[Samba] Can a user belong to two groups in Samba ???
Ganael LAPLANCHE
ganael.laplanche at edfgdf.fr
Mon Aug 11 09:54:32 GMT 2003
>> Hi,
>>
>> I'm using samba 3b3 (+ldapsam) and have created a user belonging to two
>> groups:
>>
>> - his primary group is mapped to the "Domain Users" Windows group,
>> - his secondary one is mapped to the "Domain Admins" Windows group.
> It should be fine. Can you send me a level 10 debug log showing the
> session setup portion where the user's groups are initialized?
# net groupmap list
Domain Users (S-1-5-21-1320293332-2887003436-4113625284-513) -> opususers
Domain Admins (S-1-5-21-1320293332-2887003436-4113625284-512) -> opusadmins
# getent group
...
opususers:x:1001:
opusadmins:x:1002:opususer
...
# getent passwd
...
opususer:x:1002:1001::/home/opususer:/bin/bash
...
# id opususer
uid=1002(opususer) gid=1001(opususers) groups=1001(opususers),1002(opusadmins)
# LDAP entries
dn: uid=opususer,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
uid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-3004
sambaPrimaryGroupSID: S-1-5-21-1320293332-2887003436-4113625284-513
sambaPwdCanChange: 1060162576
sambaPwdMustChange: 1061976976
sambaLMPassword: B8AC092B6597E9E6944E2DF489A880E4
sambaNTPassword: 75892BB02A31553735DD03163476A3C8
sambaPwdLastSet: 1060162576
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
sambaHomeDrive: U:
sambaLogonScript: opususer.cmd
sambaProfilePath: \\OPUS_DC1\profiles\opususer
sambaHomePath: \\OPUS_DC1\opususer
dn: cn=opususers,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
cn: opususers
memberUid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-513
sambaGroupType: 2
displayName: Domain Users
dn: cn=opusadmins,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1002
cn: opusadmins
memberUid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-512
sambaGroupType: 2
displayName: Domain Admins
# Log extract (logon time)
[2003/08/11 07:07:21, 2] lib/smbldap.c:smbldap_search_suffix(1056)
smbldap_search_suffix: searching for: [(&(uid=opususer)(objectclass=sambaSamAccount))]
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(456)
Entry found for user: opususer
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 4] auth/auth_sam.c:sam_password_ok(218)
sam_password_ok: Checking NT MD4 password
[2003/08/11 07:07:21, 4] auth/auth_sam.c:sam_account_ok(324)
sam_account_ok: Checking SMB password for user opususer
[2003/08/11 07:07:21, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 1002
Primary group is 1001 and contains 2 supplementary groups
Group[ 0]: 1001
Group[ 1]: 1002
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1001))]
[2003/08/11 07:07:21, 0] lib/smbldap.c:smbldap_open(799)
smbldap_open: cannot access LDAP when not root..
[2003/08/11 07:07:21, 1] lib/smbldap.c:smbldap_retry_open(888)
Connection to LDAP Server failed for the 1 try!
[2003/08/11 07:07:21, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1634)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)ldapsam_search_one_group: Query was: ou=Opus,dc=der,dc=edf,dc=fr, (&(objectClass=sambaGroupMapping)(gidNumber=1001))
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1002))]
[2003/08/11 07:07:21, 0] lib/smbldap.c:smbldap_open(799)
smbldap_open: cannot access LDAP when not root..
[2003/08/11 07:07:21, 1] lib/smbldap.c:smbldap_retry_open(888)
Connection to LDAP Server failed for the 1 try!
[2003/08/11 07:07:21, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1634)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)ldapsam_search_one_group: Query was: ou=Opus,dc=der,dc=edf,dc=fr, (&(objectClass=sambaGroupMapping)(gidNumber=1002))
[2003/08/11 07:07:21, 10] auth/auth_util.c:debug_nt_user_token(491)
NT user token of user S-1-5-21-1320293332-2887003436-4113625284-3004 contains 7 SIDs
SID[ 0]: S-1-5-21-1320293332-2887003436-4113625284-3004
SID[ 1]: S-1-5-21-1320293332-2887003436-4113625284-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-1320293332-2887003436-4113625284-3003
SID[ 6]: S-1-5-21-1320293332-2887003436-4113625284-3005
[2003/08/11 07:07:21, 5] auth/auth_util.c:make_server_info_sam(815)
make_server_info_sam: made server info for user opususer -> opususer
[2003/08/11 07:07:21, 3] auth/auth.c:check_ntlm_password(265)
check_ntlm_password: sam authentication for user [opususer] succeeded
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2003/08/11 07:07:21, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 5] auth/auth.c:check_ntlm_password(289)
check_ntlm_password: PAM Account for user [opususer] succeeded
[2003/08/11 07:07:21, 2] auth/auth.c:check_ntlm_password(302)
check_ntlm_password: authentication for user [opususer] -> [opususer] -> [opususer] succeeded
# Log extract (trying to change date/time on the workstation)
[2003/08/11 07:06:07, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(283)
Got user=[opususer] domain=[OPUS] workstation=[OPUSWKS] len1=24 len2=24
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info_map(216)
make_user_info_map: Mapping user [OPUS]\[opususer] from workstation [OPUSWKS]
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(132)
attempting to make a user_info for opususer (opususer)
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(142)
making strings for opususer's user_info struct
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(184)
making blobs for opususer's user_info struct
[2003/08/11 07:06:07, 10] auth/auth_util.c:make_user_info(193)
made an encrypted user_info for opususer (opususer)
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(216)
check_ntlm_password: Checking password for unmapped user [OPUS]\[opususer]@[OPUSWKS] with the new password interface
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: mapped user is: [OPUS]\[opususer]@[OPUSWKS]
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(228)
check_ntlm_password: auth_context challenge created by random
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(230)
challenge is:
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(256)
check_ntlm_password: guest had nothing to say
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 2] lib/smbldap.c:smbldap_search_suffix(1056)
smbldap_search_suffix: searching for: [(&(uid=opususer)(objectclass=sambaSamAccount))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(456)
Entry found for user: opususer
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 4] auth/auth_sam.c:sam_password_ok(218)
sam_password_ok: Checking NT MD4 password
[2003/08/11 07:06:07, 4] auth/auth_sam.c:sam_account_ok(324)
sam_account_ok: Checking SMB password for user opususer
[2003/08/11 07:06:07, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 1002
Primary group is 1001 and contains 2 supplementary groups
Group[ 0]: 1001
Group[ 1]: 1002
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1001))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_group_from_ldap(1665)
Entry found for group: 1001
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1002))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_group_from_ldap(1665)
Entry found for group: 1002
[2003/08/11 07:06:07, 10] auth/auth_util.c:debug_nt_user_token(491)
NT user token of user S-1-5-21-1320293332-2887003436-4113625284-3004 contains 6 SIDs
SID[ 0]: S-1-5-21-1320293332-2887003436-4113625284-3004
SID[ 1]: S-1-5-21-1320293332-2887003436-4113625284-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-1320293332-2887003436-4113625284-512
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_server_info_sam(815)
make_server_info_sam: made server info for user opususer -> opususer
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(265)
check_ntlm_password: sam authentication for user [opususer] succeeded
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 5] auth/auth.c:check_ntlm_password(289)
check_ntlm_password: PAM Account for user [opususer] succeeded
[2003/08/11 07:06:07, 2] auth/auth.c:check_ntlm_password(302)
check_ntlm_password: authentication for user [opususer] -> [opususer] -> [opususer] succeeded
I thought my troubles were related to the "cannot access LDAP when not root" error, but the SID table finally contains the "Domain Admins" RID, which is very strange... And I still can't change the time on my Windows machine...
Either the "Domain Admins" group hasn't been mapped to the "Local Admins" group on Windows (unlikely, since if I set opusadmins as the primary group for opususer, he becomes a "Domain Admin" and then a "Local Admin" and can change the time/date), or Samba ignores the "Domain Admins" group listed in the user's SIDs.
>> Unfortunately, only the first group seems to be known by Samba, since the
>> user doesn't become a "Domain Admin" at all (but he is a "Domain User")...
> You could have this problem if libc is not returning the secondary groups
> for a user via NSS.
To be precise: I'm using NSS to access /etc/passwd and /etc/group; I'm not using libnss_ldap at all.
I've created every account/group on my Unix box before creating it under Samba.
>> I've googled a lot and haven't been able to find much info about
>> multiple-groups-per-user handling in Samba; some users seem to get the
>> same problem without getting a solution; Red Hat did record this as a bug
>> in bugzilla...
> Do you know that bug ID offhand?
Well, the bug is closed; here is the link:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=91768
But it doesn't seem to be what I'm running into: it is related to libnss-ldap!
>> So: is it a bug? Is it related to LDAP? Finally, is it possible to have
>> a user belonging to two (or more) Windows domain groups?
> It would be a bug. Whether it is our bug or not is unknown right now.
> That log file would help me to determine what is going on. All my tests
> are turning up correct results.
Thank you very much,
Regards,
Ganael.
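The two log extracts above differ in one place: in the first, the gid-to-SID lookups run after the security context has been popped back to uid 65534, the ldapsam search fails with "cannot access LDAP when not root", and the token ends up with the RIDs -3003 and -3005 instead of -512; in the second, the same lookups run as root, both group entries are found, and -512 (Domain Admins) appears. The script below is an added example, not Samba code and not part of the post: it models how the NT token is assembled from the NSS group list plus the group-mapping table, with the inputs constructed from the getent, `net groupmap list` and LDAP output in the message. The fallback used when a mapping cannot be read is assumed to be Samba 3's algorithmic RID (rid = 2*id + 1000, low bit set for groups); that assumption is what reproduces -3003, -3004 and -3005 exactly.

```python
"""Model of how smbd assembles a user's NT token from NSS group data and the
sambaGroupMapping table. Added example, not Samba source; inputs are
constructed from the getent / net groupmap / LDAP output in the message."""

from typing import Dict, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1320293332-2887003436-4113625284"   # domain SID from the page

# Constructed from `getent passwd` / `getent group`:
# name -> (uid, primary gid) and gid -> (group name, supplementary members).
PASSWD: Dict[str, Tuple[int, int]] = {"opususer": (1002, 1001)}
GROUPS: Dict[int, Tuple[str, List[str]]] = {
    1001: ("opususers", []),
    1002: ("opusadmins", ["opususer"]),
}

# Constructed from `net groupmap list`: gid -> RID of the mapped domain group.
GROUP_MAP: Dict[int, int] = {1001: 513, 1002: 512}   # Domain Users, Domain Admins

# Well-known SIDs added to every authenticated token (Everyone, Network,
# Authenticated Users), in the order they appear in the log.
WELL_KNOWN = ["S-1-1-0", "S-1-5-2", "S-1-5-11"]

# Assumed fallback when no mapping can be read: Samba 3's algorithmic RID
# (2*id + 1000; groups get the low bit set). Reproduces -3003/-3004/-3005.
RID_MULTIPLIER, BASE_RID = 2, 1000


def algorithmic_user_rid(uid: int) -> int:
    return uid * RID_MULTIPLIER + BASE_RID          # always even


def algorithmic_group_rid(gid: int) -> int:
    return (gid * RID_MULTIPLIER + BASE_RID) | 1    # always odd


def nss_groups(user: str) -> Tuple[int, List[int]]:
    """What getgrouplist(3) would return: primary gid first, then supplementary gids."""
    uid, pgid = PASSWD[user]
    extra = sorted(g for g, (_, members) in GROUPS.items()
                   if user in members and g != pgid)
    return uid, [pgid] + extra


def lookup_group_sid(gid: int, backend_reachable: bool) -> Optional[str]:
    """Group-mapping lookup; None models 'cannot access LDAP when not root'."""
    if not backend_reachable or gid not in GROUP_MAP:
        return None
    return f"{DOMAIN_SID}-{GROUP_MAP[gid]}"


def build_nt_token(user: str, user_sid: str, primary_group_sid: str,
                   backend_reachable: bool = True) -> List[str]:
    """User SID, primary group SID, well-known SIDs, then one SID per unix gid."""
    _, gids = nss_groups(user)
    token = [user_sid, primary_group_sid] + WELL_KNOWN
    for gid in gids:
        sid = lookup_group_sid(gid, backend_reachable)
        if sid is None:                 # no mapping readable: algorithmic fallback
            sid = f"{DOMAIN_SID}-{algorithmic_group_rid(gid)}"
        if sid not in token:            # the primary group shows up twice; keep one
            token.append(sid)
    return token


def is_domain_admin(token: List[str]) -> bool:
    return f"{DOMAIN_SID}-512" in token


if __name__ == "__main__":
    user_sid = f"{DOMAIN_SID}-3004"     # sambaSID from the LDAP entry
    primary = f"{DOMAIN_SID}-513"       # sambaPrimaryGroupSID
    for reachable in (False, True):
        tok = build_nt_token("opususer", user_sid, primary, reachable)
        print(f"backend reachable={reachable}: {len(tok)} SIDs, "
              f"Domain Admin={is_domain_admin(tok)}")
        for i, s in enumerate(tok):
            print(f"  SID[{i}]: {s}")
```

Run stand-alone it prints the 7-SID token from the first extract and the 6-SID token from the second. The practical check this gives you: when a token that should carry a privileged group instead shows odd RIDs of the form 2*gid + 1001, the mapping lookup did not happen, so compare the token against `net groupmap list` and look at which uid the ldapsam search was running as (the pop_sec_ctx lines just before it) rather than at the group map itself.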