Re: [Samba] Samba PDC group list empty
I give all of your indexes in my conf but nothing changed: ls -l *bdb -rw--- 1 openldap openldap 61440 Dec 3 14:22 cn.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 dc.bdb -rw--- 1 openldap openldap 28672 Dec 3 14:22 displayName.bdb -rw--- 1 openldap openldap 40960 Dec 3 12:29 dn2id.bdb -rw--- 1 openldap openldap 8192 Nov 22 10:42 entryCSN.bdb -rw--- 1 openldap openldap 8192 Nov 22 10:42 entryUUID.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 gidNumber.bdb -rw--- 1 openldap openldap 36864 Dec 3 14:22 givenName.bdb -rw--- 1 openldap openldap 294912 Dec 3 13:10 id2entry.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 loginShell.bdb -rw--- 1 openldap openldap 45056 Dec 3 14:22 mail.bdb -rw--- 1 openldap openldap 69632 Dec 3 14:22 memberUid.bdb -rw--- 1 openldap openldap 36864 Dec 3 14:22 objectClass.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 ou.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaDomainName.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaGroupType.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaPrimaryGroupSID.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaSID.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaSIDList.bdb -rw--- 1 openldap openldap 40960 Dec 3 14:22 sn.bdb -rw--- 1 openldap openldap 45056 Dec 3 14:22 uid.bdb -rw--- 1 openldap openldap 8192 Dec 3 14:22 uidNumber.bdb -rw--- 1 openldap openldap 8192 Nov 20 17:03 uniqueMember.bdb Any other suggestion? On Fri, Nov 30, 2012 at 6:16 PM, Harry Jede walk2...@arcor.de wrote: Am Donnerstag, 29. November 2012 schrieben Sie: I still dont understand why ldap search filter generated by samba ( i have this from samba log ) cannot find anything in database: smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5- 21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024] [2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged: search was successful [2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 0 If I remove sambaSID and try to find it in ldap, I will get all my groups. Filter = ((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*)) Is this normal behavior or my ldap configuration can be incorrect? That's not normal. What indexes have you set? # ldapsearch -LLLY external -H ldapi:/// -b cn=config (objectclass=*) olcDBIndex This are my indexes: dn: olcDatabase={1}hdb,cn=config olcDbIndex: objectClass eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: displayName eq,sub olcDbIndex: givenName eq,sub olcDbIndex: mail eq,sub olcDbIndex: dhcpHWAddress eq olcDbIndex: dhcpClassData eq olcDbIndex: cn eq,pres,sub olcDbIndex: sn eq,pres,sub olcDbIndex: ou eq olcDbIndex: dc eq olcDbIndex: default sub And this shows the files: # cd /var/lib/ldap/ # ls -l *bdb -rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb -rw--- 1 openldap openldap 8192 1. Jan 2012 dc.bdb -rw--- 1 openldap openldap 8192 18. Nov 15:49 dhcpHWAddress.bdb -rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb -rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 gidNumber.bdb -rw--- 1 openldap openldap 8192 1. Jun 21:57 givenName.bdb -rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 loginShell.bdb -rw--- 1 openldap openldap 8192 1. Jun 21:57 mail.bdb -rw--- 1 openldap openldap 8192 1. Jun 2012 memberUid.bdb -rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb -rw--- 1 openldap openldap 8192 1. Jun 19:57 ou.bdb -rw--- 1 openldap openldap 8192 23. Aug 08:54 sambaDomainName.bdb -rw--- 1 openldap openldap 8192 10. Mai 2012 sambaGroupType.bdb -rw--- 1 openldap openldap 8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 sambaSID.bdb -rw--- 1 openldap openldap 8192 27. Nov 22:54 sambaSIDList.bdb -rw--- 1 openldap openldap 8192 1. Jun 21:57 sn.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 uid.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 uidNumber.bdb -rw--- 1 openldap openldap 8192 1. Jan 2012 uniqueMember.bdb root@capella:/var/lib/ldap# -- Gruss Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions:
Re: [Samba] Samba PDC group list empty
Am Donnerstag, 29. November 2012 schrieben Sie: I still dont understand why ldap search filter generated by samba ( i have this from samba log ) cannot find anything in database: smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5- 21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024] [2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged: search was successful [2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 0 If I remove sambaSID and try to find it in ldap, I will get all my groups. Filter = ((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*)) Is this normal behavior or my ldap configuration can be incorrect? That's not normal. What indexes have you set? # ldapsearch -LLLY external -H ldapi:/// -b cn=config (objectclass=*) olcDBIndex This are my indexes: dn: olcDatabase={1}hdb,cn=config olcDbIndex: objectClass eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: displayName eq,sub olcDbIndex: givenName eq,sub olcDbIndex: mail eq,sub olcDbIndex: dhcpHWAddress eq olcDbIndex: dhcpClassData eq olcDbIndex: cn eq,pres,sub olcDbIndex: sn eq,pres,sub olcDbIndex: ou eq olcDbIndex: dc eq olcDbIndex: default sub And this shows the files: # cd /var/lib/ldap/ # ls -l *bdb -rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb -rw--- 1 openldap openldap 8192 1. Jan 2012 dc.bdb -rw--- 1 openldap openldap 8192 18. Nov 15:49 dhcpHWAddress.bdb -rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb -rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 gidNumber.bdb -rw--- 1 openldap openldap 8192 1. Jun 21:57 givenName.bdb -rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 loginShell.bdb -rw--- 1 openldap openldap 8192 1. Jun 21:57 mail.bdb -rw--- 1 openldap openldap 8192 1. Jun 2012 memberUid.bdb -rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb -rw--- 1 openldap openldap 8192 1. Jun 19:57 ou.bdb -rw--- 1 openldap openldap 8192 23. Aug 08:54 sambaDomainName.bdb -rw--- 1 openldap openldap 8192 10. Mai 2012 sambaGroupType.bdb -rw--- 1 openldap openldap 8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 sambaSID.bdb -rw--- 1 openldap openldap 8192 27. Nov 22:54 sambaSIDList.bdb -rw--- 1 openldap openldap 8192 1. Jun 21:57 sn.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 uid.bdb -rw--- 1 openldap openldap 8192 23. Aug 10:08 uidNumber.bdb -rw--- 1 openldap openldap 8192 1. Jan 2012 uniqueMember.bdb root@capella:/var/lib/ldap# -- Gruss Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba PDC group list empty
Hello again, I do not know what On Tue, Nov 27, 2012 at 9:08 PM, Harry Jede walk2...@arcor.de wrote: On 20:15:56 wrote Andrej Šimko: net getdomainsid SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955 I compared my smb.conf with yours. I have ldap suffix before ldap group suffix. I switched that but result still the same. ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2/dev/null dn: cn=admin,dc=example,dc=sk tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too ) ldapsearch -LLLY external -H ldapi:/// ((objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid =users))) 2/dev/null dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk objectClass: sambaSidEntry objectClass: sambaGroupMapping sambaSID: S-1-5-32-545 sambaGroupType: 4 displayName: Users gidNumber: 1 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513 Sorry, that I haven't seen this in your mail at 09:07 This is a working group object: # ldapsearch -LLLY external -H ldapi:/// ((objectclass=sambaGroupMapping)(|(cn=users)(displayname=users) (uid=users))) 2/dev/null dn: cn=users,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 545 cn: users description: Netbios Domain Users sambaSID: S-1-5-32-545 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513 sambaGroupType: 4 displayName: Users The main difference ist the objectclass posixGroup instead of sambaSidEntry. Samba Group Mapping is not a simple task. Your definition with objectclass=sambasidentry is not totally wrong, but the intended use is that you store your posixgroups in /etc/group or in NIS. With an LDAP backend that is not the best approach. I dont understand what are you trying to say :( Do you think that if I have all necessary groups in /etc/group or in NIS, than the windows computer will find grups in domain? I still dont understand why ldap search filter generated by samba ( i have this from samba log ) cannot find anything in database: smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024] [2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged: search was successful [2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 0 If I remove sambaSID and try to find it in ldap, I will get all my groups. Filter = ((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*)) Is this normal behavior or my ldap configuration can be incorrect? Here the three standard definitions with objectclass=posixgroup ### A primary group: posix and windows primary members should NOT stored here dn: cn=teachers,ou=groups,dc=europa,dc=xx cn: teachers objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 1001 sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003 sambaGroupType: 2 displayName: teachers # getent group teachers teachers:*:1001: # net rpc group members teachers # nothing ### A regular group in posix, a global group in windows members are stored in memberUid dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 512 cn: DomainAdmins memberUid: Administrator memberUid: root description: Netbios Domain Administrators sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512 sambaGroupType: 2 displayName: Domain Admins # getent group domainadmins DomainAdmins:*:512:Administrator,root # Asking for the Windows name, which is stored in displayName # net rpc group members domain admins EUROPA\Administrator EUROPA\root # Asking for the posix name, which is stored in cn # net rpc group members domainadmins EUROPA\Administrator EUROPA\root ### A windows/samba builtin group no posix members Windows members must be stored in sambaSIDList. These type of groups will be used in Windows OS (client and/or server) # ldapsearch -LLLY external -H ldapi:/// ((objectclass=sambaGroupMapping)(cn=administrators)) 2/dev/null dn: cn=Administrators,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 544 cn: Administrators description: Netbios Domain Members can fully administer the computer sambaSID: S-1-5-32-544 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512 sambaGroupType: 4 displayName: Administrators # getent group administrators Administrators:*:544: # net rpc group members administrators EUROPA\Domain Admins ### -- Gruss Harry Jede -- To unsubscribe from this list go to the following URL and read the
Re: [Samba] Samba PDC group list empty
Hi Simo, Hi this is my listing: net -U administrator rpc group members Administrators Enter administrator's password: Couldn't list alias members Your samba server WILL not list the members of this global group, mostly a security issue. ldapsearch -xLLL '((objectclass=sambaGroupMapping)(sambaGroupType=4) (sambaSID=S-1-5-32*))' ldapsearch -xLLL '((objectclass=sambaGroupMapping)(sambaGroupType=4) (sambaSID=*))' dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk objectClass: sambaSidEntry objectClass: sambaGroupMapping sambaSID: S-1-5-32-545 sambaGroupType: 4 displayName: Users gidNumber: 1 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513 Your LDAP client WILL list the group members. Do you know what does this mean? The reason is often wrong configured smbldap-tools. Check the /etc/smbldap-tools/smbldap.conf file for the wrong SID entry. net getdomainsid SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955 Your server and your domain have different SIDs, that may be is yor problem. Try: # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955 and restart samba. Thanks. -- regards Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba PDC group list empty
Hi Simo, please post to the list !!! On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede walk2...@arcor.de wrote: Hi Simo, Hi this is my listing: net -U administrator rpc group members Administrators Enter administrator's password: Couldn't list alias members Your samba server WILL not list the members of this global group, mostly a security issue. User administrator has all rights, so I dont think it is a security issue. Or do you know some checks that I could try? ldapsearch -xLLL '((objectclass=sambaGroupMapping)(sambaGroupType=4) (sambaSID=S-1-5-32*))' ldapsearch -xLLL '((objectclass=sambaGroupMapping)(sambaGroupType=4) (sambaSID=*))' dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk objectClass: sambaSidEntry objectClass: sambaGroupMapping sambaSID: S-1-5-32-545 sambaGroupType: 4 displayName: Users gidNumber: 1 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513 Your LDAP client WILL list the group members. Do you know what does this mean? The reason is often wrong configured smbldap-tools. Check the /etc/smbldap-tools/smbldap.conf file for the wrong SID entry. SID in smbldap.conf is: SID=S-1-5-21-2390795950-2727105968-4008069955 So that is correct. net getdomainsid SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955 Your server and your domain have different SIDs, that may be is yor problem. Try: # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955 and restart samba. Tried that, nothing changed. Post: net getdomainsid Do the following steps (enclosed with ###) in order ### I compared my smb.conf with yours. I have ldap suffix before ldap group suffix. ldap suffix = dc=europa,dc=xx ldap admin dn= cn=admin,dc=europa,dc=xx ldap group suffix= ou=groups ldap user suffix = ou=people,ou=accounts ldap machine suffix = ou=machines,ou=accounts and I have NOT installed winbindd! ### Check if you have the groups defined in LDAP and in /etc/groups. The groups should only be in LDAP. ### check the admin account in ldap: # ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2/dev/null dn: cn=admin,dc=europa,dc=xx Check that your ldap admin password is OK. # tdbdump /var/lib/samba/secrets.tdb look for: { key(45) = SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx data(12) = ThePassword\00 } Try to bind with this password: # ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -w ThePassword ((objectclass=sambaGroupMapping)(|(cn=users)(displayname=users) (uid=users))) Check if root get the same result: # ldapsearch -LLLY external -H ldapi:/// ((objectclass=sambaGroupMapping)(|(cn=users)(displayname=users) (uid=users))) 2/dev/null ### at last, search for duplicate names: # ldapsearch -xLLL ((objectclass=sambaGroupMapping)(|(cn=users) (displayname=users)(uid=users))) dn You should get one result. Thanks. -- regards Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- Gruss Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba PDC group list empty
net getdomainsid SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955 I compared my smb.conf with yours. I have ldap suffix before ldap group suffix. I switched that but result still the same. ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2/dev/null dn: cn=admin,dc=example,dc=sk tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too ) ldapsearch -LLLY external -H ldapi:/// ((objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users))) 2/dev/null dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk objectClass: sambaSidEntry objectClass: sambaGroupMapping sambaSID: S-1-5-32-545 sambaGroupType: 4 displayName: Users gidNumber: 1 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513 ldapsearch -xLLL ((objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users))) dn dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk I do not see anything bad, I do not have installed windbindd On Tue, Nov 27, 2012 at 2:46 PM, Harry Jede walk2...@arcor.de wrote: (displayname=users)(uid=users))) dn -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba PDC group list empty
On 20:15:56 wrote Andrej Šimko: net getdomainsid SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955 I compared my smb.conf with yours. I have ldap suffix before ldap group suffix. I switched that but result still the same. ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2/dev/null dn: cn=admin,dc=example,dc=sk tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too ) ldapsearch -LLLY external -H ldapi:/// ((objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid =users))) 2/dev/null dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk objectClass: sambaSidEntry objectClass: sambaGroupMapping sambaSID: S-1-5-32-545 sambaGroupType: 4 displayName: Users gidNumber: 1 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513 Sorry, that I haven't seen this in your mail at 09:07 This is a working group object: # ldapsearch -LLLY external -H ldapi:/// ((objectclass=sambaGroupMapping)(|(cn=users)(displayname=users) (uid=users))) 2/dev/null dn: cn=users,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 545 cn: users description: Netbios Domain Users sambaSID: S-1-5-32-545 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513 sambaGroupType: 4 displayName: Users The main difference ist the objectclass posixGroup instead of sambaSidEntry. Samba Group Mapping is not a simple task. Your definition with objectclass=sambasidentry is not totally wrong, but the intended use is that you store your posixgroups in /etc/group or in NIS. With an LDAP backend that is not the best approach. Here the three standard definitions with objectclass=posixgroup ### A primary group: posix and windows primary members should NOT stored here dn: cn=teachers,ou=groups,dc=europa,dc=xx cn: teachers objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 1001 sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003 sambaGroupType: 2 displayName: teachers # getent group teachers teachers:*:1001: # net rpc group members teachers # nothing ### A regular group in posix, a global group in windows members are stored in memberUid dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 512 cn: DomainAdmins memberUid: Administrator memberUid: root description: Netbios Domain Administrators sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512 sambaGroupType: 2 displayName: Domain Admins # getent group domainadmins DomainAdmins:*:512:Administrator,root # Asking for the Windows name, which is stored in displayName # net rpc group members domain admins EUROPA\Administrator EUROPA\root # Asking for the posix name, which is stored in cn # net rpc group members domainadmins EUROPA\Administrator EUROPA\root ### A windows/samba builtin group no posix members Windows members must be stored in sambaSIDList. These type of groups will be used in Windows OS (client and/or server) # ldapsearch -LLLY external -H ldapi:/// ((objectclass=sambaGroupMapping)(cn=administrators)) 2/dev/null dn: cn=Administrators,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 544 cn: Administrators description: Netbios Domain Members can fully administer the computer sambaSID: S-1-5-32-544 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512 sambaGroupType: 4 displayName: Administrators # getent group administrators Administrators:*:544: # net rpc group members administrators EUROPA\Domain Admins ### -- Gruss Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba PDC group list empty
Hai, The debian 3.5.6 is buggy, use de 3.6.6 version from backports, fixed my problems also. Louis -Oorspronkelijk bericht- Van: andrej.si...@gmail.com [mailto:samba-boun...@lists.samba.org] Namens Andrej Šimko Verzonden: vrijdag 23 november 2012 9:11 Aan: samba@lists.samba.org Onderwerp: [Samba] Samba PDC group list empty Dear samba users, I have very strange problem. I have Samba PDC up and running, but only thing is missing. I cannot see any Domain Groups at all. Here is my config: Debian Squeeze: ii samba 2:3.5.6~dfsg-3squeeze8 SMB/CIFS file, print, and login server for Unix ii samba-common2:3.5.6~dfsg-3squeeze8 common files used by both the Samba server and client ii samba-common-bin2:3.5.6~dfsg-3squeeze8 common files used by both the Samba server and client ii samba-doc 2:3.5.6~dfsg-3squeeze8 Samba documentation /etc/samba/smb.conf [global] dos charset = CP852 unix charset = UTF8 display charset = UTF8 workgroup = EXAMPLE server string = %h server map to guest = Bad User passdb backend = ldapsam:ldap://127.0.0.1/ pam password change = Yes passwd program = /usr/sbin/smbldap-passwd -u %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated* syslog = 0 time server = Yes log file = /var/log/samba/samba.log log level = 3 max log size = 1000 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u delete user script = /usr/sbin/smbldap-userdel %u -r %u add group script = /usr/sbin/smbldap-groupadd -p %g delete group script = /usr/sbin/smbldap-groupdel %g add user to group script = /usr/sbin/smbldap-groupmod -m %u %g delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g set primary group script = /usr/sbin/smbldap-usermod -g %g %u add machine script = /usr/sbin/smbldap-useradd -w %u logon script = logon.bat domain logons = Yes os level = 10 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap admin dn = cn=admin,dc=example,dc=sk ldap delete dn = Yes ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap machine suffix = ou=Computers ldap suffix = dc=example,dc=sk ldap ssl = no ldap user suffix = ou=Users panic action = /usr/share/samba/panic-action %d map acl inherit = Yes case sensitive = No hide unreadable = Yes map hidden = Yes map system = Yes [homes] comment = Home Directories valid users = %S read only = No create mask = 0644 directory mask = 0700 browseable = No path = /data/samba/homes [netlogon] comment = Network Logon Service path = /data/samba/netlogon read only = No guest ok = Yes locking = No share modes = No [profiles] comment = Users profiles path = /data/samba/profiles read only = No create mask = 0600 directory mask = 0700 hide files = /desktop.ini/ browseable = No /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc Name Service Switch' for information about this file. passwd: compat ldap group: compat ldap shadow: compat ldap hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc:db files netgroup: nis /etc/ldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. host 127.0.0.1 base dc=example,dc=sk binddn cn=admin,dc=example,dc=sk bindpw secret bind_policy soft pam_password exop timelimit 15 nss_base_passwd ou=Users,dc=example,dc=sk nss_base_shadow ou=Users,dc=example,dc=sk nss_base_group ou=Groups,dc=example,dc=sk net getdomainsid SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955 net groupmap list Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) - Domain Admins Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) - Domain Users Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) - Domain Guests Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) - Domain Computers Administrators (S-1-5-32-544) - Administrators Account Operators (S-1-5-32-548) - Account Operators Print Operators (S-1-5-32-550) - Print Operators Backup Operators (S-1-5-32-551) - Backup Operators Replicators (S-1-5-32-552) - Replicators The strange thing is, if I try on Win XP to search groups, i see in logs: smbldap_search_paged: base = [dc=example,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S -1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024] smbldap_search_paged: base = [dc=example,dc=sk], filter =
Re: [Samba] Samba PDC group list empty
On 18:32:29 wrote Andrej Šimko: Dear samba users, I have very strange problem. I have Samba PDC up and running, but only thing is missing. I cannot see any Domain Groups at all. ... net getdomainsid SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955 net groupmap list Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) - Domain Admins Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) - Domain Users Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) - Domain Guests Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) - Domain Computers Administrators (S-1-5-32-544) - Administrators Account Operators (S-1-5-32-548) - Account Operators Print Operators (S-1-5-32-550) - Print Operators Backup Operators (S-1-5-32-551) - Backup Operators Replicators (S-1-5-32-552) - Replicators The strange thing is, if I try on Win XP to search groups, i see in logs: smbldap_search_paged: base = [dc=example,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-2 1-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024] smbldap_search_paged: base = [dc=example,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-2 1-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024] smbldap_search_paged: base = [dc=example,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-3 # net help rpc group Usage: net rpc group Alias for net rpc group list global local builtin net rpc group add Create specified group net rpc group delete Delete specified group net rpc group addmem Add member to group net rpc group delmem Remove member from group net rpc group list List groups net rpc group members List group members net rpc group rename Rename group # net -U root rpc group members Administrators EUROPA\Domain Admins view this output: # ldapsearch -xLLL '((objectclass=sambaGroupMapping)(sambaGroupType=4) (sambaSID=S-1-5-32*))' dn: cn=Administrators,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 544 cn: Administrators memberUid: Administrator description: Netbios Domain Members can fully administer the computer sambaSID: S-1-5-32-544 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512 sambaGroupType: 4 displayName: Administrators dn: cn=users,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 545 cn: users description: Netbios Domain Users sambaSID: S-1-5-32-545 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513 sambaGroupType: 4 displayName: Users dn: cn=guests,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 546 cn: guests memberUid: nobody description: Netbios Domain Guests sambaSID: S-1-5-32-546 sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-514 sambaGroupType: 4 displayName: Guests dn: cn=AccountOperators,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 548 cn: AccountOperators description: Netbios Domain Users to manipulate users accounts sambaSID: S-1-5-32-548 sambaGroupType: 4 displayName: Account Operators dn: cn=PrintOperators,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 550 cn: PrintOperators description: Netbios Domain Print Operators sambaSID: S-1-5-32-550 sambaGroupType: 4 displayName: Print Operators dn: cn=BackupOperators,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 551 cn: BackupOperators description: Netbios Domain Members can bypass file security to back up files sambaSID: S-1-5-32-551 sambaGroupType: 4 displayName: Backup Operators dn: cn=Replicators,ou=groups,dc=europa,dc=xx objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 552 cn: Replicators description: Netbios Domain Supports file replication in a sambaDomainName sambaSID: S-1-5-32-552 sambaGroupType: 4 displayName: Replicators If I try to search in ldap with that filter, I always get zero matches. I also tried to use wbinfo, wbinfo -u list all my users, wbinfo -g list is empty. If I try getent passwd and getent group I see all my users and groups. Can somebody help me with this? Thank you! -- Gruss Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba