[Samba] LDAP backend not mapping permissions properly and other problems
Data Control Systems - Mike Elkevizth
mike at dcsamerica.com
Thu Aug 26 13:50:54 GMT 2004
Sorry this is so long, but I think it is all relevant. I also have an output
from pdbedit with log level 10 if needed.
First, the latest problem I have noticed. When I create a new directory on
the server, samba creates the files properly and gives them the proper
permissions on the server, but when I look at the file security properties
(right click, Properties, Security tab) I don't get the file's proper
information. The user and group are both in the LDAP directory with samba
SIDs, but I get two groups that are not even related to the file and don't
get the user and group that are assigned to the file. I have tried to run
winbindd, but it doesn't work at all. I got it to connect to the LDAP server
by changing my configuration, and it looks in the log like it starts fine,
but when I run wbinfo -u it gives me "error looking up users", wbinfo -g
gives me 3 BUILTIN groups, and wbinfo -D gives me my domain info. Since my
domain is purely made of samba servers, though, I'm not even sure if I should
be running winbindd. I am wondering if this has anything to do with the fact
that the new smbldap-tools scripts require an entry with
objectClass=sambaUnixIdPool, as does the Idmap entry. I had to change the
scripts from searching "(objectclass=sambaUnixIdPool)" to search for
"(cn=NextFreeUnixId)" in order to get the scripts to work, because they kept
giving me a "can't find next available uidNumber" error. An ldapsearch for
"(objectclass=sambaUnixIdPool)" gives this:
> ldapsearch -x "(objectclass=sambaunixidpool)"
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=sambaunixidpool)
# requesting: ALL
#
# Idmap, ldap.dcs
dn: ou=Idmap,dc=ldap,dc=dcs
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: Idmap
uidNumber: 10000
gidNumber: 10000
# NextFreeUnixId, ldap.dcs
dn: cn=NextFreeUnixId,dc=ldap,dc=dcs
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId
uidNumber: 1012
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
History,
I am trying (and have been for about six months) to build a small
distributed network (between 3 offices per VPN w/10 users 4 mobile) and I
can't figure it out. I purchased a "Samba 3 by Example" book and have
followed it and keep getting strange errors. I have 4 servers, one PDC and
one BDC at the main office and a BDC at each of the other offices (they
really aren't there yet because I'm trying to make it work first). All of
them are running Fedora Core 2 with samba 3.0.6. They each have a dhcp and
dns server on them which operate fine, and sync together properly where
needed. They all run OpenLDAP and that runs great on all of them, the PDC
runs the master and the BDCs are all slaves. Also, I get weird errors from
"User Manager for Domains". I can change passwords properly from the
Ctl-Alt-Delete Change Password method and it changes both the unix and the
samba passwords. If I try to change a user's password other than the
administrator's (linux uid=0) in the "User Manager for Domains" it works
fine; if I try to do anything to administrator, though, it gives me a "the
group name could not be found" error. Then if I go into the Domain Admins
group, it doesn't show the administrator as being a member, although he is
in the ldap directory, so I try to put the administrator in and it gives me
a "the user does not belong to this group" error. I also have noticed I
can't set "password must change at next logon" for any user. I am using
smbldap-tools version 0.8.5 (the latest from their website).
Mike Elkevizth
smb.conf:
[global]
# Basic settings
workgroup = dcs
netbios name = dcs004
server string = Hartville PDC Server
security = user
show add printer wizard = no
# Network settings
time server = yes
wins support = yes
name resolve order = wins bcast hosts
smb ports = 139 445
hosts allow = 192.168.5. 192.168.6. 192.168.7. 127.
# Domain control options
os level = 99
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
logon script = %U.bat
logon path = \\%L\profile
# Password change and create options for domain control
unix password sync = yes
passwd chat timeout = 10
ldap delete dn = yes
lanman auth = no
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
encrypt passwords = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
# LDAP settings
ldap timeout = 10
passdb backend = ldapsam:ldap://localhost
idmap backend = ldap:ldap://dcs004.dcs
ldap ssl = start_tls
ldap admin dn = cn=sambauser,ou=DSA,dc=ldap,dc=dcs
ldap suffix = dc=ldap,dc=dcs
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap replication sleep = 1000
idmap uid = 10000-20000
idmap gid = 10000-20000
# Log settings
log level = 10
log file = /var/log/samba/log.%m
max log size = 50
syslog = 2
[profile]
path = /home/%U/.winprof
read only = no
browseable = no
profile acls = yes
create mask = 0771
directory mask = 2770
force directory mode = 2770
map system = yes
map hidden = yes
hide files = /RECYCLER/desktop.ini/
[My Documents]
path = /home/%U/Documents
read only = no
browseable = no
create mask = 0771
directory mask = 2770
force directory mode = 2770
map system = yes
map hidden = yes
hide files = /RECYCLER/desktop.ini/
[netlogon]
path = /home/netlogon
comment = Network Logon Service
guest ok = yes
locking = no
read only = yes
browseable = no
write list = administrator
create mask = 0775
directory mask = 2774
map system = yes
map hidden = yes
hide files = /RECYCLER/desktop.ini/
[DCS]
path = /common/dcs
comment = Common files for Data Control Systems
read only = no
create mask = 0770
directory mask = 2770
force directory mode = 2770
[QB]
path = /common/quickbooks
comment = Backup of Quickbooks company files
read only = no
oplocks = no
level2 oplocks = no
hide unreadable = yes
create mask = 0770
directory mask = 2770
force directory mode = 2770
[Software]
path = /common/software
comment = Backup of common program installation files
read only = yes
write list = administrator
[Users]
comment = Users' home directories
browseable = no
valid users = @"Domain Admins"
write list = @"Domain Admins"
path = /home
[Backup]
path = /common/backup
comment = Backups of deleted or changed files
valid users = administrator msp
browseable = no
[IPC$]
path = /tmp
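The ldapsearch output above shows why "(objectclass=sambaUnixIdPool)" breaks the scripts: both ou=Idmap (the pool winbind allocates from, starting at the bottom of the idmap uid = 10000-20000 range) and cn=NextFreeUnixId match it, so the filter is ambiguous. The following added script (not part of the post or of smbldap-tools) parses that output with a minimal LDIF reader, reproduces the patched cn=NextFreeUnixId lookup with a strict exactly-one-entry check, and flags any uid pool whose counter sits inside the idmap range; the idmap bounds are taken from the posted smb.conf.

```python
import re

# Constructed sample: the two entries from the post's ldapsearch output (comment lines omitted).
SAMPLE_LDIF = """\
dn: ou=Idmap,dc=ldap,dc=dcs
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: Idmap
uidNumber: 10000
gidNumber: 10000

dn: cn=NextFreeUnixId,dc=ldap,dc=dcs
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId
uidNumber: 1012
"""

def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def pool_entries(entries):
    """Entries the scripts' original filter (objectclass=sambaUnixIdPool) would match."""
    return [e for e in entries
            if any(v.lower() == "sambaunixidpool" for v in e.get("objectClass", []))]

def next_free_uid(entries, pool_cn="NextFreeUnixId"):
    """Patched lookup (cn=NextFreeUnixId); insist on exactly one hit so an ambiguous pool fails loudly."""
    hits = [e for e in entries if pool_cn in e.get("cn", [])]
    if len(hits) != 1:
        raise LookupError(f"expected one pool entry cn={pool_cn}, found {len(hits)}")
    return int(hits[0]["uidNumber"][0])

def pools_inside_idmap_range(entries, lo=10000, hi=20000):
    """DNs of uid pools whose counter lies in 'idmap uid = lo-hi': user ids taken from it collide with winbind's idmap."""
    return [e["dn"][0] for e in pool_entries(entries)
            if lo <= int(e["uidNumber"][0]) <= hi]
```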