[Samba] samba 3.4.3 DC breaks Windows groups

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Nov 24 09:31:39 MST 2009


I assume an index is not an actual LDAP attribute or object like 
sambaSID but is more like a database index for optimizing searches?

I use Sun's Directory Server (LDAP server) as the backend.  I use Apache 
Directory Studio for managing objects and attributes within LDAP.  I 
should be able to use Sun's web-based console for creating the indexes.

Is there something I need to specify in smb.conf to tell Samba to use 
the index?



I also noticed that if I try to compile samba with Active Directory 
support, configure fails with

configure: error: Active Directory support requires ldap_initialize


Since Sun has LDAP client support included in the OS I do not have 
OpenLDAP installed.  I don't need Active Directory but it makes me 
suspect that there may be some other LDAP compatibility issues when 
using the Sun LDAP client vs the OpenLDAP client.


Thanks





On 11/24/09 04:33, Jan Wenzel wrote:
> Hi, you have to create a 'sub' index for sambaSID in your LDAP
> configuration. The way samba searches for groups has been changed with
> samba 3.2 and above.
>
> I think you also need to install the new schema to be able to create a
> sub index.
>
> Greetings
> Jan
>
> Gaiseric Vandal schrieb:
>    
>> On the assumption that Unix systems (solaris and linux) will not like spaces
>> in names, I never created unix groups called "Domain Admins" and "Domain
>> Users" etc.  Instead I had  created "smb_domadmins" and "smb_domusers" etc
>> instead.
>>
>> I don't know if Windows systems actually pay attention to the name of the
>> group (e.g. "Domain Admins") or just the SID (e.g. S-1-5-21-****-512.)
>> We would have a similar issue with a group like "Human Resources" but not
>> with "Marketing."
>>
>>
>> On Samba 3.0.x, setting the "ldap group suffix" parameter is honored.  On Samba
>> 3.4.x it seems to be ignored; instead samba seems to read the entire LDAP
>> tree (or at least from the "ldap suffix" parameter down.)  "pdbedit -Lv
>> Administrator" on Samba 3.4 will then complain about duplicate entries
>>
>> BDC2# pdbedit -Lv Administrator
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> init_sam_from_ldap: Entry found for user: Administrator
>> ldapsam_getgroup: Duplicate entries for filter
>> (&(objectClass=sambaGroupMapping)
>> (gidNumber=512)): count=2
>>
>>
>>
>> Since in this case I have both of the following objects in LDAP
>>
>> dn: cn=Domain Admins,ou=smb_groups,o=mydomain.com
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> objectClass: top
>> cn: Domain Admins
>> description: Domain Admins
>> displayName: Domain Admins
>> gidNumber: 512
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-******-512
>>
>> AND
>>
>> dn: cn=smb_domadmins,ou=group,o=mydomain.com
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> objectClass: groupOfUniqueNames
>> cn: domadmins
>> description: domadmins
>> displayName: domadmins
>> gidNumber: 512
>> memberUid: Administrator
>> .
>> sambaGroupType: 2
>> sambaSID:
>> ...
>>
>>
>> I also noticed the following
>>
>> Output from pdbedit on samba 3.4.x  includes
>>
>>      ldapsam_getgroup
>>
>> Output from pdbedit on samba 3.0.x includes
>>
>>     init_group_from_ldap
>>
>>
>>
>> I am not sure if that is somehow related.
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
>> Sent: Monday, November 23, 2009 4:41 PM
>> To: samba at lists.samba.org
>> Subject: samba 3.4.3 DC breaks Windows groups
>>
>> I have the following setup:
>>
>>       PDC:  Samba 3.0.37 on Solaris 10
>>       BDC1: Samba 3.0.37 on Solaris 10
>>       BDC2: Samba 3.4.3 on Solaris 10
>>
>>
>> Samba 3.0.37 is the bundled version of Samba.
>> Samba 3.4.3 is compiled from source.
>>
>> BDC2 is a recent addition to the network.
>> All machines use LDAP as the backend for everything.  They use winbind to
>> handle a domain trust with another domain, but otherwise it isn't needed.
>>
>> On BDC2,  users do not appear to be in any groups  beyond Domain Users.
>>
>>
>> Group mapping seems OK on each DC.
>>
>> BDC2# net groupmap list
>> Domain Admins (S-1-5-21-xxxxx-xxxxx-512) ->  smb_domadmins
>> Domain Users (S-1-5-21-xxxxx-xxxxx-513) ->  smb_domusers
>> Domain Guests (S-1-5-21-xxxxx-xxxxx9-514) ->  smb_domguests
>> Domain Computers (S-1-5-21-xxxxx-xxxxx-515) ->  smb_machines
>> Domain Controllers (S-1-5-21-xxxxx-xxxxx-516) ->  smb_dc
>> Domain Certificate Admins (S-1-5-21-xxxxx-xxxxx-517) ->  smb_domcertadmins
>> Builtin Admins (S-1-5-21-xxxxx-xxxxx-544) ->  smb_admins
>> Builtin users (S-1-5-21-xxxxx-xxxxx-545) ->  smb_users
>> Builtin Guests (S-1-5-21-xxxxx-xxxxx-546) ->  smb_guests
>> Administrators (S-xxxx-544) ->  xxxx
>> Users (S-xxxx-545) ->  xxxx
>> BDC2#
>>
>> The last two in the listing above were automatically created by
>> winbind/idmap for a trusted domain.
>> "sub index"
>>
>>
>> Unix level group memberships are OK
>>
>> BDC2# groups Administrator
>> smb_domadmins smb_domusers
>> BDC2#
>>
>> Windows/Samba level group memberships are not
>>
>> BDC2# net rpc user info Administrator -U Administrator -S PDC
>> Enter Administrator's password:
>> Domain Admins
>> Domain Users
>> BDC2#
>>
>>
>> BDC2# net rpc user info Administrator -U Administrator -S BDC2
>> Enter Administrator's password:
>> Domain Users
>> BDC2#
>>
>>
>> Same deal with regular users
>>
>>
>>
>> Note: not all unix groups are mapped to Windows groups.  However I
>> believe all required "well known" Windows groups are.
>>
>> Ldap structure includes
>>       ou=people
>>       ou=group
>>       ou=smb_groups (where samba stores group mappings, ldap
>> objectClass=sambaGroupMapping)
>>
>>
>>
>>
>>
>> You can verify which PDC or BDC is being used by a Windows client
>> with the "echo %LOGONSERVER%" command.
>>
>>
>> If I log on as Domain Administrator to an XP or Win 2003 machine that is
>> using BDC2, I will not have any Administrator privileges.
>>
>>
>> smb.conf includes
>>       ldap group suffix = ou=smb_groups
>>
>>
>> (When I converted from tdb to ldap backend,  I already had unix groups
>> in ldap and wasn't sure how stuff would import.     I don't think
>> existing groups or group mappings imported so I had to manually retype
>> the "net group map commands."  )
>>
>> The "Domain Admins" sambaGroupMapping does include Administrator as a
>> member.
>>
>>
>>
>> BDC2# net rpc group members "Domain Admins" -U Administrator -S PDC
>> MYDOMAIN\Administrator
>> MYDOMAIN\jsmith
>>
>>
>> BDC2# net rpc group members "Domain Admins" -U Administrator -S BDC2
>> Enter Administrator's password:
>> MYDOMAIN\Administrator
>> MYDOMAIN\jsmith
>>
>>
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>>      
>    
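As an added check that is not part of the thread or of Samba itself: a small Python script that parses an LDIF export and reports every gidNumber matched by more than one sambaGroupMapping entry, which is the exact filter ldapsam_getgroup reports "Duplicate entries" for above. The embedded LDIF is constructed from the two quoted objects (SIDs omitted) plus one clean control entry; run it against a real `ldapsearch -LLL` dump to find the collisions before upgrading a DC to 3.4.

```python
"""Report gidNumbers matched by more than one sambaGroupMapping entry in an LDIF dump.
Samba 3.4's ldapsam_getgroup searches the whole 'ldap suffix' with
(&(objectClass=sambaGroupMapping)(gidNumber=N)) and refuses two matches."""
from collections import defaultdict

# Constructed sample mirroring the two conflicting entries from the thread;
# the third entry is a clean control case.  No real SIDs are included.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=smb_groups,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512

dn: cn=smb_domadmins,ou=group,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb_domadmins
gidNumber: 512

dn: cn=smb_domusers,ou=group,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb_domusers
gidNumber: 513
"""

def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts; joins folded continuation lines."""
    entries, cur = [], defaultdict(list)
    for line in text.replace("\n ", "").splitlines():  # LDIF folds with a leading space
        if not line.strip():                            # blank line terminates an entry
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()].append(value.strip())
    if cur:
        entries.append(dict(cur))
    return entries

def duplicate_group_mappings(text):
    """Map each gidNumber to the DNs of sambaGroupMapping entries that share it (only if >1)."""
    by_gid = defaultdict(list)
    for entry in parse_ldif(text):
        if "sambaGroupMapping" in entry.get("objectClass", []):
            for gid in entry.get("gidNumber", []):
                by_gid[gid].append(entry["dn"][0])
    return {gid: dns for gid, dns in by_gid.items() if len(dns) > 1}
```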


