[Samba] Samba cannot find group in ADS
Kay Obermueller
KObermueller at t-online.de
Mon Nov 15 16:51:50 GMT 2004
Kay Obermueller wrote:
> Kay Obermueller wrote:
>
>> Hello everybody,
>> I have a Samba 3.0.7-Debian setup and joined a W2k ADS-domain. A User
>> is put in "SambaUsers" as his primary primary group. I can create
>> files from XP client that belong to user in "SambaUsers" The user is
>> successfully authenticated by samba and can access his profile. I
>> want him to be able to access the share "p" on samba. Without "valid
>> users" set for the share this is possible. If I try to limit access
>> to "SambaUsers", this group isn't found by samba in the domain.
>> Shall I have a closer look on winbind?
>> Who can help me have a good sunday?
>> :)
>>
>> Kay
>>
>>
>> testparm:
>>
>> # Global parameters
>> [global]
>> unix charset = UTF8
>> display charset = UTF8
>> workgroup = LIHH
>> realm = LIHH.LOC
>> server string = %h server (Samba %v)
>> security = ADS
>> password server = liba.lihh.loc
>> log level = 3 passdb:5 auth:10 winbind:5
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> domain master = No
>> dns proxy = No
>> wins server = 10.1.1.3
>> ldap ssl = no
>> panic action = /usr/share/samba/panic-action %d
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> template primary group = sambausers
>> template shell = /bin/bash
>> winbind separator = +
>> winbind use default domain = Yes
>>
>> [homes]
>> comment = Home Directories
>> create mask = 0700
>> directory mask = 0700
>> browseable = No
>>
>> [p]
>> comment = Documents
>> path = /home/samba/p
>> valid users = @LIHH\SambaUsers
>> read only = No
>> create mask = 0750
>>
>> [profiles]
>> comment = Documents
>> path = /home/samba/profiles
>> read only = No
>> create mask = 0750
>>
>>
>>
>> The groups on the DC:
>>
>> morgane:/etc/samba# wbinfo -g
>> BUILTIN+System Operators
>> BUILTIN+Replicators
>> BUILTIN+Guests
>> BUILTIN+Power Users
>> BUILTIN+Print Operators
>> BUILTIN+Administrators
>> BUILTIN+Account Operators
>> BUILTIN+Backup Operators
>> BUILTIN+Users
>> Domänencomputer
>> Domänen-Gäste
>> Zertifikatherausgeber
>> Organisations-Admins
>> Schema-Admins
>> Domänencontroller
>> Domänen-Benutzer
>> Domänen-Admins
>> Richtlinien-Ersteller-Besitzer
>> DnsUpdateProxy
>> SambaUsers
>>
>>
>>
>> Groupmap on samba machine:
>>
>> morgane:/etc/samba# net groupmap list
>> System Operators (S-1-5-32-549) -> -1
>> Replicators (S-1-5-32-552) -> -1
>> Guests (S-1-5-32-546) -> -1
>> Domain Guests (S-1-5-21-788693271-928550680-3704065133-514) -> nobody
>> Power Users (S-1-5-32-547) -> -1
>> Print Operators (S-1-5-32-550) -> -1
>> Administrators (S-1-5-32-544) -> -1
>> Account Operators (S-1-5-32-548) -> -1
>> Domänen-Benutzer (S-1-5-21-788693271-928550680-3704065133-1201) -> users
>> Domain Admins (S-1-5-21-788693271-928550680-3704065133-512) -> root
>> SambaUsers (S-1-5-21-788693271-928550680-3704065133-21065) -> sambausers
>> Backup Operators (S-1-5-32-551) -> -1
>> Users (S-1-5-32-545) -> -1
>> Domain Users (S-1-5-21-788693271-928550680-3704065133-513) -> -1
>>
>>
>>
>> The suspicious output of /var/log/samba/log.winbindd:
>>
>> [2004/11/14 04:28:05, 1]
>> nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>> group LIHH\SambaUsers in domain LIHH does not exist
>> [2004/11/14 04:28:06, 3] libads/ads_ldap.c:ads_sid_to_dn(222)
>> ads sid_to_dn mapped CN=Pentium,CN=Computers,DC=lihh,DC=loc
>> [2004/11/14 04:28:06, 1]
>> nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>> group LIHH\SambaUsers in domain LIHH does not exist
>> [2004/11/14 04:28:14, 1]
>> nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>> group LIHH\SambaUsers in domain LIHH does not exist
>> [2004/11/14 04:28:15, 1]
>> nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>> group LIHH\SambaUsers in domain LIHH does not exist
>>
>>
>>
>> Then of course in /var/log/samba/log.<ip_number> I get:
>>
>> [2004/11/14 04:28:15, 2] smbd/service.c:make_connection_snum(314)
>> user 'LIHH+User.Name' (from session setup) not permitted to access
>> this share (p)
>> [2004/11/14 04:28:15, 3] smbd/error.c:error_packet(129)
>> error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
>> NT_STATUS_ACCESS_DENIED
>>
>
> Hello everybody,
> for my problem of not finding "SambaUsers" I found something odd:
>
>
> grep 10032 /etc/group
> sambausers:x:10032:
>
>
> wbinfo -G 10032
> S-1-5-32-552
>
>
> net groupmap list
> Replicators (S-1-5-32-552) -> -1
>
> SambaUsers (S-1-5-21-788693271-928550680-3704065133-21065) -> sambausers
>
>
> Somehow the unix group "sambausers" matches "Replicators" on windows
> instead of "SambaUsers".
> Why is this? Or better how to correct this?
>
> Kay
Hello again,
I made some substantial progress in getting the groups thing to work. In
some posting from this NG I found an expample with the syntax of "valid
users = @ADSDOMAIN\groupname". This doesn't work. Winbind then asks for
\\ADSDOMAIN\ADSDOMAIN\groupname so "winbind -i" told me. It should be
"valid users = @groupname". Of course I already tried that before also...
But then I tried "winbind -n" which means "caching disabled" and now it
works!
So what's wrong with the caching?
Kay
More information about the samba
mailing list