[Samba] Samba cannot find group in ADS

Kay Obermueller KObermueller at t-online.de
Sun Nov 14 12:49:25 GMT 2004


Hello everybody,
I have a Samba 3.0.7-Debian setup and joined a W2k ADS domain. A user is 
put in "SambaUsers" as his primary group. I can create files 
from an XP client that belong to the user in "SambaUsers". The user is 
successfully authenticated by Samba and can access his profile. I want 
him to be able to access the share "p" on Samba. Without "valid users" 
set for the share this is possible. If I try to limit access to 
"SambaUsers", this group isn't found by Samba in the domain.
Shall I have a closer look at winbind?
Who can help me have a good Sunday?
:)

Kay


testparm:

# Global parameters
[global]
        unix charset = UTF8
        display charset = UTF8
        workgroup = LIHH
        realm = LIHH.LOC
        server string = %h server (Samba %v)
        security = ADS
        password server = liba.lihh.loc
        log level = 3 passdb:5 auth:10 winbind:5
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        domain master = No
        dns proxy = No
        wins server = 10.1.1.3
        ldap ssl = no
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = sambausers
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes

[homes]
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        browseable = No

[p]
        comment = Documents
        path = /home/samba/p
        valid users = @LIHH\SambaUsers
        read only = No
        create mask = 0750

[profiles]
        comment = Documents
        path = /home/samba/profiles
        read only = No
        create mask = 0750



The groups on the DC:

morgane:/etc/samba# wbinfo -g
BUILTIN+System Operators
BUILTIN+Replicators
BUILTIN+Guests
BUILTIN+Power Users
BUILTIN+Print Operators
BUILTIN+Administrators
BUILTIN+Account Operators
BUILTIN+Backup Operators
BUILTIN+Users
Domänencomputer
Domänen-Gäste
Zertifikatherausgeber
Organisations-Admins
Schema-Admins
Domänencontroller
Domänen-Benutzer
Domänen-Admins
Richtlinien-Ersteller-Besitzer
DnsUpdateProxy
SambaUsers



Groupmap on samba machine:

morgane:/etc/samba# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-788693271-928550680-3704065133-514) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domänen-Benutzer (S-1-5-21-788693271-928550680-3704065133-1201) -> users
Domain Admins (S-1-5-21-788693271-928550680-3704065133-512) -> root
SambaUsers (S-1-5-21-788693271-928550680-3704065133-21065) -> sambausers
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-788693271-928550680-3704065133-513) -> -1



The suspicious output of /var/log/samba/log.winbindd:

[2004/11/14 04:28:05, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group LIHH\SambaUsers in domain LIHH does not exist
[2004/11/14 04:28:06, 3] libads/ads_ldap.c:ads_sid_to_dn(222)
  ads sid_to_dn mapped CN=Pentium,CN=Computers,DC=lihh,DC=loc
[2004/11/14 04:28:06, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group LIHH\SambaUsers in domain LIHH does not exist
[2004/11/14 04:28:14, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group LIHH\SambaUsers in domain LIHH does not exist
[2004/11/14 04:28:15, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group LIHH\SambaUsers in domain LIHH does not exist
 
 
 
Then of course in /var/log/samba/log.<ip_number> I get:

[2004/11/14 04:28:15, 2] smbd/service.c:make_connection_snum(314)
  user 'LIHH+User.Name' (from session setup) not permitted to access this share (p)
[2004/11/14 04:28:15, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


