WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize

John H Terpstra jht at samba.org
Thu Jan 8 08:54:29 GMT 2004


Hansjoerg,

Instead of:
	valid users = @Groupe

Please try:
	valid users = +Groupe

Thanks.

- John T.


On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

> Hi
>
> thank you for your fast reply.
> I have a user sporer
> [root at server root]# id -a sporer
> uid=1000(sporer) gid=1000(sensodrivegroup)
> Gruppen=1000(sensodrivegroup),1001(managementgroup)
>
> The user and the group is in ldap and nss_ldap seems to work..
> [root at server root]# getent group
> root:x:0:root
> ....
> Domain Admins:x:912:
> Domain Users:x:913:
> Domain Guests:x:914:
> Administrators:x:944:
> Users:x:945:
> Guests:x:946:
> Power Users:x:947:
> Account Operators:x:948:
> Server Operators:x:949:
> Print Operators:x:950:Administrator
> Backup Operators:x:951:
> Replicator:x:952:
> Domain Computers:x:953:
> sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
> managementgroup:x:1001:management,root,haehnle,sporer,sporers
>
> I am using
> [root at server root]# rpm -q nss_ldap
> nss_ldap-207-3
>
> on RH9
>
> Within samba I have two shares
> [Projekte]
>    comment = Sensodrive-Projekte
>    path = /home/sensodrive
>    force group = sensodrivegroup
>    force user = sensodrive
>    valid users = @sensodrivegroup,root
>
> [Management]
>    comment = Sensodrive-Management
>    path = /home/management
>    force group = managementgroup
>    force user = management
>    valid users = @managementgroup,root
>
> Every user can access the Projekte share, because the primary  group of
> every user is sensodrivegroup.
> When user sporer tries to access the Management share, he gets
>  user 'sporer' (from session setup) not permitted to access this share
> (Management)
>
> If I add the user sporer by his username to valid users it works
>    valid users = @managementgroup,root,sporer,haehnle,sporers
>
> Maybe this helps to solve the problem
> If you need more information, or further testing give me a note
>
> Thank you very much
>
> Greetings
>
> Hansjörg
>
>
>
>
> John H Terpstra wrote:
>
> >On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
> >
> >
> >
> >>Hi
> >>
> >>i have a question related to the groupmapping with ldapsam as backend.
> >>You described that group entries have to be in /etc/group with tdbsam as
> >>backend.
> >>
> >>I recognized that samba 3.0.1 with ldapsam does not recognize secondary
> >>groups in ldap.
> >>(e.g for accessing a share)
> >>
> >>The problem is described by  kent at wareham.k12.ma.us to (see his email
> >>attached).
> >>
> >>Do secondary groups have to be in /etc/groups in order to be recognized
> >>by samba even with ldapsam?
> >>
> >>
> >
> >Whether or not this will work depends on how you configure ID resolution.
> >
> >Winbind apparently does not resolve secondary group membership.
> >
> >On the other hand, if you configure LDAP based ID resolution via the name
> >service switcher (NSS) for both users and groups then secondary group
> >membership resolution seems to work ok. The Posix user account should be
> >in the LDAP database. You can then add users to multiple groups either in
> >/etc/group or in the LDAP groups container.
> >
> >How did you configure /etc/nsswitch.conf?
> >
> >What does 'getent group' and 'getent passwd' show?
> >
> >If you have a user who is a member of multiple secondary groups and you
> >execute:
> >	id 'username'
> >
> >What does this report for that user?
> >
> >If LDAP based resolution of multiple group membership fails that is
> >something that must be reported to PADL, the authors of nss_ldap.
> >
> >On the test systems I used to create the environments I used to create the
> >example files for the new "Samba-3 by Example" book, I compiled nss_ldap
> >version 212 and found that to work fine with multiple groups.
> >
> >Is this what you tried also?
> >
> >Cheers,
> >John T.
> >
> >
> >
> >
> >>Thank you very much
> >>
> >>Hansjörg
> >>
> >>
> >>Hello,
> >>I found an interesting thing that I don't know if it is a bug, by design
> >>or I need to be doing something that I'm not but here goes.
> >>
> >>My system
> >>RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
> >>(3) BDC with LDAP slave backend. All are Samba 3.0.
> >>
> >>I had a problem with secondary, tertiary etc groups that people belong
> >>to and Samba recognizing these groups if they were stored in LDAP. The
> >>primary group was no problem. When I created shares but used
> >>"@groupname"  for valid users or write list, Samba would fail to get
> >>that info from LDAP. They needed to be in /etc/group to work. As soon as
> >>I added users in secondary groups to /etc/group users were recognized
> >>and rights were assigned.
> >>
> >>As a side note each line of /etc/group is limited to 1024 bytes, so
> >>there is a limit on how many users you can add to a group using
> >>/etc/group. If you exceed that when the system scans the /etc/group
> >>file, it will fail at the line >1024 bytes and any groups below will
> >>fail to be recognized. I believe that this is a bug. If you do "ls" on a
> >>directory or "id <username>" where one of the entries in your /etc/group
> >>has exceeded the limit, the groups will show as numbers and not a group
> >>name.
> >>
> >>
> >>Can I use pam_winbindd to extract group membership from LDAP at this
> >>
> >>time for secondary, tertiary etc groups?
> >>
> >>
> >>
> >>John H Terpstra wrote:
> >>
> >>
> >>
> >>>On Wed, 7 Jan 2004, Andrew Judge wrote:
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>I think that most of my problems are somewhat resolved except for this last
> >>>>one.  I can not get domain admin rights to the ntadmins users.  I get the
> >>>>following output for groupmaps:
> >>>>
> >>>>[root at fire2 i386]# net groupmap list
> >>>>System Operators (S-1-5-32-549) -> -1
> >>>>Replicators (S-1-5-32-552) -> -1
> >>>>Guests (S-1-5-32-546) -> -1
> >>>>Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
> >>>>Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
> >>>>Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
> >>>>Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
> >>>>Power Users (S-1-5-32-547) -> -1
> >>>>Print Operators (S-1-5-32-550) -> -1
> >>>>Administrators (S-1-5-32-544) -> -1
> >>>>Account Operators (S-1-5-32-548) -> -1
> >>>>Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
> >>>>Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
> >>>>Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
> >>>>Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
> >>>>Backup Operators (S-1-5-32-551) -> -1
> >>>>Users (S-1-5-32-545) -> -1
> >>>>
> >>>>
> >>>>Obviously there is a problem with the domain '*' SID because there are
> >>>>duplicates.  Any idea how to correct this problem and get the users logged
> >>>>in with admin rights.  I have RH EN v.3 and samba 3.0.0-14.3E from RH.  I
> >>>>can see the users from the samba server and the users can log in, but no
> >>>>rights.  Big problem.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>Ok. Roll up your sleeves!
> >>>
> >>>I am presuming that you are NOT using an LDAP backend, that you still are
> >>>using an smbpasswd backend datafile.
> >>>
> >>>1. Stop Samba
> >>>2. Delete the group_mapping.tdb file.
> >>>3. Restart Samba
> >>>	- the default Domain Groups will automatically be created if you
> >>>	  are NOT using LDAP ldapsam.
> >>>4. Map your groups as follows:
> >>>
> >>>net groupmap modify ntgroup="Domain Users" unixgroup=users
> >>>net groupmap modify ntgroup="Domain Admins" unixgroup=root
> >>>net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
> >>>
> >>>Add any Domain Groups you may want. Do tie them to existing (manually
> >>>created UNIX groups) eg:
> >>>
> >>>groupadd engineers
> >>>net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
> >>>
> >>>groupadd ntadmins
> >>>net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
> >>>
> >>>
> >>>PS: If you have a problem with these commands email me, I'll help you.
> >>>
> >>>
> >>>5. Add all users who should have Domain Admin rights to the UNIX root
> >>>group in /etc/group, like this:
> >>>
> >>>root:0::jht,jimbo,jack,jill
> >>>
> >>>
> >>>6. Add all users who should have Workstation Admin rights (Power Users) to
> >>>the UNIX ntadmins group in /etc/group, like this:
> >>>
> >>>ntadmins:123::maryo,susant,billm
> >>>
> >>>
> >>>7. Verify that the groups are correctly mapped:
> >>>
> >>>net groupmap list.
> >>>
> >>>
> >>>8. Now: On every windows client machine add:
> >>>
> >>>	a) Domain Admins to the Local Administrators Group
> >>>	b) Domain Power Users to the Local Power Users Group
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> >>>>changed the SID to the last PDC.  Anyway, how would I get the right SID?  I
> >>>>have NTUSER.DAT files that I can run profiles against to read them.  Would
> >>>>that help?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
> >>>NTUSER.DAT files.
> >>>
> >>>To obtain the domain SID just run:
> >>>
> >>>	net getlocalsid
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>First one that can point me in the right direction to get this resolved -
> >>>>I'll buy them an amazon gift cert for $50.  Beats going bald from pulling out
> >>>>my hair.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>It's a deal man!
> >>>
> >>>
> >>>- John T.
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
>
>

-- 
John H Terpstra
Email: jht at samba.org
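The whole thread turns on how an entry in `valid users` is resolved: John's suggestion to replace `@Groupe` with `+Groupe` changes the lookup scope, and Hansjoerg's symptom (group entries fail, an explicit user name works) is what you see when the group lookup no longer returns secondary members. The following Python is an added example, not code from Samba or from anyone in the thread. It applies the prefix rules from smb.conf(5) (`@name`: NIS netgroup then UNIX group; `+name`: UNIX group only; `&name`: NIS netgroup only; a bare name is a user) to a constructed group/passwd view modelled on the `getent group` output above, and also to a deliberately degraded view where only primary groups are known. The data, the helper names and the `without_secondary` degradation are assumptions made for this example.

```python
"""Evaluate a Samba 'valid users' list against an NSS-style view of groups.

Added example (not Samba code, not from the thread).  The prefix rules follow
smb.conf(5): '@name' is looked up as a NIS netgroup and then as a UNIX group,
'+name' only as a UNIX group, '&name' only as a NIS netgroup; a bare name is
a user name.  All data below is constructed to mirror the thread.
"""
import re

# Constructed /etc/group-style data modelled on the getent output in the thread.
GROUP_LINES = """\
root:x:0:root
managementgroup:x:1001:management,root,haehnle,sporer,sporers
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,sensodrive,root
"""

# Constructed passwd-style primary-group assignment (user -> group name).
PRIMARY_GROUP = {"sporer": "sensodrivegroup", "geist": "sensodrivegroup",
                 "management": "managementgroup", "root": "root"}


def parse_group_file(text):
    """Return {group name: set of members listed in the 4th field}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


GROUPS = parse_group_file(GROUP_LINES)


def without_secondary(groups):
    """A group view that has lost its member lists.  This models the thread's
    symptom, where only a user's primary group is still known (assumption)."""
    return {name: set() for name in groups}


def unix_group_members(groups, primary, name):
    """Members of a UNIX group: the explicit list plus users whose primary
    group it is (the same union 'id' and 'getent group' show).  None if the
    group does not exist at all."""
    if name not in groups:
        return None
    return set(groups[name]) | {u for u, g in primary.items() if g == name}


def entry_matches(entry, user, groups, primary, netgroups):
    """Apply the smb.conf(5) prefix rules to a single list entry."""
    if entry.startswith("+&"):
        sources, name = ("unix", "netgroup"), entry[2:]
    elif entry.startswith("&+"):
        sources, name = ("netgroup", "unix"), entry[2:]
    elif entry.startswith("@"):
        sources, name = ("netgroup", "unix"), entry[1:]
    elif entry.startswith("+"):
        sources, name = ("unix",), entry[1:]
    elif entry.startswith("&"):
        sources, name = ("netgroup",), entry[1:]
    else:
        return entry == user  # plain user name
    for source in sources:
        if source == "netgroup":
            members = netgroups.get(name)
        else:
            members = unix_group_members(groups, primary, name)
        if members and user in members:
            return True
    return False


def user_allowed(valid_users, user, groups=GROUPS, primary=PRIMARY_GROUP,
                 netgroups=None):
    """True if 'user' matches any entry of a 'valid users =' value."""
    netgroups = netgroups or {}
    entries = [e for e in re.split(r"[,\s]+", valid_users.strip()) if e]
    return any(entry_matches(e, user, groups, primary, netgroups)
               for e in entries)


if __name__ == "__main__":
    broken = without_secondary(GROUPS)
    for spec in ("@managementgroup,root", "+managementgroup,root",
                 "@managementgroup,root,sporer"):
        print(f"{spec:32} full NSS: {user_allowed(spec, 'sporer')!s:5} "
              f"primary-only: {user_allowed(spec, 'sporer', groups=broken)}")
```

Run as a script it prints, for user `sporer`, that both `@managementgroup` and `+managementgroup` admit him while secondary membership is visible, and that only the entry naming him explicitly does once it is not. That reproduces the observation in the thread; the `@`/`+` difference is whether a netgroup lookup is consulted at all, which matters when a netgroup source exists.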


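Andrew's `net groupmap list` output shows the two things John's step 7 asks you to verify: mappings still at `-1`, and the same group name listed under several domain SIDs, which is what stale entries from an earlier domain SID look like. As an added example (not Samba code and not from the thread), the Python below parses that line format and reports both conditions against the SID you would take from `net getlocalsid`. The sample output and every SID in it are constructed for this example; the local SID passed to `audit_groupmap` is likewise constructed.

```python
"""Audit the output of 'net groupmap list' (Samba 3.0 format) for mappings
left at -1 and for group names mapped under several domain SIDs.

Added example, not Samba code.  The sample output and its SIDs are
constructed for this example and belong to no real domain.
"""
import re
from collections import defaultdict

BUILTIN_SID = "S-1-5-32"  # well-known BUILTIN domain (Administrators, Users, ...)

# Constructed sample in the line format the thread shows.
SAMPLE_GROUPMAP = """\
Replicators (S-1-5-32-552) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmins
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> -1
Domain Admins (S-1-5-21-4444444444-5555555555-6666666666-512) -> -1
Domain Users (S-1-5-21-4444444444-5555555555-6666666666-513) -> -1
"""

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5(?:-\d+)+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """One dict per mapping line; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        domain, rid = m["sid"].rsplit("-", 1)  # SID = domain SID + "-" + RID
        entries.append({
            "name": m["name"], "sid": m["sid"], "domain": domain,
            "rid": int(rid),
            "unixgroup": None if m["unix"] == "-1" else m["unix"],
        })
    return entries


def audit_groupmap(text, local_sid):
    """local_sid is the domain SID that 'net getlocalsid' prints.

    Returns the entries that belong to neither BUILTIN nor the local domain,
    the local-domain entries still unmapped (-1), and group names that occur
    under more than one non-BUILTIN domain SID."""
    entries = parse_groupmap(text)
    foreign = [e for e in entries
               if e["domain"] not in (BUILTIN_SID, local_sid)]
    unmapped_local = [e for e in entries
                      if e["domain"] == local_sid and e["unixgroup"] is None]
    domains_by_name = defaultdict(set)
    for e in entries:
        if e["domain"] != BUILTIN_SID:
            domains_by_name[e["name"]].add(e["domain"])
    duplicates = {name: sorted(d) for name, d in domains_by_name.items()
                  if len(d) > 1}
    return {"foreign": foreign, "unmapped_local": unmapped_local,
            "duplicates": duplicates}


if __name__ == "__main__":
    # On a real PDC this value comes from 'net getlocalsid'; here it is constructed.
    local = "S-1-5-21-1111111111-2222222222-3333333333"
    report = audit_groupmap(SAMPLE_GROUPMAP, local)
    for e in report["foreign"]:
        print(f"stale mapping from another domain SID: {e['name']} ({e['sid']})")
    for e in report["unmapped_local"]:
        print(f"local group not mapped to a UNIX group: {e['name']} (RID {e['rid']})")
    for name, sids in report["duplicates"].items():
        print(f"'{name}' appears under {len(sids)} domain SIDs")
```

Feeding it the real listing (`net groupmap list | python3 audit.py`-style, after replacing the constructed sample and local SID) separates the BUILTIN entries, which are expected to show `-1` on a PDC that has not mapped them, from the local-domain groups that step 4 is meant to map and from leftovers carrying a foreign domain SID.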