WAS: Re: [Samba] net groupmap / domain admins problem

Dr. Hansjoerg Maurer Hansjoerg.Maurer at itsd.de
Thu Jan 8 21:08:08 GMT 2004


Hi,

I also deleted my /var/lib/samba/group_mapping.tdb
as you suggested in your mail before
(I am using ldapsam, but I was afraid that there might be something left
after the installation)
But unfortunately it does not work.

My groupmap seems to be ok

ok time for going to sleep :)

greetings from munich

hansjörg

[root at server root]# net groupmap list
Domain Admins (S-1-5-21-3723159834-3326906825-3408399175-512) -> Domain Admins
Domain Users (S-1-5-21-3723159834-3326906825-3408399175-513) -> Domain Users
Domain Guests (S-1-5-21-3723159834-3326906825-3408399175-514) -> Domain Guests
Administrators (S-1-5-21-3723159834-3326906825-3408399175-544) -> Administrators
Users (S-1-5-21-3723159834-3326906825-3408399175-545) -> Users
Guests (S-1-5-21-3723159834-3326906825-3408399175-546) -> Guests
Power Users (S-1-5-21-3723159834-3326906825-3408399175-547) -> Power Users
Account Operators (S-1-5-21-3723159834-3326906825-3408399175-548) -> Account Operators
Server Operators (S-1-5-21-3723159834-3326906825-3408399175-549) -> Server Operators
Print Operators (S-1-5-21-3723159834-3326906825-3408399175-550) -> Print Operators
Backup Operators (S-1-5-21-3723159834-3326906825-3408399175-551) -> Backup Operators
Replicators (S-1-5-21-3723159834-3326906825-3408399175-552) -> Replicator
Domain Computers (S-1-5-21-3723159834-3326906825-3408399175-553) -> Domain Computers
sensodrivegroup (S-1-5-21-3723159834-3326906825-3408399175-3001) -> sensodrivegroup
Managementgroup (S-1-5-21-3723159834-3326906825-3408399175-3003) -> managementgroup

H

Hansjoerg Maurer said:
> Hi
>
> i switched to
>    valid users = +managementgroup
>
> and still get
>
> [2004/01/08 10:46:52, 2] lib/access.c:check_access(324)
>   Allowed connection from  (192.168.1.100)
> [2004/01/08 10:46:52, 2] smbd/service.c:make_connection_snum(391)
>   user 'sporer' (from session setup) not permitted to access this share (test)
> [2004/01/08 10:46:52, 3] smbd/error.c:error_packet(118)
>   error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
>
> (changed the name of the share to test to avoid a naming conflict with
> user management)
>
> [root at server root]# smbclient -U sporer \\\\LINA\\test
> Password:
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> [root at server root]# smbclient -U sporer \\\\LINA\\sporer
> Password:
> smb: \>
>
> [root at server root]# smbclient -U sporer \\\\LINA\\projekte-share
> Password:
> smb: \>
>
> With the share where sporer has the primary group in, it still works
> with the +sensodrivegroup
>
> Thank you
>
> Hansjörg
>
>
>
>
> John H Terpstra wrote:
>
>>Hansjoerg,
>>
>>Instead of:
>>	valid users = @Groupe
>>
>>Please try:
>>	valid users = +Groupe
>>
>>Thanks.
>>
>>- John T.
>>
>>
>>On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>>
>>
>>
>>>Hi
>>>
>>>thank you for your fast reply.
>>>I have a user sporer
>>>[root at server root]# id -a sporer
>>>uid=1000(sporer) gid=1000(sensodrivegroup)
>>>groups=1000(sensodrivegroup),1001(managementgroup)
>>>
>>>The user and the group is in ldap and nss_ldap seems to work..
>>>[root at server root]# getent group
>>>root:x:0:root
>>>....
>>>Domain Admins:x:912:
>>>Domain Users:x:913:
>>>Domain Guests:x:914:
>>>Administrators:x:944:
>>>Users:x:945:
>>>Guests:x:946:
>>>Power Users:x:947:
>>>Account Operators:x:948:
>>>Server Operators:x:949:
>>>Print Operators:x:950:Administrator
>>>Backup Operators:x:951:
>>>Replicator:x:952:
>>>Domain Computers:x:953:
>>>sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
>>>managementgroup:x:1001:management,root,haehnle,sporer,sporers
>>>
>>>I am using
>>>[root at server root]# rpm -q nss_ldap
>>>nss_ldap-207-3
>>>
>>>on RH9
>>>
>>>Within samba I have two shares
>>>[Projekte]
>>>   comment = Sensodrive-Projekte
>>>   path = /home/sensodrive
>>>   force group = sensodrivegroup
>>>   force user = sensodrive
>>>   valid users = @sensodrivegroup,root
>>>
>>>[Management]
>>>   comment = Sensodrive-Management
>>>   path = /home/management
>>>   force group = managementgroup
>>>   force user = management
>>>   valid users = @managementgroup,root
>>>
>>>Every user can access the Projekte share, because the primary group of
>>>every user is sensodrivegroup.
>>>When user sporer tries to access the Management share, he gets
>>> user 'sporer' (from session setup) not permitted to access this share
>>>(Management)
>>>
>>>If I add the user sporer by his username to valid users it works
>>>   valid users = @managementgroup,root,sporer,haehnle,sporers
>>>
>>>Maybe this helps to solve the problem
>>>If you need more information, or further testing give me a note
>>>
>>>Thank you very much
>>>
>>>Greetings
>>>
>>>Hansjörg
>>>
>>>John H Terpstra wrote:
>>>
>>>
>>>
>>>>On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>>>>
>>>>>Hi
>>>>>
>>>>>i have a question related to the groupmapping with ldapsam as backend.
>>>>>You described that group entries have to be in /etc/group with tdbsam as
>>>>>backend.
>>>>>
>>>>>I recognized that samba 3.0.1 with ldapsam does not recognize secondary
>>>>>groups in ldap.
>>>>>(e.g. for accessing a share)
>>>>>
>>>>>The problem is described by kent at wareham.k12.ma.us too (see his email
>>>>>attached).
>>>>>
>>>>>Do secondary groups have to be in /etc/group in order to be recognized
>>>>>by samba even with ldapsam?
>>>>>
>>>>Whether or not this will work depends on how you configure ID resolution.
>>>>
>>>>Winbind apparently does not resolve secondary group membership.
>>>>
>>>>On the other hand, if you configure LDAP based ID resolution via the name
>>>>service switcher (NSS) for both users and groups then secondary group
>>>>membership resolution seems to work ok. The Posix user account should be
>>>>in the LDAP database. You can then add users to multiple groups either in
>>>>/etc/group or in the LDAP groups container.
>>>>
>>>>How did you configure /etc/nsswitch.conf?
>>>>
>>>>What does 'getent group' and 'getent passwd' show?
>>>>
>>>>If you have a user who is a member of multiple secondary groups and you
>>>>execute:
>>>>	id 'username'
>>>>
>>>>What does this report for that user?
>>>>
>>>>If LDAP based resolution of multiple group membership fails that is
>>>>something that must be reported to PADL, the authors of nss_ldap.
>>>>
>>>>On the test systems I used to create the environments I used to create the
>>>>example files for the new "Samba-3 by Example" book, I compiled nss_ldap
>>>>version 212 and found that to work fine with multiple groups.
>>>>
>>>>Is this what you tried also?
>>>>
>>>>Cheers,
>>>>John T.
>>>>
>>>>>Thank you very much
>>>>>
>>>>>Hansjörg
>>>>>
>>>>>
>>>>>Hello,
>>>>>I found an interesting thing that I don't know if it is a bug, by design
>>>>>or I need to be doing something that I'm not but here goes.
>>>>>
>>>>>My system
>>>>>RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
>>>>>(3) BDC with LDAP slave backend. All are Samba 3.0.
>>>>>
>>>>>I had a problem with secondary, tertiary etc groups that people belong
>>>>>to and Samba recognizing these groups if they were stored in LDAP. The
>>>>>primary group was no problem. When I created shares but used
>>>>>"@groupname" for valid users or write list, Samba would fail to get
>>>>>that info from LDAP. They needed to be in /etc/group to work. As soon as
>>>>>I added users in secondary groups to /etc/group users were recognized
>>>>>and rights were assigned.
>>>>>
>>>>>As a side note each line of /etc/group is limited to 1024 bytes, so
>>>>>there is a limit on how many users you can add to a group using
>>>>>/etc/group. If you exceed that when the system scans the /etc/group
>>>>>file, it will fail at the line >1024 bytes and any groups below will
>>>>>fail to be recognized. I believe that this is a bug. If you do "ls" on a
>>>>>directory or "id <username>" where one of the entries in your /etc/group
>>>>>has exceeded the limit, the groups will show as numbers and not a group
>>>>>name.
>>>>>
>>>>>
>>>>>Can I use pam_winbindd to extract group membership from LDAP at this
>>>>>time for secondary, tertiary etc groups?
>>>>>
>>>>>
>>>>>
>>>>>John H Terpstra wrote:
>>>>>
>>>>>>On Wed, 7 Jan 2004, Andrew Judge wrote:
>>>>>>
>>>>>>>I think that most of my problems are somewhat resolved except for this last
>>>>>>>one.  I can not get domain admin rights to the ntadmins users.  I get the
>>>>>>>following output for groupmaps:
>>>>>>>
>>>>>>>[root at fire2 i386]# net groupmap list
>>>>>>>System Operators (S-1-5-32-549) -> -1
>>>>>>>Replicators (S-1-5-32-552) -> -1
>>>>>>>Guests (S-1-5-32-546) -> -1
>>>>>>>Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
>>>>>>>Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
>>>>>>>Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
>>>>>>>Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
>>>>>>>Power Users (S-1-5-32-547) -> -1
>>>>>>>Print Operators (S-1-5-32-550) -> -1
>>>>>>>Administrators (S-1-5-32-544) -> -1
>>>>>>>Account Operators (S-1-5-32-548) -> -1
>>>>>>>Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
>>>>>>>Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
>>>>>>>Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
>>>>>>>Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
>>>>>>>Backup Operators (S-1-5-32-551) -> -1
>>>>>>>Users (S-1-5-32-545) -> -1
>>>>>>>
>>>>>>>
>>>>>>>Obviously there is a problem with the domain '*' SID because there are
>>>>>>>duplicates.  Any idea how to correct this problem and get the users logged
>>>>>>>in with admin rights.  I have RH EN v.3 and samba 3.0.0-14.3E from RH.  I
>>>>>>>can see the users from the samba server and the users can log in, but no
>>>>>>>rights.  Big problem.
>>>>>>>
>>>>>>Ok. Roll up your sleeves!
>>>>>>
>>>>>>I am presuming that you are NOT using an LDAP backend, that you still are
>>>>>>using an smbpasswd backend datafile.
>>>>>>
>>>>>>1. Stop Samba
>>>>>>2. Delete the group_mapping.tdb file.
>>>>>>3. Restart Samba
>>>>>>	- the default Domain Groups will automatically be created if you
>>>>>>	  are NOT using LDAP ldapsam.
>>>>>>4. Map your groups as follows:
>>>>>>
>>>>>>net groupmap modify ntgroup="Domain Users" unixgroup=users
>>>>>>net groupmap modify ntgroup="Domain Admins" unixgroup=root
>>>>>>net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
>>>>>>
>>>>>>Add any Domain Groups you may want. Do tie them to existing (manually
>>>>>>created) UNIX groups, eg:
>>>>>>
>>>>>>groupadd engineers
>>>>>>net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
>>>>>>
>>>>>>groupadd ntadmins
>>>>>>net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
>>>>>>
>>>>>>
>>>>>>PS: If you have a problem with these commands email me, I'll help you.
>>>>>>
>>>>>>
>>>>>>5. Add all users who should have Domain Admin rights to the UNIX root
>>>>>>group in /etc/group, like this:
>>>>>>
>>>>>>root:0::jht,jimbo,jack,jill
>>>>>>
>>>>>>
>>>>>>6. Add all users who should have Workstation Admin rights (Power Users) to
>>>>>>the UNIX ntadmins group in /etc/group, like this:
>>>>>>
>>>>>>ntadmins:123::maryo,susant,billm
>>>>>>
>>>>>>
>>>>>>7. Verify that the groups are correctly mapped:
>>>>>>
>>>>>>net groupmap list
>>>>>>
>>>>>>
>>>>>>8. Now: On every windows client machine add:
>>>>>>
>>>>>>	a) Domain Admins to the Local Administrators Group
>>>>>>	b) Domain Power Users to the Local Power Users Group
>>>>>>
>>>>>>
>>>>>>>Now... I migrated from 2.2.3a to the above and I have all the tdb and I
>>>>>>>changed the SID to the last PDC.  Anyway, how would I get the right SID?  I
>>>>>>>have NTUSER.DAT files that I can run profiles against to read them.  Would
>>>>>>>that help?
>>>>>>>
>>>>>>You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
>>>>>>NTUSER.DAT files.
>>>>>>
>>>>>>To obtain the domain SID just run:
>>>>>>
>>>>>>	net getlocalsid
>>>>>>
>>>>>>
>>>>>>>First one that can point me in the right direction to get this resolved -
>>>>>>>I'll buy them an Amazon gift cert for $50.  Beats going bald from pulling out
>>>>>>>my hair.
>>>>>>>
>>>>>>It's a deal man!
>>>>>>
>>>>>>
>>>>>>- John T.
>
> --
> _________________________________________________________________
>
> Dr.  Hansjoerg Maurer           | LAN- & System-Manager
>                                 |
> Deutsches Zentrum               | DLR Oberpfaffenhofen
>   f. Luft- und Raumfahrt e.V.   |
> Institut f. Robotik             |
> Postfach 1116                   | Muenchner Strasse 20
> 82230 Wessling                  | 82234 Wessling
> Germany                         |
>                                 |
> Tel: 08153/28-2431              | E-mail: Hansjoerg.Maurer at dlr.de
> Fax: 08153/28-1134              | WWW: http://www.robotic.dlr.de/
> __________________________________________________________________
>
>
> There are 10 types of people in this world,
> those who understand binary and those who don't.
>
>


-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Linprunstr. 10
D-80335 München
Ph/Fax +49 89 52 04 68-41/-59
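The thread above turns on four things that are easy to check offline once you have captured `getent group`, `getent passwd` and `net groupmap list` output: whether NSS actually reports the user's secondary groups (what `id` shows), whether a given `valid users` line admits the user under the prefix rules smb.conf(5) documents (`+name` is a UNIX group only, `&name` a NIS netgroup only, `@name` tries the netgroup first and then the UNIX group), whether any `/etc/group` line is over the 1024-byte limit Kent mentions, and whether the groupmap contains `-> -1` entries or domain SIDs that do not belong to the local domain (the duplicate SIDs in Andrew's listing). The script below is an added example written for this page, not Samba code or anything posted in the thread; its sample data is constructed from the listings quoted above, NIS netgroups are not modelled, and LOCAL_SID is an assumed `net getlocalsid` value for the box that produced the groupmap sample.

```python
"""Offline check of the group-resolution questions raised in this thread:
does NSS show the user's secondary groups, would a 'valid users' line admit
him, is any /etc/group line over 1024 bytes, and does 'net groupmap list'
contain unmapped or foreign-domain entries. Added example, not Samba code."""
import re

# Constructed input, modelled on the getent/id/groupmap listings quoted above.
GETENT_GROUP = """\
root:x:0:root
Domain Admins:x:912:
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
managementgroup:x:1001:management,root,haehnle,sporer,sporers
"""
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sporer:x:1000:1000:Sporer:/home/sporer:/bin/bash
management:x:1002:1001:Management:/home/management:/bin/false
"""
GROUPMAP_LIST = """\
Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Administrators (S-1-5-32-544) -> -1
"""
# Assumed 'net getlocalsid' output for the box that produced GROUPMAP_LIST.
LOCAL_SID = "S-1-5-21-4130613172-3879250231-1853402206"


def parse_group_db(text):
    """'getent group' lines -> {name: (gid, set_of_members)}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd_db(text):
    """'getent passwd' lines -> {user: primary gid}."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = int(fields[3])
    return users


def groups_of(user, groups, passwd):
    """What 'id user' reports: the passwd primary gid plus every group
    whose member list names the user (the secondary groups at issue here)."""
    gid = passwd.get(user)
    return {name for name, (g, members) in groups.items()
            if g == gid or user in members}


def valid_users_allows(spec, user, groups, passwd):
    """Evaluate an smb.conf 'valid users' list per smb.conf(5): '+name' is a
    UNIX group only, '&name' a NIS netgroup only, '@name' tries the NIS
    netgroup first and then the UNIX group; anything else is a user name.
    NIS is not modelled, so '&' entries never match here."""
    member_of = groups_of(user, groups, passwd)
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if token[0] in "+@" and token[1:] in member_of:
            return True
        if token[0] not in "+@&" and token == user:
            return True
    return False


def oversized_group_lines(text, limit=1024):
    """Names of groups whose /etc/group line is longer than 'limit' bytes,
    the condition Kent describes as breaking name resolution below it."""
    return [line.split(":", 1)[0] for line in text.splitlines()
            if len(line.encode("utf-8")) > limit]


GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>.+)$")


def groupmap_problems(text, local_sid):
    """Flag 'net groupmap list' entries mapped to -1 and domain-group entries
    whose SID prefix is not local_sid (the duplicate domain SIDs Andrew saw).
    BUILTIN groups (S-1-5-32-*) are only checked for being unmapped."""
    problems = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line)
        if not m:
            continue
        nt, sid, unix = m.group("nt", "sid", "unix")
        if unix == "-1":
            problems.append((nt, sid, "unmapped"))
        if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[0] != local_sid:
            problems.append((nt, sid, "foreign domain SID"))
    return problems


if __name__ == "__main__":
    groups = parse_group_db(GETENT_GROUP)
    passwd = parse_passwd_db(GETENT_PASSWD)
    print("sporer is in:", sorted(groups_of("sporer", groups, passwd)))
    for spec in ("@managementgroup,root", "+managementgroup,root", "&managementgroup"):
        print(f"valid users = {spec!r:30} -> sporer allowed: "
              f"{valid_users_allows(spec, 'sporer', groups, passwd)}")
    print("oversized /etc/group lines:", oversized_group_lines(GETENT_GROUP))
    for nt, sid, why in groupmap_problems(GROUPMAP_LIST, LOCAL_SID):
        print(f"groupmap: {nt} ({sid}): {why}")
```

On a real server, feed the functions the captured output of `getent group`, `getent passwd` and `net groupmap list` and the SID from `net getlocalsid`. If `groups_of` already lacks the secondary group, the fault is in NSS (nsswitch.conf or nss_ldap), not in smb.conf; if it is present but the share still refuses the user, look at the `valid users` spelling and at `force user`/`force group` before touching the groupmap.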

