[Samba] Cannot set a "Domain group" membership with ldapSAM
Angel Galindo Muñoz
agalindo at ub.edu
Thu May 13 13:05:48 GMT 2004
Hello everybody!
I should have an error on the LDAP entries of my ldapSAM, but I've read
several times chapters 11 & 12 of the Samba HOWTO Collection and I
cannot fix it. Let's explain:
I've got a StandAlone fileserver (not PDC) samba-3.0.4 with ldapSAM
working on a RedHat Enterprise 3.0 (linux kernel 2.4.25). The directory
server version shouldn't be important, but it's a iPlanet Directory
Server 5.1 .
The home shares works fine , the users ("Windows 2000 professional"
clients) authenticate agains the ldapSAM account database. But the
problem appears when I try to add ACLs to the files: Right click ->
Security . It's not a filesystem error, the ACLs work with XFS and the
smb.conf enables it. That dialog-box shows errors:
If I click on that dialog-box to add extra permissions it complains
with my credentials , tells that my account hasn't access to the server
and asks me for other login/password .
The logs are clear : "primary gid of user [samba4] is not a Domain
group". It's clear that I haven't set correctly the group membership for
this account (later there's an ldapsearch result). Surely it's a bad
group mapping. Let's see the logs:
...
[2004/05/13 14:48:04, 2] lib/access.c:check_access(324)
Allowed connection from (161.116.x.y)
[2004/05/13 14:48:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
init_sam_from_ldap: Entry found for user: samba4
[2004/05/13 14:48:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
init_group_from_ldap: Entry found for group: 1001
[2004/05/13 14:48:04, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [samba4] -> [samba4] ->
[samba4] succeeded
...
[2004/05/13 14:48:04, 1] smbd/service.c:make_connection_snum(619)
vmww2k (161.116.x.y) connect to service samba4 initially as user
samba4 (uid=1001, gid=1001) (pid 21363)
...
[2004/05/13 14:48:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
init_sam_from_ldap: Entry found for user: samba4
[2004/05/13 14:48:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
init_group_from_ldap: Entry found for group: 1001
[2004/05/13 14:48:31, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
Returning domain sid for domain SAMBAP ->
S-1-5-21-349043978-4100265039-1442050830
...
[2004/05/13 14:48:31, 2] passdb/pdb_ldap.c:ldapsam_setsamgrent(2248)
ldapsam_setsampwent: 3 entries in the base!
[2004/05/13 14:48:31, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
init_group_from_ldap: Entry found for group: 1001
[2004/05/13 14:48:31, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
init_group_from_ldap: Entry found for group: 10
[2004/05/13 14:48:31, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
init_group_from_ldap: Entry found for group: 99
[2004/05/13 14:48:31, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [samba4] is not a Domain
group !
get_domain_user_groups: You should fix it, NT doesn't like that
...
Let's show the ldapsearch of this LDAP tree:
################
## CONTAINERS ##
################
version: 1
dn: ou=file, o=ub,c=es
objectClass: top
objectClass: organizationalUnit
ou: file
dn: ou=People, ou=file, o=ub,c=es
objectClass: top
objectClass: organizationalUnit
ou: People
dn: ou=Groups, ou=file, o=ub,c=es
ou: Groups
objectClass: top
objectClass: organizationalUnit
dn: ou=Computers, ou=file, o=ub,c=es
ou: Computers
objectClass: top
objectClass: organizationalUnit
######################
## The Server entry ##
######################
dn: sambaDomainName=SAMBAP,ou=file, o=ub, c=es
sambaDomainName: SAMBAP
sambaSID: S-1-5-21-349043978-4100265039-1442050830
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
################
## The GROUPS ##
################
dn: cn=Domain Users, ou=Groups, ou=file, o=ub,c=es
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-349043978-4100265039-1442050830-513
gidNumber: 1001
sambaGroupType: 5
cn: Domain Users
displayName: Domain Users
description: El grup UNIX d usuaris Samba
memberUid: samba4
dn: cn=Domain Admins, ou=Groups, ou=file, o=ub,c=es
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-349043978-4100265039-1442050830-512
gidNumber: 10
sambaGroupType: 5
cn: Domain Admins
displayName: Domain Admins
description: Grup UNIX d administradors de Samba amb gid de wheel
dn: cn=Domain Guests, ou=Groups, ou=file, o=ub,c=es
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-349043978-4100265039-1442050830-514
gidNumber: 99
sambaGroupType: 5
cn: Domain Guests
displayName: Domain Guests
description: El grup UNIX de samba nobody amb gid de nobody
##############
## The USER ##
##############
dn: uid=samba4, ou=People, ou=file, o=ub, c=es
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
sambaAcctFlags: [UX ]
uid: samba4
cn: Usuari samba4
loginShell: /bin/bash
gidNumber: 1001
displayName: Usuari samba4
homeDirectory: /home/samba4
sambaNTPassword: 47592B71CXXXXXXXXXXXXX901B4D1A37
sambaLMPassword: 63F31FE83XXXXXXXXXXXXX35B51404EE
sambaSID: S-1-5-21-349043978-4100265039-1442050830-4001
uidNumber: 1001
sambaPrimaryGroupSID: S-1-5-21-349043978-4100265039-1442050830-513
userPassword: {CRYPT}DmXXXXXXXXXcU
The group mapping seems also fine:
[root at sambap root]# /opt/samba/bin/net groupmap list
Domain Users (S-1-5-21-349043978-4100265039-1442050830-513) -> Domain Users
Domain Admins (S-1-5-21-349043978-4100265039-1442050830-512) -> wheel
Domain Guests (S-1-5-21-349043978-4100265039-1442050830-514) -> nobody
I'm sure that the data which fills the ldapSAM is not right. Maybe it's
a bad group mapping , but I couldn't find anywhere more extense
documentation and examples about it. Maybe it should be shiped on next
releases of Samba HOWTO Collection. Of course, if finally I can make it
work I offer to gather the info to give a complete example of howto
configure ldapSAM to deploy a Stand-Alone server which could help others.
Any help would be very appreciated, at list some URLs with more info. I
offer myself again to collect data and improve the Collection HOWTO once
it works if it finally does. Thanks in advance.
P.D.: At least would be fine to get some URLs about my doubts with
ldapSAM: a complete description of LDAP attributes of the objectClasses
sambaSamAccount & sambaGroupMapping and their implications. For example,
I don't know the meaning of sambaGroupType: 2 (domain) and
sambaGroupType: 5 (local), is needed a guest user and an admin user...
--
Angel Galindo Muñoz
agalindo at ub.edu
More information about the samba
mailing list