[Samba] Samba PDC, LDAP and permissions
Julian Pilfold-Bagwell
jools at oss4all.plus.com
Thu Dec 8 18:23:37 GMT 2005
Hi all,
I have a Samba PDC running on OpenSuSe 10 with LDAP as the backend and am
running Mandriva 2006 as a member server with a few shares for users.
The PDC seems OK and I've added the member using the instructions in the Samba
example documents and I'm at the following point:
OpenLDAP is running on the PDC itself. I can login to Linux as any LDAP user
account suggesting that NSS Ldap is functioning correctly. Running getent
passwd and getent group on the PDC provide a user and group list confirming
I can set user and group ownership on any file or folder to a valid LDAP
SambaSAM account and set permissions accordingly and these permissions have
the appropriate effect on users' access.
The PDC's name is SMB1, the Domain is BGS. If I run net getlocalsid and net
getlocalsid BGS on the PDC I receive the same SID in both cases.
Smbldap-tools from Idealx.org works fine and I can add, modify and delete
users' accounts from the command line without problems. The whole LDAP setup
is from the idealx.org example.
Onto the member server (SMB2)...
I've only got one domain so I'm not using Winbind relying instead on the LDAP
database on the PDC. The server will authenticate UNIX users and getent
returns complete user and group lists.
Smb.conf uses ldapsam as the idmap backend and the second server successfully
works as a BDC taking logins from clients on the network.
There are three users listed as Domain Admins. If any of these users logs into
a client and selects a folder or file from a shared directory on the BDC and
opens the permissions tab in properties the permission on a folder shows as
SMB2\Domain Admins instead of BGS\Domain Admins. If you printscreen the
window as the client resolves the SIDs however, the SID/RID of the
SMB1/Domain Admins group is the same as the SID from the PDC (BGS/Domain
Admins). If a domain admin tries to set permission on a folder, it accepts
the changes but they vanish from the check boxes after it's been OK'd. The
modified permissions do appear in the advanced tab though.
Is there a reason for the difference in Domain names? Does it matter if the
SIDs are the same? Have I missed out an important setlocalsid command?
Help please, I'm getting stressed ;)
Cheers,
Jools