[Samba] Re: samba3/ldap/net groupmap fails

Jérôme Fenal jerome.fenal at logicacmg.com
Fri Dec 12 17:15:08 GMT 2003

Beast wrote:

> Friday, December 12, 2003, 6:17:30 AM, John wrote:
>>>I don't understand why it is like this...
>>Are you suggesting this may be a problem with samba3? Because I've been
>>trying to resolve this issue for several days now, thinking there must
>>be a problem with our ldap setup. Somehow, it seems strange that this
>>could be a problem with samba. We thought that perhaps samba didn't like
>>something in our ldap. Surely others are able to get the ntgroups to
>>show correctly with ldapsam as the first backend... otherwise, no one
>>would have a working samba3/ldap setup.

I'm using LDAP only (S3 schema), and domain groups won't work as 
expected. Can someone confirm that it works in a pure tdbsam setup? 
(asking twice never hurts ;-)

>>Putting tdbsam as the first backend allows for ntgroups, but since we
>>don't use it, none of our profiles load if we do this. Users get stuck
>>with temp profiles.
>>This is driving me bonkers :-)
> Hi,
> 1. You must create the group mapping manually.
> 2. The unix group you're assigning to "Domain Admins" MUST be in ldap (not
> in /etc/group).
> i.e.
> root# net groupmap modify rid=512 -d1 ntgroup="Domain Admins" unixgroup=domadmin
> The domadmin group must be stored in ldap, not /etc/group.

This is also what I've done here, e.g. creating a Posix group only in 
LDAP, then creating the aliasing with the « net groupmap » command.
I end up with the following LDAP entry:

dn: cn=domadmin, ou=Group, dc=domain,dc=com
gidNumber: 512
memberUid: jerome,admin-jfenal
objectClass: posixGroup,sambaGroupMapping
cn: domadmin
sambaSID: S-1-5-21-1150874807-1180408084-429402335-512
sambaGroupType: 2
displayName: Domain Admins
description: Local Unix group

But samba does not look at the RID=512 when needing to give admin rights:

[2003/12/12 17:58:53, 10] lib/util_seaccess.c:se_access_check(234)
   se_access_check: requested access 0x000601bf, for NT token with 9 entries and first sid S-1-5-21-1150874807-1180408084-429402335-3000.
[2003/12/12 17:58:53, 3] lib/util_seaccess.c:se_access_check(251)
[2003/12/12 17:58:53, 3] lib/util_seaccess.c:se_access_check(252)
   se_access_check: user sid is 
   se_access_check: also S-1-5-21-1150874807-1180408084-429402335-512
   se_access_check: also S-1-1-0
   se_access_check: also S-1-5-2
   se_access_check: also S-1-5-11
   se_access_check: also S-1-5-21-1150874807-1180408084-429402335-513
   se_access_check: also S-1-5-21-1150874807-1180408084-429402335-550
   se_access_check: also S-1-5-21-1150874807-1180408084-429402335-1207
   se_access_check: also S-1-5-21-1150874807-1180408084-429402335-1205
   se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 2035b, current desired = 601bf
   se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 400a4
   se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 400a4
   se_access_check: ACE 3: type 0, flags = 0x00, SID = S-1-5-21-1150874807-1180408084-429402335-3000 mask = 20044, current desired = 400a4
[2003/12/12 17:58:53, 5] lib/util_seaccess.c:se_access_check(315)
   se_access_check: access (601bf) denied.
[2003/12/12 17:58:53, 2] 
   _samr_open_user: ACCESS DENIED  (requested: 0x000601bf)

This log excerpt is generated by clicking on an entry in USRMGR.EXE. I 
can still use USRMGR with an account mapped to root (although with some 
glitches: I have to navigate through error popups, and insist on things 
getting done despite error messages, but the job is mostly done).

While I'm at it: in USRMGR, when you change the primary group of a user, 
only the sambaPrimaryGroupSID is changed, not the gidNumber as one would 
expect. Not to say that I'm trying to do Unix admin with an NT tool, but, 
hey, one can try... ;-)
Or maybe I should try the latest IdealX scripts (I'm using 0.8.1) before 
saying anything...

> I found a lot of typos or incorrect info in the smb howto collection; I've
> ordered the printable version on amazon, hopefully it has different
> content than the online version.

Yeah, I guess I had to guess many entries. But hopefully it is *as it 
should be*.

Nevertheless, can anybody confirm to me that the LDIF in this mail *really* 
defines the domain admin group? That the « domain admin » group is 
defined by rid=512?



Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
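As an added illustration, not part of this mail or of Samba's own code, here is a small Python replay of the DACL walk that the se_access_check excerpt above records: it parses the requested mask, the token SIDs and the ACEs out of the excerpt, clears bits exactly as the log's "current desired" column shows, and reports which bits stay unsatisfied (0x400a0). The two full-access ACEs name S-1-5-32-544 and S-1-5-32-548, neither of which is in this token even though the -512 SID is; the deny-ACE branch is an assumption modelled on the standard NT algorithm and is not exercised by this log.

```python
import re

# Constructed sample: the se_access_check lines from the log excerpt above, unwrapped.
LOG = """\
se_access_check: requested access 0x000601bf, for NT token with 9 entries and first sid S-1-5-21-1150874807-1180408084-429402335-3000.
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-512
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-513
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-550
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-1207
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-1205
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 2035b, current desired = 601bf
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 400a4
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 400a4
se_access_check: ACE 3: type 0, flags = 0x00, SID = S-1-5-21-1150874807-1180408084-429402335-3000 mask = 20044, current desired = 400a4
"""

SID = r"S-1-[\d-]+"
ACCESS_ALLOWED, ACCESS_DENIED = 0, 1  # NT ACE types; deny handling is assumed, none appear in this log

def parse_log(text):
    """Pull the requested mask, the token's SIDs and the DACL's ACEs out of the excerpt."""
    requested = int(re.search(r"requested access 0x([0-9a-f]+)", text).group(1), 16)
    token = re.findall(r"(?:first sid|also) (%s)" % SID, text)
    ace_re = r"ACE \d+: type (\d+), flags = 0x[0-9a-f]+, SID = (%s) mask = ([0-9a-f]+)" % SID
    aces = [(int(t), sid, int(m, 16)) for t, sid, m in re.findall(ace_re, text)]
    return requested, token, aces

def access_check(token, aces, desired):
    """Replay the NT DACL walk; returns (granted, unsatisfied_bits, matched_sids)."""
    left, matched = desired, []
    for ace_type, sid, mask in aces:
        if sid not in token:
            continue  # ACE does not apply, e.g. S-1-5-32-544 (BUILTIN\Administrators) is absent here
        matched.append(sid)
        if ace_type == ACCESS_DENIED and left & mask:  # assumed: a matching deny ACE vetoes
            return False, left, matched
        if ace_type == ACCESS_ALLOWED:
            left &= ~mask  # the log's "current desired" column after this ACE
        if left == 0:
            break  # everything requested has been granted
    return left == 0, left, matched

def check_excerpt(text, extra_sids=()):
    """extra_sids lets you ask what the same DACL would do if the token also held them."""
    requested, token, aces = parse_log(text)
    return access_check(token + list(extra_sids), aces, requested)
```

check_excerpt(LOG) returns (False, 0x400a0, [...]) for the excerpt as logged, while check_excerpt(LOG, ["S-1-5-32-544"]) flips it to granted, which is the difference between a token that merely carries the -512 group SID and one that also holds the alias the ACL actually names.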
