[Samba] Re: Group mapping, among other problems
jfenalml at free.fr
Mon Oct 6 19:56:05 GMT 2003
Granzow, Matt (MED, Adecco) wrote:
> Hopefully I can write this out so someone understands it.
> We are currently running a number of Solaris servers, to which windows
> computers need to connect. Currently they connect via NFS using
> hummingbird's NFS client. This requires them to have a separate unix
> account along with their windows account.
> Our idea is to implement samba 3.0.0 to eliminate that NFS client.
> My current problems are:
> #1, when I mount my share (in either Windows or Unix using smbclient), I
> am not getting the proper permissions. We have a group (let's call it
> happy) in both Unix and in our Windows domain. With winbind, the
> domain\happy group obviously isn't getting the same GID as the Unix
> happy group. The share we are working on is 0775, so I can't write to
> it when I connect using my domain acct. In net groupmap there is a mapping for
> the group domain\happy = happy, and in my username.map file, I have * =
> domain\*. What else do I need to set up to get this working? Using
> getent group I only get one group in my domain, but when I run wbinfo -g
> I get the full list. getent passwd gets me all the users in the domain,
> so I don't understand what is so broken about groups.
> #2, when I have something mounted and I run smbstatus (or click Status
> from SWAT), it will just hang where it is finding who is connected.
> Here is a copy of my smb.conf file. Hopefully it will help someone
> figure this out. Yes, winbind is running, and it has a computer account
> in the domain. wbinfo works. ntlm_auth works. So I know I'm close,
> but I just can't figure out this last part. And yes, I do need that
> many uids if I have to use winbind enum users = yes.
> workgroup = ourdomain
> netbios name = BOXEN
> server string = Samba %v on %L
> security = DOMAIN
> password server = pdc
> username map = /usr/local/samba/lib/username.map
> username level = 2
> log file = /var/log/samba/samba.%m
> max open files = 20000
> load printers = No
> preferred master = No
> local master = No
> domain master = No
> kernel oplocks = No
> ldap ssl = no
> idmap uid = 10000-45000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> create mask = 0775
> directory mask = 0775
> mangled names = No
> oplocks = No
> level2 oplocks = No
> comment = viewstorage
> path = /smbview
> read only = No
> writable = yes
> /smbview is 0775 and so are all the files in it. All I need to do is
> get users that authenticate via samba to get the proper group assigned
> when they connect.
> Thanks for any help!
> Mathew Granzow
I think that I have the same problem.
My setup:
- PDC on RH9 (Samba3 RPM + small Jeremy %S patch + removal of -g in Make
to avoid crunching the disks), SAM on ldapsam. Works nicely (I gave up
- Member server on Solaris 9, Samba 3 + %S patch, using Winbind.
Winbind works quite nicely for users, ksh recognises ~user, I get the
right conversions for SID to uid, uid to SID, and so on...
But not for groups.
In fact, I think that the group mapping code for winbind is a little bit
too fast. Let me explain:
Here are my group definitions in LDIF format:
dn: cn=Domain Admins,ou=Groups, dc=dummy,dc=com
displayName: Domain Admins
description: Local Unix group
cn: Domain Admins
dn: cn=domusers,ou=Groups, dc=dummy,dc=com
displayName: Domain Users
description: Utilisateurs du domaine
dn: cn=Domain Guests,ou=Groups, dc=dummy,dc=com
displayName: Domain Guests
description: Local Unix group
cn: Domain Guests
Notice the gidNumbers and the SID numbers, which are in line with
sid-suffix = 1000 + gid*2 + 1
Now, let's have a look at the conversion when trying to resolve groups on the
Solaris member server (with net rpc group list):
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3209628119-1617240125-1967951502-512) -> -1
Domain Guests (S-1-5-21-3209628119-1617240125-1967951502-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3209628119-1617240125-1967951502-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
It seems to me that the SIDs are a little bit mangled with gidNumbers...
This is all the information I have at hand for now. If you need more
information, you'll have to wait until Thursday.
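A small diagnostic for the `net rpc group list` output quoted above, added here as an example and not part of either message. It assumes the rid = 1000 + gid*2 + 1 relation stated in the reply (Samba's default algorithmic rid base of 1000) and adds one constructed line for the "happy" group from the first message; it separates BUILTIN aliases and well-known domain RIDs, which can only be mapped with an explicit net groupmap entry, from RIDs the algorithmic formula can invert.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Lines quoted from the thread, plus one constructed line for the "happy"
# group (SID and rid 3001 made up for this example).
SAMPLE_OUTPUT = """\
Domain Admins (S-1-5-21-3209628119-1617240125-1967951502-512) -> -1
Domain Users (S-1-5-21-3209628119-1617240125-1967951502-513) -> -1
Administrators (S-1-5-32-544) -> -1
Users (S-1-5-32-545) -> -1
happy (S-1-5-21-3209628119-1617240125-1967951502-3001) -> -1
"""

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<gid>-?\d+)$")
BUILTIN_PREFIX = "S-1-5-32"   # BUILTIN aliases (Administrators, Users, ...)
RID_BASE = 1000               # Samba's default "algorithmic rid base"

@dataclass
class GroupCheck:
    name: str
    sid: str
    rid: int
    gid: int                      # gid reported by winbind; -1 means unmapped
    kind: str                     # "builtin", "well-known" or "algorithmic"
    expected_gid: Optional[int]   # gid implied by rid = 1000 + gid*2 + 1, if any

def algorithmic_gid(rid: int) -> Optional[int]:
    """Invert rid = RID_BASE + gid*2 + 1; None when rid is not of that form."""
    if rid <= RID_BASE or (rid - RID_BASE) % 2 == 0:
        return None
    return (rid - RID_BASE - 1) // 2

def check_line(line: str) -> Optional[GroupCheck]:
    """Parse one 'Name (SID) -> gid' line and classify the group's RID."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    prefix, rid_str = m["sid"].rsplit("-", 1)
    rid, gid = int(rid_str), int(m["gid"])
    if prefix == BUILTIN_PREFIX:
        kind, expected = "builtin", None          # needs explicit net groupmap
    else:
        expected = algorithmic_gid(rid)
        kind = "algorithmic" if expected is not None else "well-known"
    return GroupCheck(m["name"], m["sid"], rid, gid, kind, expected)

def unmapped_groups(output: str) -> List[GroupCheck]:
    """Return every parsed group that winbind currently resolves to -1."""
    return [c for c in map(check_line, output.splitlines()) if c and c.gid == -1]
```

Groups reported as "builtin" or "well-known" (RIDs 512/513/514 here) cannot be derived from the formula and will stay at -1 until they are mapped explicitly, which is the situation both messages describe.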