[Samba] ntconfig.pol policies for groups
Alexander Bergolth
leo at strike.wu-wien.ac.at
Tue Jul 15 13:08:01 GMT 2003
Hi!
I have a problem using ntconfig.pol-policies for domain groups other
than "Domain Users" and "Domain Admins".
I am using Samba 2.2.7 with LDAP support as a PDC.
Policies work as expected for "Domain Users" and "Domain Admins" but
setting policies for any other group doesn't work.
The "Browse"-list for AddGroups in poledit only shows the two groups
"Domain Users" and "Domain Admins"; other groups that I've set up are
not found in poledit. (Sniffing the wire using Ethereal shows that the
Samba-Server only returns information about those two groups, see below...)
When I enter the name of a group like "RK_KLBG\Everyone" or "RK_KLBG\rk"
manually in the Browse-window, poledit tells me that this is a local
group and refuses to add this group. Entering the group as
"RK_KLBG\Everyone", "Everyone", "RK_KLBG\rk" or "rk" in the text-field
outside the Browse-window works, but when logging in a user that is a
member of those groups, the settings are ignored.
However, those groups work as expected in Unix and for file permissions
on the Samba-server. I've verified this behaviour on Windows 2000 and NT4.
Any help is greatly appreciated, as I've already been struggling with this
problem for several months and I'm rather desperate now... :(
Some data that might help is attached below; please tell me if you need
additional information.
Thanks in advance,
--leo
----------------------------------------
Some settings from smb.conf:
workgroup = RK_KLBG
netbios name = SAMBA
----------------------------------------
showgrps from the Windows 2000 Server CD produces:
V:\Admin\group-tools>showgrps
User: [RK_KLBG\smbadmin], is a member of:
SAMBA\Domain Admins
SAMBA\Domain Users
SAMBA\Everyone
Is it supposed to show the netbios name of the server (SAMBA\...) or the
domain name (RK_KLBG\...)?
----------------------------------------
In contrast to that, groups on the Linux box shows:
smbadmin$ groups
rk urxn Domain Admins
----------------------------------------
When clicking the Browse button in poledit, Ethereal records the following:
Frame 66 (422 bytes on wire, 422 bytes captured)
Ethernet II, Src: 00:04:76:cd:e3:e7, Dst: 00:04:75:d5:47:83
Internet Protocol, Src Addr: 192.168.60.151 (192.168.60.151), Dst Addr: 192.168.60.226 (192.168.60.226)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 2245 (2245), Seq: 2791153803, Ack: 4183446132, Len: 368
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Pipe Protocol
DCE RPC
Microsoft Security Account Manager
Operation: QueryDispinfo2 (48)
Total Size
Total Size: 64
Returned Size
Returned Size: 64
DISPLAY_INFO:
DISP_INFO:
Level: 3
Group_DispInfo Array
Count: 2
GROUP_DISPINFO_ARRAY
Referent ID: 0x00000001
Max Count: 2
Group_DispInfo
Index: 1
Rid: 512
Acct Ctrl: 0x00000007
Account Name: Domain Admins
Length: 26
Size: 26
Character Array: Domain Admins
Referent ID: 0x00000001
Max Count: 13
Offset: 0
Actual Count: 13
Account Name: Domain Admins
Account Desc: Administrators for the domain
Length: 58
Size: 58
Character Array: Administrators for the domain
Referent ID: 0x00000001
Max Count: 29
Offset: 0
Actual Count: 29
Account Desc: Administrators for the domain
Group_DispInfo
Index: 2
Rid: 513
Acct Ctrl: 0x00000007
Account Name: Domain Users
Length: 24
Size: 24
Character Array: Domain Users
Referent ID: 0x00000001
Max Count: 12
Offset: 0
Actual Count: 12
Account Name: Domain Users
Account Desc: Users in the domain
Length: 38
Size: 38
Character Array: Users in the domain
Referent ID: 0x00000001
Max Count: 19
Offset: 0
Actual Count: 19
Account Desc: Users in the domain
Return code: STATUS_SUCCESS (0x00000000)
----------------------------------------
The LDAP entries for the groups are:
# ldapsearch -x -h localhost -b 'ou=Groups,dc=rk-klbg,dc=at' 'cn=Domain Admins'
version: 2
#
# filter: cn=Domain Admins
# requesting: ALL
#
# Domain Admins, Groups, rk-klbg, at
dn: cn=Domain Admins,ou=Groups,dc=rk-klbg,dc=at
objectClass: posixGroup
gidNumber: 800
cn: Domain Admins
description: Windows Domain Admins
memberUid: administrator
memberUid: smbadmin
memberUid: wininst
# ldapsearch -x -h localhost -b 'ou=Groups,dc=rk-klbg,dc=at' 'cn=Domain Users'
version: 2
#
# filter: cn=Domain Users
# requesting: ALL
#
# Domain Users, Groups, rk-klbg, at
dn: cn=Domain Users,ou=Groups,dc=rk-klbg,dc=at
objectClass: posixGroup
gidNumber: 801
cn: Domain Users
description: Windows Domain Users
memberUid: testsmb
# ldapsearch -x -h localhost -b 'ou=Groups,dc=rk-klbg,dc=at' 'cn=rk'
version: 2
#
# filter: cn=rk
# requesting: ALL
#
# rk, Groups, rk-klbg, at
dn: cn=rk,ou=Groups,dc=rk-klbg,dc=at
objectClass: posixGroup
cn: rk
gidNumber: 1000
memberUid: wininst
memberUid: testlongname1
memberUid: testlongname
memberUid: root
memberUid: smbadmin
memberUid: testsmb
--
-----------------------------------------------------------------------
Alexander (Leo) Bergolth leo at leo.wu-wien.ac.at
WU-Wien - Zentrum fuer Informatikdienste http://leo.wu-wien.ac.at
Computers are like air conditioners -
they stop working properly when you open Windows