[Samba] Cannot set a "Domain group" membership with ldapSAM

Angel Galindo Muñoz agalindo at ub.edu
Thu May 13 13:05:48 GMT 2004


	Hello everybody!

	I should have an error on the LDAP entries of my ldapSAM, but I've read 
several times chapters 11 & 12 of the Samba HOWTO Collection and I 
cannot fix it. Let's explain:



	I've got a StandAlone fileserver (not PDC) samba-3.0.4 with ldapSAM 
working on a RedHat Enterprise 3.0 (linux kernel 2.4.25). The directory 
server version shouldn't be important, but it's an iPlanet Directory 
Server 5.1.

	The home shares work fine, the users ("Windows 2000 professional" 
clients) authenticate against the ldapSAM account database. But the 
problem appears when I try to add ACLs to the files: Right click -> 
Security. It's not a filesystem error, the ACLs work with XFS and the 
smb.conf enables it. That dialog-box shows errors:

	If I click on that dialog-box to add extra permissions it complains 
about my credentials, tells me that my account hasn't access to the server 
and asks me for another login/password.



	The logs are clear: "primary gid of user [samba4] is not a Domain 
group". It's clear that I haven't set correctly the group membership for 
this account (later there's an ldapsearch result). Surely it's a bad 
group mapping. Let's see the logs:

...
[2004/05/13 14:48:04, 2] lib/access.c:check_access(324)
   Allowed connection from  (161.116.x.y)
[2004/05/13 14:48:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
   init_sam_from_ldap: Entry found for user: samba4
[2004/05/13 14:48:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
   init_group_from_ldap: Entry found for group: 1001
[2004/05/13 14:48:04, 2] auth/auth.c:check_ntlm_password(305)
   check_ntlm_password:  authentication for user [samba4] -> [samba4] -> 
[samba4] succeeded
...
[2004/05/13 14:48:04, 1] smbd/service.c:make_connection_snum(619)
   vmww2k (161.116.x.y) connect to service samba4 initially as user 
samba4 (uid=1001, gid=1001) (pid 21363)
...
[2004/05/13 14:48:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
   init_sam_from_ldap: Entry found for user: samba4
[2004/05/13 14:48:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
   init_group_from_ldap: Entry found for group: 1001
[2004/05/13 14:48:31, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
   Returning domain sid for domain SAMBAP -> 
S-1-5-21-349043978-4100265039-1442050830
...
[2004/05/13 14:48:31, 2] passdb/pdb_ldap.c:ldapsam_setsamgrent(2248)
   ldapsam_setsampwent: 3 entries in the base!
[2004/05/13 14:48:31, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
   init_group_from_ldap: Entry found for group: 1001
[2004/05/13 14:48:31, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
   init_group_from_ldap: Entry found for group: 10
[2004/05/13 14:48:31, 2] passdb/pdb_ldap.c:init_group_from_ldap(1792)
   init_group_from_ldap: Entry found for group: 99
[2004/05/13 14:48:31, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
   get_domain_user_groups: primary gid of user [samba4] is not a Domain 
group !
   get_domain_user_groups: You should fix it, NT doesn't like that
...




	Let's show the ldapsearch of this LDAP tree:

################
## CONTAINERS ##
################
version: 1
dn: ou=file, o=ub,c=es
objectClass: top
objectClass: organizationalUnit
ou: file

dn: ou=People, ou=file, o=ub,c=es
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups, ou=file, o=ub,c=es
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Computers, ou=file, o=ub,c=es
ou: Computers
objectClass: top
objectClass: organizationalUnit

######################
## The Server entry ##
######################
dn: sambaDomainName=SAMBAP,ou=file, o=ub, c=es
sambaDomainName: SAMBAP
sambaSID: S-1-5-21-349043978-4100265039-1442050830
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

################
## The GROUPS ##
################
dn: cn=Domain Users, ou=Groups, ou=file, o=ub,c=es
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-349043978-4100265039-1442050830-513
gidNumber: 1001
sambaGroupType: 5
cn: Domain Users
displayName: Domain Users
description: El grup UNIX d usuaris Samba
memberUid: samba4

dn: cn=Domain Admins, ou=Groups, ou=file, o=ub,c=es
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-349043978-4100265039-1442050830-512
gidNumber: 10
sambaGroupType: 5
cn: Domain Admins
displayName: Domain Admins
description: Grup UNIX d administradors de Samba amb gid de wheel

dn: cn=Domain Guests, ou=Groups, ou=file, o=ub,c=es
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-349043978-4100265039-1442050830-514
gidNumber: 99
sambaGroupType: 5
cn: Domain Guests
displayName: Domain Guests
description: El grup UNIX de samba nobody amb gid de nobody

##############
## The USER ##
##############
dn: uid=samba4, ou=People, ou=file, o=ub, c=es
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
sambaAcctFlags: [UX         ]
uid: samba4
cn: Usuari samba4
loginShell: /bin/bash
gidNumber: 1001
displayName: Usuari samba4
homeDirectory: /home/samba4
sambaNTPassword: 47592B71CXXXXXXXXXXXXX901B4D1A37
sambaLMPassword: 63F31FE83XXXXXXXXXXXXX35B51404EE
sambaSID: S-1-5-21-349043978-4100265039-1442050830-4001
uidNumber: 1001
sambaPrimaryGroupSID: S-1-5-21-349043978-4100265039-1442050830-513
userPassword: {CRYPT}DmXXXXXXXXXcU




	The group mapping seems also fine:

[root at sambap root]# /opt/samba/bin/net groupmap list
Domain Users (S-1-5-21-349043978-4100265039-1442050830-513) -> Domain Users
Domain Admins (S-1-5-21-349043978-4100265039-1442050830-512) -> wheel
Domain Guests (S-1-5-21-349043978-4100265039-1442050830-514) -> nobody



	I'm sure that the data which fills the ldapSAM is not right. Maybe it's 
a bad group mapping, but I couldn't find anywhere more extensive 
documentation and examples about it. Maybe it should be shipped in the next 
releases of the Samba HOWTO Collection. Of course, if finally I can make it 
work I offer to gather the info to give a complete example of how to 
configure ldapSAM to deploy a Stand-Alone server which could help others.


	Any help would be very appreciated, at least some URLs with more info. I 
offer myself again to collect data and improve the HOWTO Collection once 
it works, if it finally does. Thanks in advance.





P.S.: At least it would be fine to get some URLs about my doubts with 
ldapSAM: a complete description of the LDAP attributes of the objectClasses 
sambaSamAccount & sambaGroupMapping and their implications. For example, 
I don't know the meaning of sambaGroupType: 2 (domain) and 
sambaGroupType: 5 (local), whether a guest user and an admin user are needed...


-- 
Angel Galindo Muñoz
agalindo at ub.edu
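The check that smbd's get_domain_user_groups() performs on a user's primary group, reproduced as a small offline script. This is an added example, not code from the post or from Samba. It parses a constructed LDIF fragment trimmed from the entries shown above (password hashes removed, group-type values as posted), follows the user's gidNumber to the matching sambaGroupMapping entry, and verifies that the entry's sambaSID equals the user's sambaPrimaryGroupSID and that its sambaGroupType is 2, the SID_NAME_DOM_GRP value of Samba's SID_NAME_USE enumeration; the value 5 used in the post's entries is SID_NAME_WKN_GRP (well-known group), which is exactly the condition the "primary gid of user [samba4] is not a Domain group" message reports. The parser handles only plain `attr: value` LDIF (no base64 or folded lines), which is enough for ldapsearch output like the post's.

```python
"""Check that an ldapsam user's primary group is a Samba 'Domain group'.

Added example (not from the mailing-list post or from Samba itself).
Attribute names are compared case-insensitively, as LDAP does, so the
post's 'posixgroup' spelling is accepted.
"""
from __future__ import annotations

SID_NAME_DOM_GRP = 2   # SID_NAME_USE value Samba requires for a domain group
SID_NAME_WKN_GRP = 5   # well-known group: the value the post's entries carry

# Constructed sample, trimmed from the ldapsearch output in the post.
SAMPLE_LDIF = """\
dn: cn=Domain Users, ou=Groups, ou=file, o=ub,c=es
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-349043978-4100265039-1442050830-513
gidNumber: 1001
sambaGroupType: 5
cn: Domain Users
memberUid: samba4

dn: uid=samba4, ou=People, ou=file, o=ub, c=es
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
uid: samba4
gidNumber: 1001
uidNumber: 1001
sambaSID: S-1-5-21-349043978-4100265039-1442050830-4001
sambaPrimaryGroupSID: S-1-5-21-349043978-4100265039-1442050830-513
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse plain 'attr: value' LDIF into a list of entry dicts.

    Keys are lower-cased attribute names; values keep their case.
    Entries are separated by blank lines; comment lines are skipped.
    """
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        if ":" not in line:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _has_class(entry: dict[str, list[str]], cls: str) -> bool:
    return cls.lower() in (v.lower() for v in entry.get("objectclass", []))


def check_primary_group(entries: list[dict[str, list[str]]], username: str) -> list[str]:
    """Return the list of problems found; an empty list means smbd would be happy."""
    users = [e for e in entries
             if _has_class(e, "sambaSamAccount") and e.get("uid") == [username]]
    if len(users) != 1:
        return [f"expected one sambaSamAccount for {username}, found {len(users)}"]
    user = users[0]
    gid = user.get("gidnumber", [None])[0]
    prim_sid = user.get("sambaprimarygroupsid", [None])[0]

    # Step 1: the POSIX primary gid must resolve to one mapped group.
    groups = [e for e in entries
              if _has_class(e, "sambaGroupMapping") and e.get("gidnumber") == [gid]]
    if len(groups) != 1:
        return [f"gidNumber {gid} maps to {len(groups)} sambaGroupMapping entries, expected 1"]
    group = groups[0]
    problems = []

    # Step 2: the mapped group's SID must be the user's primary group SID.
    group_sid = group.get("sambasid", [None])[0]
    if group_sid != prim_sid:
        problems.append(f"sambaPrimaryGroupSID {prim_sid} != group sambaSID {group_sid}")

    # Step 3: the mapped group must be a domain group (type 2), not type 4/5.
    gtype = group.get("sambagrouptype", [None])[0]
    if gtype != str(SID_NAME_DOM_GRP):
        problems.append(f"sambaGroupType is {gtype}, not {SID_NAME_DOM_GRP} (domain group): "
                        "smbd reports 'primary gid ... is not a Domain group'")
    return problems


if __name__ == "__main__":
    for problem in check_primary_group(parse_ldif(SAMPLE_LDIF), "samba4"):
        print("PROBLEM:", problem)
```

Run against the posted entries the script reports only the group-type mismatch; the SID pairing (gid 1001 -> RID 513 -> sambaPrimaryGroupSID ...-513) is already consistent, which matches the log: the user and group entries are both found, and only the final domain-group test fails.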



