WAS: Re: [Samba] net groupmap / domain admins problem

Hansjoerg Maurer Hansjoerg.Maurer at dlr.de
Thu Jan 8 09:52:28 GMT 2004


Hi

I switched to
   valid users = +managementgroup

and still get

[2004/01/08 10:46:52, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.1.100)
[2004/01/08 10:46:52, 2] smbd/service.c:make_connection_snum(391)
  user 'sporer' (from session setup) not permitted to access this share 
(test)
[2004/01/08 10:46:52, 3] smbd/error.c:error_packet(118)
  error packet at smbd/reply.c(286) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED


(changed the name of the share to test to avoid a naming conflict with 
user management)

[root at server root]# smbclient -U sporer \\\\LINA\\test
Password:
tree connect failed: NT_STATUS_ACCESS_DENIED

[root at server root]# smbclient -U sporer \\\\LINA\\sporer
Password:
smb: \>

[root at server root]# smbclient -U sporer \\\\LINA\\projekte-share
Password:
smb: \>

With the share where sporer has his primary group, it still works 
with the +sensodrivegroup

Thank you

Hansjörg




John H Terpstra wrote:

>Hansjoerg,
>
>Instead of:
>	valid users = @Groupe
>
>Please try:
>	valid users = +Groupe
>
>Thanks.
>
>- John T.
>
>
>On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>
>
>>Hi
>>
>>thank you for your fast reply.
>>I have a user sporer
>>[root at server root]# id -a sporer
>>uid=1000(sporer) gid=1000(sensodrivegroup)
>>Gruppen=1000(sensodrivegroup),1001(managementgroup)
>>
>>The user and the group are in LDAP and nss_ldap seems to work...
>>[root at server root]# getent group
>>root:x:0:root
>>....
>>Domain Admins:x:912:
>>Domain Users:x:913:
>>Domain Guests:x:914:
>>Administrators:x:944:
>>Users:x:945:
>>Guests:x:946:
>>Power Users:x:947:
>>Account Operators:x:948:
>>Server Operators:x:949:
>>Print Operators:x:950:Administrator
>>Backup Operators:x:951:
>>Replicator:x:952:
>>Domain Computers:x:953:
>>sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
>>managementgroup:x:1001:management,root,haehnle,sporer,sporers
>>
>>I am using
>>[root at server root]# rpm -q nss_ldap
>>nss_ldap-207-3
>>
>>on RH9
>>
>>Within samba I have two shares
>>[Projekte]
>>   comment = Sensodrive-Projekte
>>   path = /home/sensodrive
>>   force group = sensodrivegroup
>>   force user = sensodrive
>>   valid users = @sensodrivegroup,root
>>
>>[Management]
>>   comment = Sensodrive-Management
>>   path = /home/management
>>   force group = managementgroup
>>   force user = management
>>   valid users = @managementgroup,root
>>
>>Every user can access the Projekte share, because the primary group of
>>every user is sensodrivegroup.
>>When user sporer tries to access the Management share, he gets
>> user 'sporer' (from session setup) not permitted to access this share
>>(Management)
>>
>>If I add the user sporer by his username to valid users it works
>>   valid users = @managementgroup,root,sporer,haehnle,sporers
>>
>>Maybe this helps to solve the problem
>>If you need more information, or further testing give me a note
>>
>>Thank you very much
>>
>>Greetings
>>
>>Hansjörg
>>
>>
>>
>>
>>John H Terpstra wrote:
>>
>>
>>>On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>>>
>>>>Hi
>>>>
>>>>I have a question related to the group mapping with ldapsam as backend.
>>>>You described that group entries have to be in /etc/group with tdbsam as
>>>>backend.
>>>>
>>>>I recognized that samba 3.0.1 with ldapsam does not recognize secondary
>>>>groups in LDAP
>>>>(e.g. for accessing a share).
>>>>
>>>>The problem is described by kent at wareham.k12.ma.us too (see his email
>>>>attached).
>>>>
>>>>Do secondary groups have to be in /etc/groups in order to be recognized
>>>>by samba even with ldapsam?
>>>>
>>>>
>>>Whether or not this will work depends on how you configure ID resolution.
>>>
>>>Winbind apparently does not resolve secondary group membership.
>>>
>>>On the other hand, if you configure LDAP based ID resolution via the name
>>>service switcher (NSS) for both users and groups then secondary group
>>>membership resolution seems to work ok. The Posix user account should be
>>>in the LDAP database. You can then add users to multiple groups either in
>>>/etc/group or in the LDAP groups container.
>>>
>>>How did you configure /etc/nsswitch.conf?
>>>
>>>What does 'getent group' and 'getent passwd' show?
>>>
>>>If you have a user who is a member of multiple secondary groups and you
>>>execute:
>>>	id 'username'
>>>
>>>What does this report for that user?
>>>
>>>If LDAP based resolution of multiple group membership fails that is
>>>something that must be reported to PADL, the authors of nss_ldap.
>>>
>>>On the test systems I used to create the environments I used to create the
>>>example files for the new "Samba-3 by Example" book, I compiled nss_ldap
>>>version 212 and found that to work fine with multiple groups.
>>>
>>>Is this what you tried also?
>>>
>>>Cheers,
>>>John T.
>>>
>>>>Thank you very much
>>>>
>>>>Hansjörg
>>>>
>>>>
>>>>Hello,
>>>>I found an interesting thing that I don't know if it is a bug, by design
>>>>or I need to be doing something that I'm not but here goes.
>>>>
>>>>My system
>>>>RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
>>>>(3) BDC with LDAP slave backend. All are Samba 3.0.
>>>>
>>>>I had a problem with secondary, tertiary etc groups that people belong
>>>>to and Samba recognizing these groups if they were stored in LDAP. The
>>>>primary group was no problem. When I created shares but used
>>>>"@groupname"  for valid users or write list, Samba would fail to get
>>>>that info from LDAP. They needed to be in /etc/group to work. As soon as
>>>>I added users in secondary groups to /etc/group users were recognized
>>>>and rights were assigned.
>>>>
>>>>As a side note each line of /etc/group is limited to 1024 bytes, so
>>>>there is a limit on how many users you can add to a group using
>>>>/etc/group. If you exceed that when the system scans the /etc/group
>>>>file, it will fail at the line >1024 bytes and any groups below will
>>>>fail to be recognized. I believe that this is a bug. If you do "ls" on a
>>>>directory or "id <username>" where one of the entries in your /etc/group
>>>>has exceeded the limit, the groups will show as numbers and not a group
>>>>name.
>>>>
>>>>
>>>>Can I use pam_winbindd to extract group membership from LDAP at this
>>>>time for secondary, tertiary etc groups?
>>>>
>>>>
>>>>
>>>>John H Terpstra wrote:
>>>>
>>>>>On Wed, 7 Jan 2004, Andrew Judge wrote:
>>>>>
>>>>>>I think that most of my problems are somewhat resolved except for this last
>>>>>>one.  I can not get domain admin rights to the ntadmins users.  I get the
>>>>>>following output for groupmaps:
>>>>>>
>>>>>>[root at fire2 i386]# net groupmap list
>>>>>>System Operators (S-1-5-32-549) -> -1
>>>>>>Replicators (S-1-5-32-552) -> -1
>>>>>>Guests (S-1-5-32-546) -> -1
>>>>>>Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
>>>>>>Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
>>>>>>Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
>>>>>>Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
>>>>>>Power Users (S-1-5-32-547) -> -1
>>>>>>Print Operators (S-1-5-32-550) -> -1
>>>>>>Administrators (S-1-5-32-544) -> -1
>>>>>>Account Operators (S-1-5-32-548) -> -1
>>>>>>Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
>>>>>>Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
>>>>>>Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
>>>>>>Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
>>>>>>Backup Operators (S-1-5-32-551) -> -1
>>>>>>Users (S-1-5-32-545) -> -1
>>>>>>
>>>>>>
>>>>>>Obviously there is a problem with the domain '*' SID because there are
>>>>>>duplicates.  Any idea how to correct this problem and get the users logged
>>>>>>in with admin rights.  I have RH EN v.3 and samba 3.0.0-14.3E from RH.  I
>>>>>>can see the users from the samba server and the users can log in, but no
>>>>>>rights.  Big problem.
>>>>>>
>>>>>Ok. Roll up your sleeves!
>>>>>
>>>>>I am presuming that you are NOT using an LDAP backend, that you still are
>>>>>using an smbpasswd backend datafile.
>>>>>
>>>>>1. Stop Samba
>>>>>2. Delete the group_mapping.tdb file.
>>>>>3. Restart Samba
>>>>>	- the default Domain Groups will automatically be created if you
>>>>>	  are NOT using LDAP ldapsam.
>>>>>4. Map your groups as follows:
>>>>>
>>>>>net groupmap modify ntgroup="Domain Users" unixgroup=users
>>>>>net groupmap modify ntgroup="Domain Admins" unixgroup=root
>>>>>net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
>>>>>
>>>>>Add any Domain Groups you may want. Do tie them to existing (manually
>>>>>created UNIX groups) eg:
>>>>>
>>>>>groupadd engineers
>>>>>net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
>>>>>
>>>>>groupadd ntadmins
>>>>>net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
>>>>>
>>>>>
>>>>>PS: If you have a problem with these commands email me, I'll help you.
>>>>>
>>>>>
>>>>>5. Add all users who should have Domain Admin rights to the UNIX root
>>>>>group in /etc/group, like this:
>>>>>
>>>>>root:0::jht,jimbo,jack,jill
>>>>>
>>>>>
>>>>>6. Add all users who should have Workstation Admin rights (Power Users) to
>>>>>the UNIX ntadmins group in /etc/group, like this:
>>>>>
>>>>>ntadmins:123::maryo,susant,billm
>>>>>
>>>>>
>>>>>7. Verify that the groups are correctly mapped:
>>>>>
>>>>>net groupmap list.
>>>>>
>>>>>
>>>>>8. Now: On every windows client machine add:
>>>>>
>>>>>	a) Domain Admins to the Local Administrators Group
>>>>>	b) Domain Power Users to the Local Power Users Group
>>>>>
>>>>>>Now... I migrated from 2.2.3a to the above and I have all the tdb and I
>>>>>>changed the SID to the last PDC.  Anyway, how would I get the right SID?  I
>>>>>>have NTUSER.DAT files that I can run profiles against to read them.  Would
>>>>>>that help?
>>>>>>
>>>>>You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
>>>>>NTUSER.DAT files.
>>>>>
>>>>>To obtain the domain SID just run:
>>>>>
>>>>>	net getlocalsid
>>>>>
>>>>>>First one that can point me in the right direction to get this resolved -
>>>>>>I'll buy them an Amazon gift cert for $50.  Beats going bald from pulling out
>>>>>>my hair.
>>>>>>
>>>>>It's a deal man!
>>>>>
>>>>>
>>>>>- John T.
>


-- 
_________________________________________________________________

Dr.  Hansjoerg Maurer           | LAN- & System-Manager
                                |
Deutsches Zentrum               | DLR Oberpfaffenhofen
  f. Luft- und Raumfahrt e.V.   |
Institut f. Robotik             |
Postfach 1116                   | Muenchner Strasse 20
82230 Wessling                  | 82234 Wessling
Germany                         |
                                |
Tel: 08153/28-2431              | E-mail: Hansjoerg.Maurer at dlr.de
Fax: 08153/28-1134              | WWW: http://www.robotic.dlr.de/
__________________________________________________________________


There are 10 types of people in this world, 
those who understand binary and those who don't.
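To make the membership rules the thread is arguing about concrete, here is an added example (not Samba's code and not anything posted in the thread). It models, in a deliberately simplified way, how a user's NSS group list (primary gid plus explicit secondary membership, i.e. what `id <user>` reports) is matched against a `valid users` list using the prefix meanings smb.conf documents (`+` UNIX group only, `&` NIS netgroup only, `@` netgroup then UNIX group, bare name a user), and it adds the over-long `/etc/group` line audit from Kent's note. The group and passwd data are constructed to mirror the `getent group` output above; the 1024-byte threshold is the poster's observation, taken as a default, not a verified glibc constant. If `id sporer` and this model agree that sporer is in managementgroup but smbd still refuses the share, the divergence sits in smbd's own lookup path rather than in the group data.

```python
"""Simplified model of 'valid users' evaluation against NSS group data,
plus a line-length audit for /etc/group.

Added example; not code from the Samba project or from the thread.
GROUP_DATA and PASSWD_DATA are constructed samples."""

# Constructed sample resembling the 'getent group' output in the thread.
GROUP_DATA = """\
root:x:0:root
Domain Admins:x:912:
Domain Users:x:913:
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
managementgroup:x:1001:management,root,haehnle,sporer,sporers
"""

# Constructed passwd-style lines giving each user's primary gid.
# 'neu' is in sensodrivegroup only through the primary gid, not the member list.
PASSWD_DATA = """\
root:x:0:0:root:/root:/bin/bash
sporer:x:1000:1000::/home/sporer:/bin/bash
management:x:1002:1001::/home/management:/bin/bash
geist:x:1003:1000::/home/geist:/bin/bash
neu:x:1004:1000::/home/neu:/bin/bash
"""


def parse_group(text):
    """Return {name: (gid, set(members))} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Return {user: primary_gid} from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def user_groups(user, groups, users):
    """Groups the user belongs to: primary gid plus explicit secondary
    membership, which is what 'id <user>' reports when NSS works."""
    primary = users.get(user)
    return {name for name, (gid, members) in groups.items()
            if gid == primary or user in members}


def valid_users_allows(user, valid_users, groups, users, netgroups=None):
    """Evaluate a 'valid users' list with the smb.conf prefix meanings:
       '+name' -> UNIX group only, '&name' -> NIS netgroup only,
       '@name' -> netgroup first then UNIX group, 'name' -> a user.
    Simplified model (assumption): no case folding, no wildcards."""
    netgroups = netgroups or {}
    member_of = user_groups(user, groups, users)
    for entry in (e.strip() for e in valid_users.split(",")):
        if not entry:
            continue
        if entry.startswith("+"):
            if entry[1:] in member_of:
                return True
        elif entry.startswith("&"):
            if user in netgroups.get(entry[1:], set()):
                return True
        elif entry.startswith("@"):
            name = entry[1:]
            if user in netgroups.get(name, set()) or name in member_of:
                return True
        elif entry == user:
            return True
    return False


def audit_group_file(text, limit=1024):
    """Return the names of groups whose /etc/group line exceeds 'limit' bytes.
    The thread reports that parsing stops at such a line; 1024 is the
    poster's figure and is only the default threshold here."""
    return [line.split(":", 1)[0] for line in text.splitlines()
            if len(line.encode()) > limit]


if __name__ == "__main__":
    groups = parse_group(GROUP_DATA)
    users = parse_passwd(PASSWD_DATA)
    for share, rule in (("Projekte", "@sensodrivegroup,root"),
                        ("Management", "+managementgroup")):
        ok = valid_users_allows("sporer", rule, groups, users)
        print(f"sporer -> {share}: {'allowed' if ok else 'denied'}")
    # Constructed oversized line to show the audit firing.
    big = "biggroup:x:2000:" + ",".join(f"user{i:04d}" for i in range(300))
    print("oversized:", audit_group_file(GROUP_DATA + big + "\n"))
```

Run it against real data with `getent group > group.txt; getent passwd > passwd.txt` and feed the file contents in place of the constructed strings; a group that `user_groups` returns but smbd does not honour is the symptom the thread describes.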
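The smbd level-2/3 log excerpt at the top of the message is the evidence one actually works from when a share refusal is reported, so here is an added example (not Samba's code and not from the thread) that turns such a log into structured records and pulls out the "not permitted to access this share" events per user and share. The sample log is constructed from the lines quoted above; the header-line format it parses, `[date time, level] file:function(line)` followed by indented message text, is the smbd debug layout shown in the thread.

```python
"""Parse smbd debug-log records and extract share-access refusals.

Added example; not code from the Samba project or from the thread.
SAMPLE_LOG is constructed from the log lines quoted in the message."""
import re

SAMPLE_LOG = """\
[2004/01/08 10:46:52, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.1.100)
[2004/01/08 10:46:52, 2] smbd/service.c:make_connection_snum(391)
  user 'sporer' (from session setup) not permitted to access this share (test)
[2004/01/08 10:46:52, 3] smbd/error.c:error_packet(118)
  error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2004/01/08 10:47:10, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.1.100)
"""

# '[timestamp, level] source' header that starts every smbd debug record.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] (?P<src>\S+)$")
# The refusal message emitted when the user fails the share's access check.
DENIED = re.compile(
    r"user '(?P<user>[^']+)' \(from session setup\) not permitted to access "
    r"this share \((?P<share>[^)]+)\)")


def parse_smbd_log(text):
    """Group the log into records: a header line followed by its indented
    message lines, joined into one string."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "src": m["src"], "msg": []}
            records.append(current)
        elif current is not None and line.strip():
            current["msg"].append(line.strip())
    for r in records:
        r["msg"] = " ".join(r["msg"])
    return records


def share_denials(text):
    """Return (timestamp, user, share) for every share-access refusal."""
    out = []
    for r in parse_smbd_log(text):
        m = DENIED.search(r["msg"])
        if m:
            out.append((r["ts"], m["user"], m["share"]))
    return out


def denials_by_user(text):
    """Count refusals per user. One account repeatedly refused a share it
    should reach is the 'valid users' symptom in the thread; many different
    accounts being refused at once is the pattern worth an alert."""
    counts = {}
    for _ts, user, _share in share_denials(text):
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, user, share in share_denials(SAMPLE_LOG):
        print(f"{ts} user={user} share={share} denied")
    print(denials_by_user(SAMPLE_LOG))
```

Point it at `/var/log/samba/log.smbd` (or the per-client log file the `log file` setting names) with `log level` at 2 or higher, since the refusal line is a level-2 message.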



