[Samba] Samba cannot find group in ADS

Kay Obermueller KObermueller at t-online.de
Mon Nov 15 11:47:27 GMT 2004


Kay Obermueller wrote:

> Hello everybody,
> I have a Samba 3.0.7-Debian setup and joined a W2k ADS-domain. A User 
> is put in "SambaUsers" as his primary group. I can create 
> files from XP client that belong to user in "SambaUsers". The user is 
> successfully authenticated by samba and can access his profile. I want 
> him to be able to access the share "p" on samba. Without "valid users" 
> set for the share this is possible. If I try to limit access to 
> "SambaUsers", this group isn't found by samba in the domain.
> Shall I have a closer look at winbind?
> Who can help me have a good Sunday?
> :)
>
> Kay
>
>
> testparm:
>
> # Global parameters
> [global]
>        unix charset = UTF8
>        display charset = UTF8
>        workgroup = LIHH
>        realm = LIHH.LOC
>        server string = %h server (Samba %v)
>        security = ADS
>        password server = liba.lihh.loc
>        log level = 3 passdb:5 auth:10 winbind:5
>        syslog = 0
>        log file = /var/log/samba/log.%m
>        max log size = 1000
>        domain master = No
>        dns proxy = No
>        wins server = 10.1.1.3
>        ldap ssl = no
>        panic action = /usr/share/samba/panic-action %d
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>        template primary group = sambausers
>        template shell = /bin/bash
>        winbind separator = +
>        winbind use default domain = Yes
>
> [homes]
>        comment = Home Directories
>        create mask = 0700
>        directory mask = 0700
>        browseable = No
>
> [p]
>        comment = Documents
>        path = /home/samba/p
>        valid users = @LIHH\SambaUsers
>        read only = No
>        create mask = 0750
>
> [profiles]
>        comment = Documents
>        path = /home/samba/profiles
>        read only = No
>        create mask = 0750
>
>
>
> The groups on the DC:
>
> morgane:/etc/samba# wbinfo -g
> BUILTIN+System Operators
> BUILTIN+Replicators
> BUILTIN+Guests
> BUILTIN+Power Users
> BUILTIN+Print Operators
> BUILTIN+Administrators
> BUILTIN+Account Operators
> BUILTIN+Backup Operators
> BUILTIN+Users
> Domänencomputer
> Domänen-Gäste
> Zertifikatherausgeber
> Organisations-Admins
> Schema-Admins
> Domänencontroller
> Domänen-Benutzer
> Domänen-Admins
> Richtlinien-Ersteller-Besitzer
> DnsUpdateProxy
> SambaUsers
>
>
>
> Groupmap on samba machine:
>
> morgane:/etc/samba# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Guests (S-1-5-21-788693271-928550680-3704065133-514) -> nobody
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domänen-Benutzer (S-1-5-21-788693271-928550680-3704065133-1201) -> users
> Domain Admins (S-1-5-21-788693271-928550680-3704065133-512) -> root
> SambaUsers (S-1-5-21-788693271-928550680-3704065133-21065) -> sambausers
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Domain Users (S-1-5-21-788693271-928550680-3704065133-513) -> -1
>
>
>
> The suspicious output of /var/log/samba/log.winbindd:
>
> [2004/11/14 04:28:05, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>  group LIHH\SambaUsers in domain LIHH does not exist
> [2004/11/14 04:28:06, 3] libads/ads_ldap.c:ads_sid_to_dn(222)
>  ads sid_to_dn mapped CN=Pentium,CN=Computers,DC=lihh,DC=loc
> [2004/11/14 04:28:06, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>  group LIHH\SambaUsers in domain LIHH does not exist
> [2004/11/14 04:28:14, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>  group LIHH\SambaUsers in domain LIHH does not exist
> [2004/11/14 04:28:15, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>  group LIHH\SambaUsers in domain LIHH does not exist
>
>
>
> Then of course in /var/log/samba/log.<ip_number> I get:
>
> [2004/11/14 04:28:15, 2] smbd/service.c:make_connection_snum(314)
>  user 'LIHH+User.Name' (from session setup) not permitted to access this share (p)
> [2004/11/14 04:28:15, 3] smbd/error.c:error_packet(129)
>  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>

Hello everybody,
for my problem of not finding "SambaUsers" I found something odd:


grep 10032 /etc/group
sambausers:x:10032:


wbinfo -G 10032
S-1-5-32-552


net groupmap list
Replicators (S-1-5-32-552) -> -1

SambaUsers (S-1-5-21-788693271-928550680-3704065133-21065) -> sambausers


Somehow the unix group "sambausers" matches "Replicators" on windows 
instead of "SambaUsers".
Why is this? Or better, how to correct this?

Kay
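
Added example, not part of the original post: in the output above, the local gid 10032 of "sambausers" lies inside the configured `idmap gid = 10000-20000` range, which is the range winbindd allocates gids for domain SIDs from. The sketch below lists every local group whose gid falls inside that range; the function names and the sample files are constructed for illustration, using values from the post.

```shell
#!/bin/sh
# Report local groups whose gid lies inside winbind's "idmap gid" range.

# idmap_gid_range CONF -> prints "LOW HIGH" taken from "idmap gid = LOW-HIGH"
idmap_gid_range() {
    awk -F= '
        /^[ \t]*idmap[ \t]+gid[ \t]*=/ {
            gsub(/[ \t]/, "", $2)     # " 10000-20000" -> "10000-20000"
            split($2, r, "-")
            print r[1], r[2]
            exit
        }' "$1"
}

# colliding_groups CONF GROUPFILE -> prints "name:gid" per local group in range
colliding_groups() {
    range=$(idmap_gid_range "$1")
    [ -n "$range" ] || return 2       # no idmap gid range configured
    low=${range% *}
    high=${range#* }
    awk -F: -v low="$low" -v high="$high" '
        $3 ~ /^[0-9]+$/ && $3 + 0 >= low + 0 && $3 + 0 <= high + 0 {
            print $1 ":" $3
        }' "$2"
}

# write_sample DIR -> constructed smb.conf and group file (values from the post;
# every group line except sambausers is made up for the example)
write_sample() {
    printf '%s\n' '[global]' '   security = ADS' \
        '   idmap uid = 10000-20000' '   idmap gid = 10000-20000' > "$1/smb.conf"
    printf '%s\n' 'root:x:0:' 'users:x:100:' \
        'sambausers:x:10032:' 'nogroup:x:65534:' > "$1/group"
}

tmp=$(mktemp -d)
write_sample "$tmp"
colliding_groups "$tmp/smb.conf" "$tmp/group"   # prints: sambausers:10032
rm -rf "$tmp"
```

On a real host the arguments would be the live smb.conf and /etc/group; any group it prints shares its gid with the pool winbindd hands out to domain groups.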

