[Samba] Re: samba3/ldap/net groupmap fails
jerome.fenal at logicacmg.com
Fri Dec 12 17:15:08 GMT 2003
> Friday, December 12, 2003, 6:17:30 AM, John wrote:
>>>I don't understand why it is like this...
>>are you suggesting this may be a problem with samba3? because i've been
>>trying to resolve this issue for several days now, thinking there must
>>be a problem with our ldap setup. somehow, it seems strange that this
>>could be a problem with samba. we thought that perhaps samba didn't like
>>something in our ldap. surely others are able to get the ntgroups to
>>show correctly with ldapsam as the first backend....otherwise, no one
>>would have a working samba3/ldap setup.
I'm using LDAP only (S3 schema), and domain groups won't work as
expected. Can someone confirm that it works in a pure tdbsam setup?
(asking twice never hurts ;-)
>>putting tdpsam as the first backend allows for ntgroups, but since we
>>don't use it, none of our profiles load if we do this. users get stuck
>>with temp profiles.
>>this is driving me bonkers:-)
> 1. you must create group mapping manually.
> 2. unix group you've assigning to "Domain Admins" MUST be in ldap (not
> in /etc/group).
> root# net groupmap modify rid=512 -d1 ntgroup="Domain Admins"
> the domadmin group must be stored in ldap, not /etc/group.
This is also what I've done here, eg. creating a Posix account only in
LDAP, then creating with « net groupmap » command the aliasing.
I end up with the following LDAP entry :
dn: cn=domadmin, ou=Group, dc=domain,dc=com
displayName: Domain Admins
description: Local Unix group
But samba does not look at the RID=512 when needing to give admin rights:
[2003/12/12 17:58:53, 10] lib/util_seaccess.c:se_access_check(234)
se_access_check: requested access 0x000601bf, for NT token with 9
entries and first sid S-1-5-21-1150874807-1180408084-429402335-3000.
[2003/12/12 17:58:53, 3] lib/util_seaccess.c:se_access_check(251)
[2003/12/12 17:58:53, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-512
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-513
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-550
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-1207
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-1205
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask =
2035b, current desired = 601bf
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask
= f07ff, current desired = 400a4
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask
= f07ff, current desired = 400a4
se_access_check: ACE 3: type 0, flags = 0x00, SID =
S-1-5-21-1150874807-1180408084-429402335-3000 mask = 20044, current
desired = 400a4
[2003/12/12 17:58:53, 5] lib/util_seaccess.c:se_access_check(315)
se_access_check: access (601bf) denied.
[2003/12/12 17:58:53, 2]
_samr_open_user: ACCESS DENIED (requested: 0x000601bf)
This log excerpt is generated by clicking on an entry in USRMGR.EXE. I
still can use USRMGR with an account mapped to root (although with some
glitches : I have to navigate through error popups, and insist on things
getting done despite errors messages, but the job is mostly done).
When I'm at it, in USRMGR, when you change the primary group of a user,
only the sambaPrimaryGroupSID is change, not the gidNumber as one would
expect. Not to say that I'm trying to do Unix admin with NT tool, but,
hey, one can try... ;-)
Or maybe I should try lastest IdealX script (I'm using 0.8.1) before
> i found lot of typo or incorrect info in smb howto collection, i've
> ordering the printable version on amazon, hopefully it has different
> content than the online version.
Yeah, I guess I had to guess many entries. But hopefully it is *as it
Nevertheless, can anybody confirm me that the LDIF in this mail *really*
defines the domain admin group ? That the « domain admin » group is
defined by rid=512 ?
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
More information about the samba