[Samba] Samba 3.0.1pre3/ldap - Strange gid mappings server side
Mathieu Nantel
nantel at ecopiabio.com
Fri Dec 5 13:53:46 GMT 2003
Good day,
I'm running some tests with Samba 3.0.1pre3 with an LDAP sam. LDAP has been,
to the best of my abilities, properly populated with the needed group
mappings. The "net groupmap list" command indeed shows the following:
[root at box bin]# ./net groupmap list
Domain Admins (S-1-5-21-2009448231-1530593524-1969381020-512) -> domadm
Domain Users (S-1-5-21-2009448231-1530593524-1969381020-513) -> domusr
Domain Guests (S-1-5-21-2009448231-1530593524-1969381020-514) -> domgst
Administrators (S-1-5-21-2009448231-1530593524-1969381020-544) -> admins
users (S-1-5-21-2009448231-1530593524-1969381020-545) -> users
Guests (S-1-5-21-2009448231-1530593524-1969381020-546) -> guests
Power Users (S-1-5-21-2009448231-1530593524-1969381020-547) -> pwrusr
Account Operators (S-1-5-21-2009448231-1530593524-1969381020-548) -> acntop
Server Operators (S-1-5-21-2009448231-1530593524-1969381020-549) -> srvop
Print Operators (S-1-5-21-2009448231-1530593524-1969381020-550) -> prtop
Backup Operators (S-1-5-21-2009448231-1530593524-1969381020-551) -> bkpop
Replicator (S-1-5-21-2009448231-1530593524-1969381020-552) -> replic
Domain Computers (S-1-5-21-2009448231-1530593524-1969381020-553) -> domwks
Data (S-1-5-21-2009448231-1530593524-1969381020-9000) -> data
Chem (S-1-5-21-2009448231-1530593524-1969381020-9001) -> chem
- Unix local groups are created (i.e. domadm, domusr, etc.):
chem::7000:
data::2000:
ntadmin::2800:
admins::544:
users::545:
guests::546:
pwrusr::547:
acntop::548:
srvop::549:
prtop::550:
bkpop::551:
replic::552:
domwks::553:
domadm::512:
domusr::513:
domgst::514:
- And LDAP shows the proper info (as far as my knowledge goes). Here's a
sample entry, as I know this message is already long enough:
dn: cn=Domain Admins,ou=Groups,dc=ecopiabio,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2009448231-1530593524-1969381020-512
sambaGroupType: 2
displayName: Domain Admins
memberUid: root
Now for the weird behavior: granting access to "Domain Admins" through Windows
XP's "security" tab (I have acl support compiled in) to a file yields the
following facl on the unix side:
user::rwx
group::rw- #effective:rw-
group:2147483404:r-x #effective:r-x
mask:rwx
other:r--
GID for "Domain Admins" is fishy. Things look OK on the Windows side of things
though (in the security tab, Domain Admins is right there with proper
permissions).
Samba logs show the following few error messages:
asdasd (192.168.1.52) connect to service data initially as user mat
(uid=2006, gid=2000) (pid 718)
[2003/12/05 08:27:09, 0] rpc_server/srv_util.c:get_domain_user_groups(371)
get_domain_user_groups: primary gid of user [mat] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2003/12/05 08:27:09, 0] rpc_server/srv_util.c:get_alias_user_groups(219)
get_alias_user_groups: gid of user mat doesn't exist. Check your /etc/passwd
and /etc/group files
[2003/12/05 08:27:36, 0] lib/smbldap.c:smbldap_open(800)
smbldap_open: cannot access LDAP when not root..
[2003/12/05 08:27:36, 1] lib/smbldap.c:smbldap_retry_open(889)
Connection to LDAP Server failed for the 1 try!
[2003/12/05 08:27:36, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1639)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(Insufficient access)
[2003/12/05 08:27:36, 0] lib/smbldap.c:smbldap_open(800)
smbldap_open: cannot access LDAP when not root..
[2003/12/05 08:27:36, 1] lib/smbldap.c:smbldap_retry_open(889)
Connection to LDAP Server failed for the 1 try!
[2003/12/05 08:27:36, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1639)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(Insufficient access)
Now before this is questioned, gid 2000 (group data) does indeed exist both
in LDAP and in /etc/group, and is the user's primary GID in ldap and
/etc/passwd. This one is also leaving me without a clue.
Does anyone have an idea of the source of these problems?
Thanks in advance,
--
===================================================================
Mathieu Nantel - RHCE,CCNA Ecopia BioSciences
Systems Manager (514) 336-2724 x434
nantel at ecopiabio.com
===================================================================
[*] Please avoid sending me Word/Excel/PowerPoint attachments.
`----> See: http://www.fsf.org/philosophy/no-word-attachments.html
===================================================================
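As an added example (not from the post above or from the Samba project), a small Python consistency check over the three views quoted in the post: the "net groupmap list" output, the /etc/group entries and the getfacl output. It reports any mapping whose Unix group does not exist and any numeric gid in the ACL that no Unix group owns; the sample inputs are constructed from the post's own lines.

```python
import re

# Constructed sample input, trimmed from the post above (net groupmap list,
# /etc/group and getfacl output as quoted there).
GROUPMAP = """Domain Admins (S-1-5-21-2009448231-1530593524-1969381020-512) -> domadm
Domain Users (S-1-5-21-2009448231-1530593524-1969381020-513) -> domusr
Data (S-1-5-21-2009448231-1530593524-1969381020-9000) -> data
"""
ETC_GROUP = "data::2000:\nntadmin::2800:\ndomadm::512:\ndomusr::513:\n"
GETFACL = "user::rwx\ngroup::rw- #effective:rw-\ngroup:2147483404:r-x #effective:r-x\nmask:rwx\nother:r--\n"

MAP_RE = re.compile(r"^(.+?) \((S-1-5-21-[\d-]+)\) -> (\S+)$")

def parse_groupmap(text):
    """Return {unix_group: (nt_name, sid)} from 'net groupmap list' lines."""
    out = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            nt_name, sid, unix = m.groups()
            out[unix] = (nt_name, sid)
    return out

def parse_etc_group(text):
    """Return {name: gid} from /etc/group style lines (name:pw:gid:members)."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            out[f[0]] = int(f[2])
    return out

def acl_gids(text):
    """Return numeric gids from getfacl 'group:<gid>:perms' lines; the unnamed
    owning-group line is skipped and a trailing '#effective:' note is dropped."""
    gids = []
    for line in text.splitlines():
        p = line.split("#")[0].strip().split(":")
        if len(p) == 3 and p[0] == "group" and p[1].isdigit():
            gids.append(int(p[1]))
    return gids

def check(groupmap_text, etc_group_text, facl_text):
    """List mappings whose Unix group is missing and ACL gids that no Unix
    group owns; an empty list means the three views agree."""
    mapping = parse_groupmap(groupmap_text)
    groups = parse_etc_group(etc_group_text)
    known_gids = set(groups.values())
    findings = []
    for unix, (nt_name, sid) in mapping.items():
        if unix not in groups:
            findings.append(f"{nt_name} ({sid}) -> {unix}: no such Unix group")
    for gid in acl_gids(facl_text):
        if gid not in known_gids:
            findings.append(f"ACL gid {gid}: not in /etc/group")
    return findings
```

On the post's data the only finding is the ACL gid 2147483404, which matches no group in /etc/group.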