[Samba] Secondary Groups and Group Mapping

Klinger, John (N-CSC) john.klinger at lmco.com
Mon Dec 15 23:59:25 GMT 2003


We are having what appear to be two main issues in our attempt to set up Samba 3.0.0 compiled from src on Solaris 8. We are using Samba to provide Unix shares on W2K clients, and to authenticate against a W2K Active Directory server. OpenLDAP is used on the Samba side for the UID/GID to SID mappings.

The first issue deals with the file sharing. Even if a file gives full permission to one of a user's secondary groups, that user cannot access the file. The user can only access the file (or directory) if the file's group is the user's primary group. I've found several references on the web and in https://bugzilla.samba.org, which seem to indicate that the bug is fixed. However, we also tried this with 3.0.1rc2 and have the same problem, which makes us think it is a configuration error or something we haven't found related to nsswitch.

The second issue deals with groupmap. Again, searches haven't turned up anything fruitful. When we execute commands similar to the following:

  groupadd elves
  net groupmap add ntuser=LOTR+fairfolk username=elves

We always get the following error:

No rid or sid specified, choosing algorithmic mapping
adding entry for group LOTR+fairfolk failed!

Output from the above groupmap command with debug level of 3 gives:

----

param/loadparm.c:lp_load(3917)
  lp_load: refreshing parameters
param/loadparm.c:init_globals(1303)
  Initialising global parameters
param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/h/SMBSVR/cfg/smb.conf"
param/loadparm.c:do_section(3420)
  Processing section "[global]"
lib/interface.c:add_interface(79)
  added interface ip=172.31.4.133 bcast=172.31.4.143 nmask=255.255.255.240
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=4294967295))]
lib/smbldap.c:smbldap_open_connection(623)
  smbldap_open_connection: connection opened
lib/smbldap.c:smbldap_connect_system(785)
  ldap_connect_system: succesful connection to the LDAP server
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=4294967295))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=4294967295))]
<< the above 4 lines repeat 10 more times >>
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=4294967295))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=201))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=201))]
utils/net.c:main(758)
  return code = -1
No rid or sid specified, choosing algorithmic mapping
adding entry for group LOTR+fairfolk failed!

----

Other tidbits:

----

Using the previous example,
"getent group LOTR+fairfolk" returns a group id of 11959.
"getent group elves" returns a group id of 201.
"/usr/bin/id -a LOTR+sampleuser" gives correct user and full group list.
"getent passwd LOTR+sampleuser" and "getent group | grep sampleuser" give user info and all groups.
/etc/group contains the elves group with a group id of 201.
"net groupmap list" returns nothing (debug > 2 shows "ldapsam_setsampwent: 0 entries in the base!").

----

Samba compilation performed using the flags: 

--with-ads
--with-ldap
--with-included-popt
--with-winbind
--with-winbind-auth-challenge
--with-pam
--with-ldapsam
--with-acl-support

----

smb.conf Contains:

ldap admin dn = "cn=smbldapuser,ou=user,dc=lan,dc=subd,dc=dom,dc=com"
ldap server = globalsvr.lan.subd.dom.com
ldap port = 8001
ldap suffix = "ou=idmap,dc=lan,dc=subd,dc=dom,dc=com"
ldap ssl = no
ldap filter = "(&(uid=%u) (objectclass=sambaAccount))"
winbind separator = +
idmap backend = ldap:ldap://globalsvr.lan.subd.dom.com:8001
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /USERS/global/%U
template shell = /bin/ksh
workgroup = LOTR
server string = smbdev
security = ads
encrypt passwords = yes
password server = activedsvr.lan.subd.dom.com
client use spnego = yes
log file = /SMBSVR/var/log.%m
max log size = 5000
realm = LOTR.REF.DOMAIN.COM
socket options = TCP_NODELAY
socket options = TCP_NODELAY
local master = no
dns proxy = yes
inherit permissions = no
create mask = 0774
force create mode = 0000
security mask = 0774
force security mode = 0000
directory mask = 0775
force directory mode = 0000
directory security mask = 0775
force directory security mode = 0000
[homes]
   comment = Home Directories
   path = /users/%S
   browseable = no
   writable = yes
   only user = yes
[global_data]
   comment = Global Data share
   browseable = yes
   path = /globaldata
   read only = no
   public = yes

----

ldap.conf contains

host activedsvr.lan.subd.dom.com
base dc=lan,dc=subd,dc=dom,dc=com
scope sub
nss base passwd dc=lan,dc=subd,dc=dom,dc=com?sub
nss base shadow dc=lan,dc=subd,dc=dom,dc=com?sub
nss group       dc=lan,dc=subd,dc=dom,dc=com?sub

Pre-Thanks for whatever help or suggestions you can give,

john
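The debug-3 trace quoted in the post, read by a small parser added here as an example (not from the original post or from the Samba project): it counts the ldapsam_search_one_group lookups per gidNumber and flags the ones asking for 4294967295, which is 2^32-1, i.e. (gid_t)-1, the conventional "no valid gid" value. The sample trace is constructed from the quoted lines with the repeated four-line block collapsed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the debug-level-3 "net groupmap add" trace
# quoted in the post (same filters; the repeated 4-line block is collapsed).
SAMPLE_TRACE = """\
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=4294967295))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=4294967295))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=201))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=201))]
utils/net.c:main(758)
  return code = -1
"""

# 4294967295 == 2**32 - 1 == (gid_t)-1 on an unsigned 32-bit gid_t, the conventional
# "no valid gid" value: a lookup for it means the Unix gid was never resolved.
INVALID_GID = 2**32 - 1
SEARCH_RE = re.compile(r"searching for:\[\(&\(objectClass=(\w+)\)\(gidNumber=(\d+)\)\)\]")
RC_RE = re.compile(r"return code = (-?\d+)")


def parse_group_searches(trace):
    """Return the LDAP group lookups as (objectClass, gid) tuples, in trace order."""
    return [(m.group(1), int(m.group(2))) for m in SEARCH_RE.finditer(trace)]


def summarize(trace):
    """Count lookups per gid, flag searches for (gid_t)-1 and extract net's exit code."""
    searches = parse_group_searches(trace)
    per_gid = Counter(gid for _, gid in searches)
    rc = RC_RE.search(trace)
    summary = {
        "total_searches": len(searches),
        "invalid_gid_searches": per_gid.get(INVALID_GID, 0),
        "gids_searched": sorted(per_gid),
        "object_classes": sorted({oc for oc, _ in searches}),
        "return_code": int(rc.group(1)) if rc else None,
        "findings": [],
    }
    if summary["invalid_gid_searches"]:
        summary["findings"].append(
            f"{summary['invalid_gid_searches']} of {len(searches)} lookups asked LDAP for "
            f"gidNumber={INVALID_GID} ((gid_t)-1), which cannot match any real group entry")
    if summary["return_code"] not in (None, 0):
        summary["findings"].append(f"net exited with return code {summary['return_code']}")
    return summary
```

Feed it the full trace (with all the repeats) and the invalid-gid count shows how many of the lookups ran before a usable gid (201 here) was ever searched for.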
