-21-2390795950-2727105968-4008069955

and restart samba.



 Thanks.

-- 

regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
Please post to the list!!!

 On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede walk2...@arcor.de wrote:
  Hi Simo,
  
   Hi this is my listing:
   
   net -U administrator rpc group members Administrators
   Enter administrator's password:
   Couldn't list alias members
  
  Your samba server WILL not list the members of this global group,
  mostly a security issue.
 
  User administrator has all rights, so I don't think it is a security
  issue. Or do you know some checks that I could try?
 
   ldapsearch -xLLL
   '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
   (sambaSID=S-1-5-32*))'
   
   ldapsearch -xLLL
   '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
   (sambaSID=*))'
   dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
   objectClass: sambaSidEntry
   objectClass: sambaGroupMapping
   sambaSID: S-1-5-32-545
   sambaGroupType: 4
   displayName: Users
   gidNumber: 1
   sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
  
  Your LDAP client WILL list the group members.
  
   Do you know what this means?
  
  The reason is often wrongly configured smbldap-tools. Check the
  /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.
 
  SID in smbldap.conf is:
 SID=S-1-5-21-2390795950-2727105968-4008069955
 
 So that is correct.
 
 net getdomainsid
 SID for local machine HOST is:
 S-1-5-21-2242576961-186067218-2214866780 SID for domain
 EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
  
  Your server and your domain have different SIDs, that may be your
  problem. Try:
  # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955
  
  and restart samba.
 
 Tried that, nothing changed.
Post:
net getdomainsid


Do the following steps (enclosed with ###) in order
###

I compared my smb.conf with yours. I have ldap suffix before
 ldap group suffix.

ldap suffix  = dc=europa,dc=xx
ldap admin dn= cn=admin,dc=europa,dc=xx
ldap group suffix= ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix  = ou=machines,ou=accounts

and I have NOT installed winbindd!

###
Check if you have the groups defined in LDAP and in /etc/group. The
groups should only be in LDAP.

###
Check the admin account in LDAP:

# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx

Check that your ldap admin password is OK.
# tdbdump /var/lib/samba/secrets.tdb

look for:
{
key(45) = SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx
data(12) = ThePassword\00
}



Try to bind with this password:
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -w ThePassword
(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))


Check if root gets the same result:
# ldapsearch -LLLY external -H ldapi:///
(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))  2>/dev/null

###

Finally, search for duplicate names:
# ldapsearch -xLLL (&(objectclass=sambaGroupMapping)(|(cn=users)
(displayname=users)(uid=users)))  dn



You should get one result.
 
   Thanks.
  
  --
  
  regards
  
  Harry Jede
  


-- 

Gruss
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Andrej Šimko
net getdomainsid
SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

I compared my smb.conf with yours. I have ldap suffix before
 ldap group suffix.

I switched that but result still the same.

 ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=example,dc=sk

tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )

ldapsearch -LLLY external -H ldapi:///
(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))
2>/dev/null
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

ldapsearch -xLLL
(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))
dn
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk


I do not see anything bad; I do not have winbindd installed.


On Tue, Nov 27, 2012 at 2:46 PM, Harry Jede walk2...@arcor.de wrote:

 (displayname=users)(uid=users)))  dn



Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
On 20:15:56 wrote Andrej Šimko:
 net getdomainsid
 SID for local machine HOST is:
 S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
 S-1-5-21-2390795950-2727105968-4008069955
 
 I compared my smb.conf with yours. I have ldap suffix before
  ldap group suffix.
 
 I switched that but result still the same.
 
  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
 dn: cn=admin,dc=example,dc=sk
 
 tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
 
 ldapsearch -LLLY external -H ldapi:///
 (&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
 =users))) 2>/dev/null
 dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
 objectClass: sambaSidEntry
 objectClass: sambaGroupMapping
 sambaSID: S-1-5-32-545
 sambaGroupType: 4
 displayName: Users
 gidNumber: 1
 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Sorry that I haven't seen this in your mail at 09:07

This is a working group object:

# ldapsearch -LLLY external -H ldapi:///
(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))  2>/dev/null
dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users


The main difference is the objectclass posixGroup instead of
sambaSidEntry.
Samba Group Mapping is not a simple task. Your definition with 
objectclass=sambasidentry is not totally wrong, but the intended use is 
that you store your posixgroups in /etc/group or in NIS.
With an LDAP backend that is not the best approach.

Here are the three standard definitions with objectclass=posixgroup

###
A primary group: posix and windows primary
members should NOT be stored here

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

# getent group teachers
teachers:*:1001:

# net  rpc group members teachers
# nothing



###
A regular group in posix, a global group in windows
members are stored in memberUid

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

# getent group domainadmins
DomainAdmins:*:512:Administrator,root


# Asking for the Windows name, which is stored in displayName
# net rpc group members domain admins
EUROPA\Administrator
EUROPA\root

# Asking for the posix name, which is stored in cn
# net rpc group members domainadmins
EUROPA\Administrator
EUROPA\root


###
A windows/samba builtin group
no posix members
Windows members must be stored in sambaSIDList. This type of group
is used in Windows OS (client and/or server)

# ldapsearch -LLLY external -H ldapi:///
(&(objectclass=sambaGroupMapping)(cn=administrators))  2>/dev/null
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators


# getent group administrators
Administrators:*:544:

# net rpc group members administrators
EUROPA\Domain Admins

###
-- 

Regards
Harry Jede
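
As an added example that is not part of the thread or of Samba, the Python below applies the filter shape that smbldap_search_paged writes to the log to LDIF entries (a small parser for the &, |, equality and trailing-* subset suffices) and checks each sambaGroupMapping entry against the three layouts above: posixGroup present, type 2 under the domain SID with members in memberUid, type 4 under S-1-5-32 with Windows members in sambaSIDList. The entries and SIDs are constructed from the listings quoted in this thread, and the check rules are my reading of Harry's descriptions, not a rule Samba itself enforces.

```python
"""Added example (not Samba's code): run the smbldap group filter from the log
over LDIF entries and check each group against the three layouts above."""

# Constructed sample, trimmed to the attributes used here: the example.sk
# "users" entry and two working europa.xx groups quoted in this thread.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: DomainAdmins
memberUid: Administrator
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2

dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Administrators
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
"""

# Shape of the filter Samba logs from lib/smbldap.c: (group type, SID prefix).
SMBLDAP_GROUP_FILTER = "(&(objectclass=sambaGroupMapping)(sambaGroupType=%s)(sambaSID=%s*))"


def parse_ldif(text):
    """Parse unwrapped LDIF into dicts: lowercase attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def parse_filter(text, pos=0):
    """Recursive-descent parser for the subset smbldap uses: &, |, = and a trailing *."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            kids.append(node)
        return (op, kids), pos + 1  # skip the closing ')'
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively."""
    if node[0] in "&|":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":  # presence test
        return bool(values)
    if value.endswith("*"):  # initial substring, e.g. sambaSID=S-1-5-21-...*
        return any(v.startswith(value[:-1]) for v in values)
    return value in values  # equality


def search(ldif_text, filter_text):
    """Return the DNs that match, in the order ldapsearch would list them."""
    tree, _ = parse_filter(filter_text)
    return [e["dn"][0] for e in parse_ldif(ldif_text) if matches(tree, e)]


def check_group(entry, domain_sid):
    """List deviations from the standard layouts for one sambaGroupMapping entry."""
    problems = []
    if "posixgroup" not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append("no posixGroup objectClass")
    sid = entry.get("sambasid", [""])[0]
    gtype = entry.get("sambagrouptype", [""])[0]
    if gtype == "2":  # domain group: SID under the domain SID, members in memberUid
        if not sid.startswith(domain_sid + "-"):
            problems.append("domain group SID outside " + domain_sid)
        if "sambasidlist" in entry:
            problems.append("domain group members belong in memberUid")
    elif gtype == "4":  # builtin group: S-1-5-32-*, Windows members in sambaSIDList
        if not sid.startswith("S-1-5-32-"):
            problems.append("builtin group SID not under S-1-5-32")
        foreign = [m for m in entry.get("sambasidlist", []) if not m.startswith(domain_sid + "-")]
        if foreign:
            problems.append("sambaSIDList members outside the domain: " + ",".join(foreign))
    else:
        problems.append("unexpected sambaGroupType %r" % gtype)
    return problems
```

Running the type-2 filter with the example.sk domain SID over the sample returns nothing, because its only group is a type-4 builtin; with the europa.xx SID it returns DomainAdmins.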

Re: [Samba] Samba PDC group list empty

2012-11-26 Thread L . P . H . van Belle
Hi,

The Debian 3.5.6 is buggy; use the 3.6.6 version from backports, which fixed my
problems also.

Louis


 

-Original message-
From: andrej.si...@gmail.com
[mailto:samba-boun...@lists.samba.org] On behalf of Andrej Šimko
Sent: Friday, 23 November 2012 9:11
To: samba@lists.samba.org
Subject: [Samba] Samba PDC group list empty

Dear samba users,

I have a very strange problem. I have a Samba PDC up and running, but one
thing is missing. I cannot see any Domain Groups at all.
Here is my config:

Debian Squeeze:
ii  samba             2:3.5.6~dfsg-3squeeze8  SMB/CIFS file, print, and login server for Unix
ii  samba-common      2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
ii  samba-common-bin  2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
ii  samba-doc         2:3.5.6~dfsg-3squeeze8  Samba documentation

/etc/samba/smb.conf
[global]
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = EXAMPLE
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
syslog = 0
time server = Yes
log file = /var/log/samba/samba.log
log level = 3
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
delete user script = /usr/sbin/smbldap-userdel %u -r %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
domain logons = Yes
os level = 10
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=example,dc=sk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=example,dc=sk
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0644
directory mask = 0700
browseable = No
path = /data/samba/homes

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
read only = No
guest ok = Yes
locking = No
share modes = No

[profiles]
comment = Users profiles
path = /data/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
hide files = /desktop.ini/
browseable = No

/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.

passwd: compat ldap
group:  compat ldap
shadow: compat ldap

hosts:  files dns
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:db files

netgroup:   nis

/etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 127.0.0.1
base dc=example,dc=sk
binddn cn=admin,dc=example,dc=sk
bindpw secret
bind_policy soft
pam_password exop
timelimit 15

nss_base_passwd ou=Users,dc=example,dc=sk
nss_base_shadow ou=Users,dc=example,dc=sk
nss_base_group  ou=Groups,dc=example,dc=sk

net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

net groupmap list
Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators


The strange thing is, if I try on Win XP to search groups, I see in the
logs:
smbldap_search_paged: base = [dc=example,dc=sk], filter =
[(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
= [2], pagesize = [1024]
  smbldap_search_paged: base = [dc=example,dc=sk], filter =

Re: [Samba] Samba PDC group list empty

2012-11-23 Thread Harry Jede
On 18:32:29 wrote Andrej Šimko:
 Dear samba users,
 
 I have a very strange problem. I have a Samba PDC up and running, but
 one thing is missing. I cannot see any Domain Groups at all.

...

 net getdomainsid
 SID for local machine HOST is:
 S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE is:
 S-1-5-21-2390795950-2727105968-4008069955
 
 net groupmap list
 Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
 Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
 Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
 Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
 Administrators (S-1-5-32-544) -> Administrators
 Account Operators (S-1-5-32-548) -> Account Operators
 Print Operators (S-1-5-32-550) -> Print Operators
 Backup Operators (S-1-5-32-551) -> Backup Operators
 Replicators (S-1-5-32-552) -> Replicators
 
 
 The strange thing is, if I try on Win XP to search groups, I see in the
 logs: smbldap_search_paged: base = [dc=example,dc=sk], filter =
 [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-2
 1-2390795950-2727105968-4008069955*))],scope = [2], pagesize =
 [1024]
   smbldap_search_paged: base = [dc=example,dc=sk], filter =
 [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-2
 1-2390795950-2727105968-4008069955*))],scope = [2], pagesize =
 [1024]
   smbldap_search_paged: base = [dc=example,dc=sk], filter =
 [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-3
# net help rpc group 
Usage:
net rpc group
Alias for net rpc group list global local builtin
net rpc group add
Create specified group
net rpc group delete
Delete specified group
net rpc group addmem
Add member to group
net rpc group delmem
Remove member from group
net rpc group list
List groups
net rpc group members
List group members
net rpc group rename
Rename group

# net -U root rpc group members Administrators
EUROPA\Domain Admins


view this output:

# ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
(sambaSID=S-1-5-32*))'
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
memberUid: Administrator
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

dn: cn=guests,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: guests
memberUid: nobody
description: Netbios Domain Guests
sambaSID: S-1-5-32-546
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-514
sambaGroupType: 4
displayName: Guests

dn: cn=AccountOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: AccountOperators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Account Operators

dn: cn=PrintOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: PrintOperators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Print Operators

dn: cn=BackupOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: BackupOperators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Backup Operators

dn: cn=Replicators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replicators


 If I try to search in ldap with that filter, I always get zero
 matches.
 
 I also tried to use wbinfo: wbinfo -u lists all my users, but the wbinfo -g
 list is empty. If I try getent passwd and getent group I see all my
 users and groups.
 Can somebody help me with this?
 
 Thank you!


-- 

Regards
Harry Jede