[Samba] Re: Group mapping, among other problems

Jérôme Fenal jfenalml at free.fr
Mon Oct 6 19:56:05 GMT 2003


Granzow, Matt (MED, Adecco) wrote:

> Hopefully I can write this out so someone understands it.  
> 
> We are currently running a number of Solaris servers, to which windows
> computers need to connect.  Currently they connect via NFS using
> hummingbird's NFS client.  This requires them to have a separate unix
> account along with their windows account.
> 
> Our idea is to implement samba 3.0.0 to eliminate that NFS client.  
> 
> My current problems are:
> 
> #1, when I mount my share (in either windows or unix using smbclient), I
> am not getting the proper permissions.  We have a group (let's call it
> happy) in both unix, and in our windows domain.  with winbind, the
> domain\happy group obviously isn't getting the same GID as the unix
> happy group.  the share we are working on is 0775, so I can't write to
> it when I connect using my domain acct.  in net groupmap a mapping for
> the group domain\happy = happy, and in my username.map file, I have * =
> domain\*.   What else do I need to set up to get this working?  using
> getent group I only get one group in my domain, but when I run wbinfo -g
> I get the full list.  getent passwd gets me all the users in the domain,
> so I don't understand what is so broken about groups.  
> 
> #2, when I have something mounted, and I run smbstatus (or click status
> from swat), it will just hang where it is finding who is connected.  
> 
> Here is a copy of my smb.conf file.  hopefully it will help someone
> figure this out.  yes winbind is running, and it has a computer account
> in the domain.  wbinfo works.  ntlm_auth works.  So I know I'm close,
> but I just can't figure out this last part.  and yes, I do need that
> many uid's if I have to use winbind enum users = yes
> 
> [global]
>         workgroup = ourdomain
>         netbios name = BOXEN
>         server string = Samba %v on %L
>         security = DOMAIN
>         password server = pdc
>         username map = /usr/local/samba/lib/username.map
>         username level = 2
>         log file = /var/log/samba/samba.%m
>         max open files = 20000
>         load printers = No
>         preferred master = No
>         local master = No
>         domain master = No
>         kernel oplocks = No
>         ldap ssl = no
>         idmap uid = 10000-45000
>         idmap gid = 10000-20000
>         winbind enum users = yes
>         winbind enum groups = yes
>         create mask = 0775
>         directory mask = 0775
>         mangled names = No
>         oplocks = No
>         level2 oplocks = No
> 
> [smbview]
>         comment = viewstorage
>         path = /smbview
>         read only = No
>         writable = yes
> 
> /smbview is 0775 and so are all the files in it.  All I need to do is
> get users that authenticate via samba to get the proper group assigned
> when they connect.
> 
> Thanks for any help!
> Mathew Granzow

I think that I have the same problem.
My setup :
- PDC on RH9 (Samba3 RPM + small Jeremy %S patch + removal of -g in Make 
to avoid crunching the disks), SAM on ldapsam. Works nicely (I gave up 
FreeBSD 5.1).
- Member server on Solaris 9, Samba 3 + %S patch, using Winbind.

Winbind works quite nicely for users, ksh recognises ~user, I get the 
right conversions for SID to uid, uid to SID, and so on...

But not for groups.
In fact, I think that the group mapping code for winbind is a little bit 
too fast. Let me explain:

Here are my group definitions in LDIF format:

dn: cn=Domain Admins,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2025
gidNumber: 512
displayName: Domain Admins
memberUid: Administrator
memberUid: root
memberUid: jerome
memberUid: david
sambaGroupType: 2
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Local Unix group
cn: Domain Admins

dn: cn=domusers,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2027
gidNumber: 513
displayName: Domain Users
sambaGroupType: 2
memberUid: jerome
memberUid: david
memberUid: henri
memberUid: mytest
memberUid: mytest2
description: Utilisateurs du domaine
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domusers

dn: cn=Domain Guests,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2029
gidNumber: 514
displayName: Domain Guests
sambaGroupType: 2
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Local Unix group
cn: Domain Guests

Notice the gidNumbers, and the SID numbers, which are "in line with the 
party line":
sid-suffix = 1000 + gid*2 + 1

Now, let's have a look at the conversion when trying to resolve groups on the 
Solaris member server (with net rpc group list):

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3209628119-1617240125-1967951502-512) -> -1
Domain Guests (S-1-5-21-3209628119-1617240125-1967951502-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3209628119-1617240125-1967951502-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Seems to me that the SIDs are a little bit mangled with gidNumbers...

This is all the information I have at hand for now; if you need more 
information, you'll have to wait until Thursday.

Regards,

Jérôme
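As an added example (not code from either poster), a small Python checker for the mapping rule quoted above: it parses group LDIF entries (a constructed copy of the three entries in the post, trimmed to dn, sambaSID, gidNumber and cn), recomputes the expected RID from gidNumber as 1000 + gid*2 + 1, and checks that every sambaSID carries the expected domain-SID prefix. Passing the prefix that appears in the net rpc group list output above flags all three entries, because that prefix differs from the one in the LDIF.

```python
import re

# Constructed sample: the three group entries from the post, trimmed to the
# attributes this check needs (dn, sambaSID, gidNumber, cn).
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2025
gidNumber: 512
cn: Domain Admins

dn: cn=domusers,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2027
gidNumber: 513
cn: domusers

dn: cn=Domain Guests,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2029
gidNumber: 514
cn: Domain Guests
"""

def algorithmic_group_rid(gid):
    """RID the post says is derived for a group: 1000 + gid*2 + 1."""
    return 1000 + gid * 2 + 1

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID prefix, RID as int)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def parse_ldif_groups(text):
    """Yield one dict per blank-line-separated LDIF entry (first value per attr)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), value.strip())
        yield entry

def check_group_mappings(text, expected_domain_sid):
    """Return {cn: (gid, rid, expected_rid, rid_ok, domain_ok)} per group entry."""
    report = {}
    for e in parse_ldif_groups(text):
        gid = int(e["gidNumber"])
        domain, rid = split_sid(e["sambaSID"])
        expected = algorithmic_group_rid(gid)
        report[e["cn"]] = (gid, rid, expected, rid == expected,
                           domain == expected_domain_sid)
    return report
```

Calling check_group_mappings(SAMPLE_LDIF, "S-1-5-21-3210478623-1080310788-3073812203") reports every RID as matching the formula; the same call with the prefix from the net rpc group list output returns domain_ok False for all three groups.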
