[Samba] samba 3.4.3 DC breaks Windows groups

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Nov 30 15:57:07 MST 2009


I consolidated group entries as described in the previous post.

By mistake, I initially set same SID for the "Domain Users" and "Domain 
Guests."      So "net rpc user info someuser" would display the wrong 
output.  I fixed this but had to my Samba 3.0.x BDC to get the update to 
stick.  I also zapped all the *cache*.tdb files on that machine, which 
may have been a mistake.

Initially the Samba 3.0.x BDC would not start.  smb.conf had the "guest 
account = nobody" entry, which had worked in the past.  However, the 
error logs reported that "nobody" no longer existed. I had to create an 
ldap/samba "smb_nobody" user and group and update smb.conf for "guest 
account = smb_nobody."  At that point samba would start; however, I 
could not view or access either the samba server in network 
neighborhood, or access any shares via "net use..." or "smbclient ..."

For the moment, I have reverted to the earlier smb.conf and disabled 
samba 3.4.x.   My guess is that samba choked on loading groups that did 
not have a proper SID.  I have about 230 unix/ldap groups and didn't 
want to have to create an explicit group mapping (SID entry) for each group.

On 11/25/09 22:42, Gaiseric Vandal wrote:
> I think I have found the problem:
>
> Samba 3.0.x looks for group mappings in the "ldap group suffix" param.  On
> my systems this is "ldap group suffix = ou=smb_groups."   Regular unix
> groups are just in ou=groups.   Initially we had used NIS (then LDAP) for
> unix groups, and had used tdbsam for the samba account backend.  Group
> mappings were also in tdb.  When we moved to ldap backend, group mappings
> were imported into ou=smb_groups.
>
> Samba 3.4.x reads thru the entire ldap tree.    Since I have both
> "cn=Domain Administrators,ou=smb_groups" and "cn=smb_domadmins,ou=group"
> with the same gidNumber, group membership processing fails.
>
> Therefore I think the solution will be to consolidate entries.  For
> example,
>   - Replace "cn=smb_domadmins,ou=group" with "cn=Domain Administrators,ou=group"
>   - Copy the sambaSID from "cn=Domain Administrators,ou=smb_groups" to
>     "cn=Domain Administrators,ou=group"
>   - Repeat for all the other mapped groups
>   - Update smb.conf on the 3.0.x servers to use "ldap group suffix = ou=group."
>
>
> This is assuming of course that Solaris doesn't have problems with group
> names with spaces.
>
> -----Original Message-----
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Wednesday, November 25, 2009 10:01 PM
> To: samba at lists.samba.org
> Subject: RE: [Samba] samba 3.4.3 DC breaks Windows groups
>
> I have done the following
>
>   - Added index for sambaSID and other attributes as per the following
>     http://wiki.samba.org/index.php/2.0:_Configuring_LDAP
>   - replaced the samba 3.0 schema file in my LDAP Server (Sun Directory
>     Server) with the 3.2 version
>   - installed samba 3.4.3 packages from sun freeware to replace those I
>     compiled from source.
>   - Reindexed with "dsconf reindex -h ldapserver -t sambaSID
>     o=mydomain.com"
>
> Unfortunately this did not resolve the group membership problem (i.e. a user
> account only appears to be in its primary group).
>
>
> Querying the Samba 3.4.x BDC
>
> # net rpc user info Administrator -U Administrator -S BDC2
> Enter Administrator's password:
> Domain Users
> #
>
>
> Querying the Samba 3.0.x PDC
>
> # net rpc user info Administrator -U Administrator -S PDC
> Enter Administrator's password:
> Domain Admins
> Domain Users
> #
>
>
> As far as I can tell from the comments at the top of each ldif file, the
> only change was the addition of sambaTrustedDomainPassword objectClasses.
>
> On 11/25/09 03:41, Jan Wenzel wrote:
>>
>> Gaiseric Vandal wrote:
>>
>>> I assume an index is not an actual LDAP attribute or object like
>>> sambaSID but is more like a database index for optimizing searches?
>>>
>> You're right :) But in some cases like substring search (samba searches
>> i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
>> get results. I don't know where to configure the indexes exactly in SDS,
>> but I'm sure it is possible.
>>
>>
>>
>>> I use Sun's Directory Server (LDAP server) as the backend.  I use Apache
>>> Directory Studio for managing objects and attributes with in ldap.    I
>>> should be able to use Sun's web-based console for creating the indexes.
>>>
>>> Is there something I need to specify in smb.conf to tell Samba to use
>>> the index?
>>>
>> Samba does not know anything about the configuration details of the LDAP
>> server,
>> it only talks LDAP - so it should instantly show groups when the index
>> is present.
>>
>>
>>> I also noticed that if I try to compile samba with Active Directory
>>> support, configure fails with
>>>
>>> configure: error: Active Directory support requires ldap_initialize
>>>
>> I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
>> you have a linux system).
>>
>>
>>> Since sun has ldap client support included in the OS I do not have
>>> openldap installed.    I don't need Active Directory but it makes me
>>> suspect that there may be some other ldap compatibility issues when
>>> using Sun ldap client vs Openldap client.
>>>
>>>
>>> Thanks
>>>
>> HTH
>> Jan
>>
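A check for the two faults this thread describes (a plain unix group in ou=group and its mapping in ou=smb_groups sharing one gidNumber, and two mapped groups accidentally given the same sambaSID), as an added example that is not from the thread or from the Samba project. It reads an LDIF export of the group subtrees; the sample entries and the o=example base are constructed, not taken from the poster's directory.

```python
# Constructed sample LDIF export (not from the thread): a plain unix group and
# its samba mapping share a gidNumber, and two mappings carry the same sambaSID.
SAMPLE_LDIF = """\
dn: cn=smb_domadmins,ou=group,o=example
gidNumber: 512

dn: cn=Domain Administrators,ou=smb_groups,o=example
gidNumber: 512
sambaSID: S-1-5-21-1-2-3-512

dn: cn=Domain Users,ou=group,o=example
gidNumber: 513
sambaSID: S-1-5-21-1-2-3-513

dn: cn=Domain Guests,ou=group,o=example
gidNumber: 514
sambaSID: S-1-5-21-1-2-3-513
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute -> list of values.
    Handles folded lines (leading space) and '#' comments; '::' values are not decoded."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif raw.startswith(' ') and last:  # folded line continues the last value
            cur[last][-1] += raw[1:]
        elif ':' in raw and not raw.startswith('#'):
            attr, val = raw.split(':', 1)
            last = attr.strip()
            cur.setdefault(last, []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def find_conflicts(entries, attr):
    """Return {value: [dn, ...]} for every value of attr held by more than one entry."""
    seen = {}
    for e in entries:
        for v in e.get(attr, []):
            seen.setdefault(v, []).append(e['dn'][0])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}

if __name__ == '__main__':
    for attr in ('gidNumber', 'sambaSID'):
        print(attr, find_conflicts(parse_ldif(SAMPLE_LDIF), attr))
```

Run it against an export of ou=group and ou=smb_groups before the consolidation: every gidNumber reported twice is a pair to merge, and any sambaSID reported twice is the "same SID for two groups" mistake that produced the wrong "net rpc user info" output.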