[Samba] Access and group issues on domain member server (PDC is Samba as well)

2012-08-01 Thread Philipp Felix Hoefler

Hi List,

I created a domain member server in my samba domain.
I started to realize that there are some issues when colleagues could not 
access some folders in their shares.
After searching for a solution I found that on that member server I have 
no samba groups available.


First of all my setup:
Domain controller:
CentOS 6.2 x86_64, latest updates installed
Samba 3.5.10 (from CentOS repo: samba-3.5.10-116.el6_2.x86_64)
LDAP backend (OpenLDAP from CentOS repo: openldap-2.4.23-20.el6.x86_64)

Domain member:
exact same OS and versions as on domain controller
also with LDAP backend

I followed the instructions from 
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html ( 
Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution) for 
adding the member server.
(BTW: If anyone on this list has access to this guide: Paragraph 8: the 
wbinfo --set-auth-user= has been replaced with net setauthuser)
Both servers access the same LDAP directory for the linux accounts and 
for Samba incl. IDMAPs

Everything in this guide worked as described.

getent passwd and getent groups work successfully on both servers 
(shows all entries from LDAP)

net rpc group list shows all groups correctly on the PDC
net groupmap list shows all group mappings correctly on the PDC

On the member server though:
net rpc group list only gives me Administrators and Users
net groupmap list only gives me:
Administrators (S-1-5-32-544) - 16777216
Users (S-1-5-32-545) - 16777217

I also tried to run winbind on the domain member, domain member+PDC and 
without winbind at all (We only have this one domain, do I even need 
winbind then? As I understood it would only be needed if I have multiple 
domains running. Is this correct?)

But these commands always show me the same output on the member server.

Should these commands even produce more output on domain members? Or is 
it just for PDCs?


smb.confs from both servers are added at the end.

Thanks in advance!
best regards,
philipp

PS: some additional info about our folder sharing system:
All users only connect to their home share. Inside this share we add 
symbolic links to the allowed group shares of the user.
These group share folders are owned by root; the group is one of the 
(allowed) user groups. Directory mask is 770, group-sticky bit is set.



smb.conf from PDC:

[root@srvad1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [netlogon]
WARNING: The share modes option is deprecated
Processing section [printers]
Processing section [print$]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
workgroup = ATV
server string = SRVAD1
interfaces = 192.168.249.0/24, 127.0.0.1/8
passdb backend = ldapsam:ldap://192.168.249.7/
log file = /var/log/samba/%m.log
max log size = 50
smb ports = 139
time server = Yes
unix extensions = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = login.bat
logon path =
logon drive = U:
logon home = \\SRVFILE1\%U
domain logons = Yes
os level = 65
preferred master = Auto
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=Manager,dc=at-visions,dc=com
ldap delete dn = Yes
ldap group suffix = ou=Groups,o=default
ldap machine suffix = ou=Computers,ou=Samba,ou=System
ldap passwd sync = yes
ldap suffix = dc=at-visions,dc=com
ldap ssl = no
ldap user suffix = ou=Users,o=default
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw
case sensitive = No
veto files = /.*/
hide files = /.*/
locking = No
wide links = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[netlogon]
path = /home/samba/netlogon
share modes = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
write list = @adm, root
guest ok = Yes

smb.conf from domain member:

[root@srvfile1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [homes]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
unix charset = LOCALE
workgroup = ATV
server string = SRVFILE1
interfaces = 192.168.249.0/24, 127.0.0.1/8
security = DOMAIN
log level = 4 ads:10 auth:10 

Re: [Samba] Access and group issues on domain member server (PDC is Samba as well)

2012-08-01 Thread Daniel Müller
Hi there,

try: id youruser.ldap on the member server,
ex.:

[root@tuepdc ~]# id tester
uid=1010(tester) gid=513(Domain Users) Gruppen=513(Domain Users),2154(orbis),34709(Dienstplan),61092(HS3),47140(DIFAEM),17162(agfa),29998(OpenHearts),26630(Personal),27525(pflege),19307(agaterm),46212(TerminalServer User)

Should id not work, there is something wrong.
Maybe your LDAP client is not working properly.

Good luck
Daniel



---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
E-mail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

Re: [Samba] Access and group issues on domain member server (PDC is Samba as well)

2012-08-01 Thread Philipp Felix Hoefler

Hi Daniel,

thank you for your response.

[root@srvfile1 home]# id phoefler
uid=1663(phoefler) gid=1105(VISIONS) groups=1105(VISIONS),512(Domain 
Admins),513(Domain Users),1103(IT),1069(Marketing),1079(TimeSheetReports)


This is working correctly. Also all other Linux/LDAP stuff is 
working without any problems.


Only Samba seems to be unhappy :(

best regards,
philipp

On 8/1/12 1:22 PM, Daniel Müller wrote:

try: id youruser.ldap on the member server,
ex.:

[root@tuepdc ~]# id tester
uid=1010(tester) gid=513(Domain Users) Gruppen=513(Domain Users),2154(orbis),34709(Dienstplan),61092(HS3),47140(DIFAEM),17162(agfa),29998(OpenHearts),26630(Personal),27525(pflege),19307(agaterm),46212(TerminalServer User)

Should id not work, there is something wrong.
Maybe your LDAP client is not working properly.



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Access and group issues on domain member server (PDC is Samba as well)

2012-08-01 Thread Daniel Müller
Did you miss this in your member's smb.conf:
passdb backend = ldapsam:ldap://192.168.249.7/
So your LDAP client is working but Samba does not know where to auth?

Your config on memberserver:

Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
 unix charset = LOCALE
 workgroup = ATV
 server string = SRVFILE1
 interfaces = 192.168.249.0/24, 127.0.0.1/8
 security = DOMAIN
 log level = 4 ads:10 auth:10 sam:10
 syslog = 0
 log file = /var/log/samba/%m.log
 max log size = 50
 smb ports = 139
 name resolve order = wins bcast hosts
 unix extensions = No
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 os level = 65
 wins server = 192.168.249.1
 ldap admin dn = cn=Manager,dc=at-visions,dc=com
 ldap group suffix = ou=Groups,o=default
 ldap idmap suffix = ou=Idmap,ou=Samba,ou=System
 ldap machine suffix = ou=Computers,ou=Samba,ou=System
 ldap suffix = dc=at-visions,dc=com
 ldap ssl = no
 ldap user suffix = ou=Users,o=default
 case sensitive = No
 veto files = /.*/
 hide files = /.*/
 locking = No
 wide links = Yes
 dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

A hint: to make your Samba a full-featured WINS server (even in replication
with W2008) there is samba4wins: http://ftp.sernet.de/pub/samba4WINS/






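Added example, not part of the thread: a POSIX sh/awk checker that reads two testparm-style dumps (PDC and member) and reports the problem Daniel spotted, a member with security = DOMAIN but no passdb backend, together with any LDAP settings that differ between the two servers. The sample dumps are constructed from the settings quoted in the thread and trimmed; file names and the [netlogon] path are assumptions.

```shell
# Print the value of one [global] parameter from a testparm-style dump.
global_param() {   # $1 = dump file, $2 = parameter name
  awk -v key="$2" '
    /^\[/ { insec = ($0 == "[global]"); next }
    insec {
      sub(/^[ \t]+/, "")
      n = index($0, "=")
      if (n == 0) next
      k = substr($0, 1, n - 1); sub(/[ \t]+$/, "", k)
      if (k != key) next
      v = substr($0, n + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# Return 0 if the member dump is usable next to the PDC dump, 1 otherwise.
check_member() {   # $1 = PDC dump, $2 = member dump
  rc=0
  sec=$(global_param "$2" "security" | tr 'A-Z' 'a-z')
  if [ "$sec" != "domain" ]; then
    echo "member: expected 'security = DOMAIN', got '$sec'"; rc=1
  fi
  if [ -z "$(global_param "$2" "passdb backend")" ]; then
    echo "member: 'passdb backend' is unset, so smbd cannot read the LDAP SAM"; rc=1
  fi
  # Both servers must point at the same directory and domain.
  for key in "workgroup" "passdb backend" "ldap suffix" "ldap admin dn"; do
    a=$(global_param "$1" "$key"); b=$(global_param "$2" "$key")
    [ "$a" = "$b" ] || { echo "mismatch on '$key': PDC='$a' member='$b'"; rc=1; }
  done
  return $rc
}

# Constructed sample dumps (values taken from the thread, trimmed to what matters).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/pdc.conf" <<'EOF'
Server role: ROLE_DOMAIN_PDC
[global]
    workgroup = ATV
    passdb backend = ldapsam:ldap://192.168.249.7/
    ldap admin dn = cn=Manager,dc=at-visions,dc=com
    ldap suffix = dc=at-visions,dc=com
[netlogon]
    path = /home/samba/netlogon
EOF
cat > "$SAMPLES/member_before.conf" <<'EOF'
Server role: ROLE_DOMAIN_MEMBER
[global]
    workgroup = ATV
    security = DOMAIN
    ldap admin dn = cn=Manager,dc=at-visions,dc=com
    ldap suffix = dc=at-visions,dc=com
EOF
# The fix from the thread: the same member dump plus the PDC's passdb line.
awk '{ print } /security = DOMAIN/ { print "    passdb backend = ldapsam:ldap://192.168.249.7/" }' \
  "$SAMPLES/member_before.conf" > "$SAMPLES/member_after.conf"

check_member "$SAMPLES/pdc.conf" "$SAMPLES/member_before.conf" || echo "before: needs fixing"
check_member "$SAMPLES/pdc.conf" "$SAMPLES/member_after.conf" && echo "after: consistent"
```

On a real pair of servers, feed it the output of testparm -s from each host; the check only covers [global] and does not replace a winbind/idmap review.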


Re: [Samba] Access and group issues on domain member server (PDC is Samba as well)

2012-08-01 Thread Gaiseric Vandal
I think there are two components:


1st, I think the domain member does need to run winbind to retrieve
Windows users and groups from the DC.
2nd, the domain member needs to have idmap configured correctly to make
sure that the Windows users are properly mapped to the local Unix
users, so that the Unix/Windows mappings are the same as on the DC.
(The fact that the local Unix users are actually LDAP accounts is not
known to the Samba server.)


In theory the idmap_nss backend should help keep idmap entries
consistent across Samba servers with a common LDAP backend. The
idmap_nss man page shows some examples. If you use idmap_nss on
both DC and server it should be consistent.


The other option is to use LDAP for the idmap backend. See man
idmap_ldap. Your PDC should create idmap entries. I found I had to
then edit the entries to correct the uid or gid values to match the LDAP
user values. I then tried configuring the member servers to use the
same LDAP idmap backend, but read-only. It didn't really work, and
this was before the idmap_nss option was available. In the end I
found it easier to convert some of my member servers to BDCs.





Re: [Samba] Access and group issues on domain member server (PDC is Samba as well)

2012-08-01 Thread Philipp Felix Hoefler

Hi Daniel!

Oh my god, how embarrassing ;-)
This was it! Resolved all problems.

Many thanks!
Kind regards to Tübingen,
philipp


On 8/1/12 1:42 PM, Daniel Müller wrote:

Did you miss this in your members smb.conf:
passdb backend = ldapsam:ldap://192.168.249.7/
So your ldapclient is working but Samba does not now where to auth?


