WAS: Re: [Samba] net groupmap / domain admins problem - Amazon
prize
Kent L. Nasveschuk
kent at wareham.k12.ma.us
Fri Jan 9 02:31:07 GMT 2004
John,
I actually did try this out +<groupe name>, I don't believe I could get
it to work. I tryed many variations. I guess I need to experiment more
with how nsswitch.conf and how pam is configured. I'm not real
knowledgeable in this area.
I found an interesting work around for those of you looking for mapping
drives from login scripts based on secondary + groups.
/etc/group
dusers:x:500:
staff:x:680:kent,fred,joe
/etc/passwd
kent:x:4044:500::/accounts/staff/kent:/bin/bash
ksnider:x:4045:500::/accounts/staff/fred:/bin/bash
joe:x:4045:500::/accounts/staff/joe:/bin/bash
Users primary group is dusers 500 but have secondary group staff 680.
In netlogon directory I put directory same name as share for example:
netlogon/staff-files
In the directory put single file secured by directory permissions
example:
netlogon/staff-files/readme
directory permissions on staff-files directory in netlogon (0750)
drwxr-x--- 2 root staff 4096 Jan 7 07:40 staff-files
share is smb.conf:
[staff-files]
comment = Staff Files
path = /accounts/staff/staff-files
valid users = @staff
write list = @staff
In netlogon script reads as follows:
if exist \\SERVERNAME\netlogon\staff-files net use S:
\\SERVERNAME\staff-files
Samba checks local Linux groups and if user is in group he/she is
capable of reading file, drive is mapped.
Of course I wish all this info was in LDAP so I wouldn't have to mess
with local groups but Christmas has gone by and I didn't find this
solution in my stocking.
I can't take any credit for this idea. I found it in a 1999 posting but
it's a temporary fix for something that I believe many of us are
seeking.
Just have to say this stuff is marvelous. I've been utterly frustrated
and amazed at the versatilaty of Samba. Thanks for you support.
On Thu, 2004-01-08 at 03:54, John H Terpstra wrote:
> Hansjoerg,
>
> Instead of:
> valid users = @Groupe
>
> Please try:
> valid users = +Groupe
>
> Thanks.
>
> - John T.
>
>
> On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>
> > Hi
> >
> > thank you, for your fast replay.
> > I have a user sporer
> > [root at server root]# id -a sporer
> > uid=1000(sporer) gid=1000(sensodrivegroup)
> > Gruppen=1000(sensodrivegroup),1001(managementgroup)
> >
> > The user and the group is in ldap and nss_ldap seems to work..
> > [root at server root]# getent group
> > root:x:0:root
> > ....
> > Domain Admins:x:912:
> > Domain Users:x:913:
> > Domain Guests:x:914:
> > Administrators:x:944:
> > Users:x:945:
> > Guests:x:946:
> > Power Users:x:947:
> > Account Operators:x:948:
> > Server Operators:x:949:
> > Print Operators:x:950:Administrator
> > Backup Operators:x:951:
> > Replicator:x:952:
> > Domain Computers:x:953:
> > sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
> > managementgroup:x:1001:management,root,haehnle,sporer,sporers
> >
> > I am using
> > [root at server root]# rpm -q nss_ldap
> > nss_ldap-207-3
> >
> > on RH9
> >
> > Within samba I have to shares
> > [Projekte]
> > comment = Sensodrive-Projekte
> > path = /home/sensodrive
> > force group = sensodrivegroup
> > force user = sensodrive
> > valid users = @sensodrivegroup,root
> >
> > [Management]
> > comment = Sensodrive-Management
> > path = /home/management
> > force group = managementgroup
> > force user = management
> > valid users = @managementgroup,root
> >
> > Every user can access the Projekte share, because the primary group of
> > every user is sensodrivegroup.
> > When user sporer tries to acess the Management share, he gets
> > user 'sporer' (from session setup) not permitted to access this share
> > (Management)
> >
> > If I add the user sporer by his username to valid users it works
> > valid users = @managementgroup,root,sporer,haehnle,sporers
> >
> > Maybe this helps to solve the problem
> > If you need more information, or further testing give me a note
> >
> > Thank you very much
> >
> > Greetings
> >
> > Hansjörg
> >
> >
> >
> >
> > John H Terpstra wrote:
> >
> > >On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
> > >
> > >
> > >
> > >>Hi
> > >>
> > >>i have a question related to the groupmapping with ldapsam as backend.
> > >>You discribed, that groupentries have to be in /etc/group with tdbsam as
> > >>backend.
> > >>
> > >>I recognized, that samba 3,0.1 with ldapsam does not recognize secondary
> > >>groups in ldap.
> > >>(e.g for accessing a share)
> > >>
> > >>The problem is described by kent at wareham.k12.ma.us to (see his email
> > >>attached).
> > >>
> > >>Do secondary groups have to be in /etc/groups in order to be recognized
> > >>by samba even with ldapsam?
> > >>
> > >>
> > >
> > >Whether or not this will work depends on how you configure ID resolution.
> > >
> > >Winbind apparently does not resolve secondary group membership.
> > >
> > >On the other hand, if you configure LDAP based ID resolution via the name
> > >service switcher (NSS) for both users and groups then secondary group
> > >membership resolution seems to work ok. The Posix user account should be
> > >in the LDAP database. You can then add users to multiple groups either in
> > >/etc/group or in the LDAP groups container.
> > >
> > >How did you configure /etc/nsswitch.conf?
> > >
> > >What does 'getent group' and 'getent passwd' show?
> > >
> > >If you have a user who is a member of mulitple secondary groups and you
> > >execute:
> > > id 'username'
> > >
> > >What does this report for that user?
> > >
> > >If LDAP based resolution of multiple group membership fails that is
> > >something that must be reported to PADL, the authors of nss_ldap.
> > >
> > >On the test systems I used to create the environments I used to create the
> > >example files for the new "Samba-3 by Example" book, I compiled nss_ldap
> > >version 212 and found that to work fine with multiple groups.
> > >
> > >Is this what you tried also?
> > >
> > >Cheers,
> > >John T.
> > >
> > >
> > >
> > >
> > >>Thank you very much
> > >>
> > >>Hansjörg
> > >>
> > >>
> > >>Hello,
> > >>I found an interesting thing that I don't know if it is a bug, by design
> > >>or I need to be doing something that I'm not but here goes.
> > >>
> > >>My system
> > >>RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
> > >>(3) BDC with LDAP slave backend. All are Samba 3.0.
> > >>
> > >>I had a probelem with secondary, tertiary etc groups that people belong
> > >>to and Samba recognizing these groups if they were stored in LDAP. The
> > >>primary group was no problem. When I created shares but used
> > >>"@groupname" for valid users or write list, Samba would fail to get
> > >>that info from LDAP. They needed to be in /etc/group to work. As soon as
> > >>I added users in secondary groups to /etc/group users were recognized
> > >>and rights were assigned.
> > >>
> > >>As a side note each line of /etc/group is limited to 1024 bytes, so
> > >>there is a limit on how many users you can add to a group using
> > >>/etc/group. If you exceed that when the system scans the /etc/group
> > >>file, it will fail at the line >1024 bytes and any groups below will
> > >>fail to be recognized. I believe that this is a bug. If you do "ls" on a
> > >>directory or "id <username>" where one of the entries in your /etc/group
> > >>has exceeded the limit, the groups will show as numbers and not a group
> > >>name.
> > >>
> > >>
> > >>Can I use pam_winbindd to extract group membership from LDAP at this
> > >>
> > >>time for secondary, tertiary etc groups?
> > >>
> > >>
> > >>
> > >>John H Terpstra wrote:
> > >>
> > >>
> > >>
> > >>>On Wed, 7 Jan 2004, Andrew Judge wrote:
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>>I think that most of my problems are somewhat resolved except for this last
> > >>>>one. I can not get domain admin rights to the ntadmins users. I get the
> > >>>>following output for groupmaps:
> > >>>>
> > >>>>[root at fire2 i386]# net groupmap list
> > >>>>System Operators (S-1-5-32-549) -> -1
> > >>>>Replicators (S-1-5-32-552) -> -1
> > >>>>Guests (S-1-5-32-546) -> -1
> > >>>>Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
> > >>>>Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
> > >>>>Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
> > >>>>Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
> > >>>>Power Users (S-1-5-32-547) -> -1
> > >>>>Print Operators (S-1-5-32-550) -> -1
> > >>>>Administrators (S-1-5-32-544) -> -1
> > >>>>Account Operators (S-1-5-32-548) -> -1
> > >>>>Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
> > >>>>Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
> > >>>>Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
> > >>>>Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
> > >>>>Backup Operators (S-1-5-32-551) -> -1
> > >>>>Users (S-1-5-32-545) -> -1
> > >>>>
> > >>>>
> > >>>>Obviously there is a problem with the domain '*' SID because there are
> > >>>>duplicates. Any idea how to correct this problem and get the users logged
> > >>>>in with admin rights. I have RH EN v.3 and samba 3.0.0-14.3E from RH. I
> > >>>>can see the users from the samba server and the users can log in, but no
> > >>>>rights. Big problem.
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>Ok. Roll up your sleeves!
> > >>>
> > >>>I am presuming that you are NOT using and LDAP backend, that you still are
> > >>>using an smbpasswd backend datafile.
> > >>>
> > >>>1. Stop Samba
> > >>>2. Delete the group_mapping.tdb file.
> > >>>3. Restart Samba
> > >>> - the default Domain Groups will automatically be created if you
> > >>> are NOT using LDAP ldapsam.
> > >>>4. Map your groups as follows:
> > >>>
> > >>>net groupmap modify ntgroup="Domain Users" unixgroup=users
> > >>>net groupmap modify ntgroup="Domain Admins" unixgroup=root
> > >>>net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
> > >>>
> > >>>Add any Domain Groups you may want. Do tie them to existing (manually
> > >>>created UNIX groups) eg:
> > >>>
> > >>>groupadd engineers
> > >>>net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
> > >>>
> > >>>groupadd ntadmins
> > >>>net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
> > >>>
> > >>>
> > >>>PS: If you have a problem with these commands email me, I'll help you.
> > >>>
> > >>>
> > >>>5. Add all users who should have Domain Admin rights to the UNIX root
> > >>>group in /etc/group, like this:
> > >>>
> > >>>root:0::jht,jimbo,jack,jill
> > >>>
> > >>>
> > >>>6. Add all users who should have Workstation Admin rights (Power Users) to
> > >>>the UNIX ntadmins group in /etc/group, like this:
> > >>>
> > >>>ntadmins:123::maryo,susant,billm
> > >>>
> > >>>
> > >>>7. Verify that the groups are correctly mapped:
> > >>>
> > >>>net groupmap list.
> > >>>
> > >>>
> > >>>8. Now: On every windows client machine add:
> > >>>
> > >>> a) Domain Admins to the Local Administrators Group
> > >>> b) Domain Power Users to the Local Power Users Group
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>>Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> > >>>>cahnged the SID to the last PDC. Anyway, how would I get the right SID? I
> > >>>>have NTUSER.DAT files that I can run profiles against to read them. Would
> > >>>>that help?
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
> > >>>NTUSER.DAT files.
> > >>>
> > >>>To obtain the domain SID just run:
> > >>>
> > >>> net getlocalsid
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>>First one that can point me in the right direction to get this resolved -
> > >>>>I'll buy them a amazon gift cert for $50. Beats going bald from pulling out
> > >>>>my hair.
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>It's a deal man!
> > >>>
> > >>>
> > >>>- John T.
> > >>>
> > >>>
> > >>>
> > >>>
> > >>
> > >>
> > >>
> > >
> > >
> > >
> >
> >
> >
>
> --
> John H Terpstra
> Email: jht at samba.org
--
Kent
nasve525 at regis.edu
kent at wareham.k12.ma.us
Tips:---------------------------------------------->
"OpenOffice.org ... Stops Word macro viruses DEAD!"
"Postgresql.org ... Don't 'kill -9' the postmaster"
"Technology is legislation - C. Einfeldt on OO.o discuss list"
More information about the samba
mailing list