[Samba] Groupmap problem [was Strange PDC issue]

Mailing List SVR lists at svrinformatica.it
Mon Jun 2 14:26:16 GMT 2008


On Sun, 01/06/2008 at 21.52 +0200, Mailing List SVR wrote:
> On Sun, 01/06/2008 at 21.14 +0200, Mailing List SVR wrote:
> > On Sat, 31/05/2008 at 21.01 +0200, Mailing List SVR wrote:
> > > Hi all,
> > > 
> > > I have a really strange PDC issue: 
> > > 
> > > Windows clients are able to join and to log in, however some clients have
> > > permission issues on their local machine, for example they cannot modify
> > > settings such as menubar, folder view, set quick start shortcuts, etc.,
> > > so they cannot use the PC. However, if they create a desktop file or
> > > folder, on logoff their profiles are correctly updated.
> > > 
> > > On the same machine some users can do these things and some other
> > > cannot. The users are all local machine administrators.
> > > 
> > > Google doesn't seem to help. Has anyone seen this really strange issue?
> > > 
> > > my system is centos 5.1 (all updates applied) with default samba
> > > (3.0.25) 
> > > 
> > > in my logs nothing seems interesting
> > > 
> > > here is my configuration:
> > > 
> > > [global]
> > > unix charset = ISO-8859-15
> > > display charset = ISO-8859-15
> > > workgroup = PDC
> > > server string = Server di dominio 
> > > interfaces = lo, eth0
> > > bind interfaces only = Yes
> > > obey pam restrictions = Yes
> > > passdb backend = tdbsam
> > > pam password change = Yes
> > > passwd program = /usr/bin/passwd %u
> > > passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
> > > username map = /etc/samba/smbusers
> > > unix password sync = Yes
> > > log level = 1
> > > syslog = 0
> > > log file = /var/log/samba/%m.log
> > > max log size = 100
> > > name resolve order = wins bcast hosts
> > > time server = Yes
> > > printcap name = CUPS
> > > show add printer wizard = No
> > > add user script = /usr/sbin/useradd "%u" -n -g users
> > > delete user script = /usr/sbin/userdel "%u"
> > > add group script = /usr/sbin/groupadd "%g"
> > > delete group script = /usr/sbin/groupdel "%g"
> > > add user to group script = /usr/sbin/usermod -G '%g' '%u'
> > > delete user from group script = /usr/sbin/userdel "%u" "%g"
> > > add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
> > > abort shutdown script = /sbin/shutdown -c
> > > logon script = scripts\logon.bat
> > > logon path = \\%L\profiles\%U
> > > logon drive = H:
> > > logon home = \\%L\%U
> > > domain logons = Yes
> > > os level = 255
> > > preferred master = Yes
> > > domain master = Yes
> > > dns proxy = No
> > > wins support = Yes
> > > invalid users = bin, deamon, sys, man, postfix, mail, ftp
> > > admin users = root
> > > hosts allow = 127., 192.168.2.
> > > map acl inherit = Yes
> > > printing = cups
> > > cups options = raw
> > > print command = 
> > > lpq command = %p
> > > lprm command = 
> > > hide unreadable = Yes
> > > veto files = /*.eml/*.nws/*.{*}/
> > > veto oplock files = /*.doc/*.xls/*.mdb/
> > > 
> > > [homes]
> > > comment = Home Directories
> > > valid users = %S
> > > read only = No
> > > browseable = No
> > > 
> > > [printers]
> > > comment = All Printers
> > > path = /var/spool/samba
> > > guest ok = Yes
> > > printable = Yes
> > > use client driver = Yes
> > > browseable = No
> > > 
> > > [netlogon]
> > > comment = Network Logon Service
> > > path = /home/samba/netlogon
> > > guest ok = Yes
> > > locking = No
> > > share modes = No
> > > 
> > > [Profiles]
> > > comment = Roaming Profile Share
> > > path = /home/samba/profiles
> > > read only = No
> > > profile acls = Yes
> > > case sensitive = No
> > > preserve case = No
> > > short preserve case = No
> > > hide files = /desktop.ini/ntuser.ini/NTUSER.*/
> > > browseable = No
> > > csc policy = disable
> > > 
> > > 
> > > thanks
> > > Nicola
> > > 
> > 
> > I just updated to 3.0.28 (srpm from rhel 5 update 2) but still the same
> > issue.
> > 
> > net groupmap list
> > 
> > give this result:
> > 
> > Domain Users (S-1-5-21-487449451-2765197844-2627020230-1002) -> users
> > Produzione (S-1-5-21-487449451-2765197844-2627020230-1004) -> produzione
> > Vss (S-1-5-21-487449451-2765197844-2627020230-1006) -> vss
> > Domain Admins (S-1-5-21-487449451-2765197844-2627020230-1001) -> root
> > Domain Guests (S-1-5-21-487449451-2765197844-2627020230-1003) -> nobody
> > Amministrazione (S-1-5-21-487449451-2765197844-2627020230-1005) -> amministrazione
> > 
> > If I remember the last part of "Domain User" was 513 and not 1002, can
> > this create issues?
> > 
> > thanks
> > Nicola
> > 
> 
> I remapped windows group and unix group 
> 
> net groupmap add rid=512 ntgroup="Domain Admins"  unixgroup=root type=d
> net groupmap add rid=513 ntgroup="Domain Users"   unixgroup=users type=d
> net groupmap add rid=514 ntgroup="Domain Guests"  unixgroup=nobody type=d
> net groupmap add rid=547 ntgroup="Power Users"    unixgroup=wheel type=d
> 
> 
> now:
> 
> net groupmap list
> Produzione (S-1-5-21-487449451-2765197844-2627020230-1020) -> produzione
> Vss (S-1-5-21-487449451-2765197844-2627020230-1022) -> vss
> Power Users (S-1-5-21-487449451-2765197844-2627020230-547) -> wheel
> Amministrazione (S-1-5-21-487449451-2765197844-2627020230-1021) -> amministrazione
> Domain Users (S-1-5-21-487449451-2765197844-2627020230-513) -> users
> Domain Admins (S-1-5-21-487449451-2765197844-2627020230-512) -> root
> Domain Guests (S-1-5-21-487449451-2765197844-2627020230-514) -> nobody
> 
> If I add a user to the root group all is fine, however "Domain Users"
> have the problems described above.
> 
> 
> regards,
> Nicola
> 
After the group remapping, new accounts work fine; the problem is the old
ones. Even if I delete and then recreate an old account it doesn't work
as expected; maybe something related to the account name remains on the
Windows or Linux side.

any suggestions?

regards
Nicola
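
The RID question raised in this thread can be checked mechanically. The following is an added example, not part of the original post: it parses `net groupmap list` output and reports any of the three standard domain groups whose RID differs from the well-known value (512, 513, 514). The two listings are copied from the thread; the function and variable names are hypothetical.

```python
import re

# Well-known domain-relative RIDs of the standard Windows domain groups.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# One entry of `net groupmap list`:  NT group (SID) -> unix group
ENTRY = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")

# Listings taken from the thread (before and after the remapping).
BEFORE = """\
Domain Users (S-1-5-21-487449451-2765197844-2627020230-1002) -> users
Domain Admins (S-1-5-21-487449451-2765197844-2627020230-1001) -> root
Domain Guests (S-1-5-21-487449451-2765197844-2627020230-1003) -> nobody
"""
AFTER = """\
Power Users (S-1-5-21-487449451-2765197844-2627020230-547) -> wheel
Domain Users (S-1-5-21-487449451-2765197844-2627020230-513) -> users
Domain Admins (S-1-5-21-487449451-2765197844-2627020230-512) -> root
Domain Guests (S-1-5-21-487449451-2765197844-2627020230-514) -> nobody
"""

def parse_groupmap(text):
    """Return {nt_group: (sid, rid, unix_group)} for every parsable line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            rid = int(m["sid"].rsplit("-", 1)[1])  # last SID component is the RID
            entries[m["nt"]] = (m["sid"], rid, m["unix"])
    return entries

def check_well_known(entries):
    """Return [(group, found_rid_or_None, expected_rid)] for each mismatch."""
    findings = []
    for name, expected in WELL_KNOWN_RIDS.items():
        found = entries[name][1] if name in entries else None
        if found != expected:
            findings.append((name, found, expected))
    return findings

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        problems = check_well_known(parse_groupmap(listing))
        print(label, "OK" if not problems else problems)
```

On a live server the same functions can be fed the captured output of `net groupmap list` instead of the embedded listings.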





