[Samba] Samba cannot find group in ADS

Kay Obermueller KObermueller at t-online.de
Mon Nov 15 16:51:50 GMT 2004


Kay Obermueller wrote:

> Kay Obermueller wrote:
>
>> Hello everybody,
>> I have a Samba 3.0.7-Debian setup and joined a W2k ADS domain. A user
>> is put in "SambaUsers" as his primary group. I can create files from an
>> XP client that belong to a user in "SambaUsers". The user is
>> successfully authenticated by Samba and can access his profile. I
>> want him to be able to access the share "p" on Samba. Without "valid
>> users" set for the share this is possible. If I try to limit access
>> to "SambaUsers", this group isn't found by Samba in the domain.
>> Shall I have a closer look at winbind?
>> Who can help me have a good Sunday?
>> :)
>>
>> Kay
>>
>>
>> testparm:
>>
>> # Global parameters
>> [global]
>>        unix charset = UTF8
>>        display charset = UTF8
>>        workgroup = LIHH
>>        realm = LIHH.LOC
>>        server string = %h server (Samba %v)
>>        security = ADS
>>        password server = liba.lihh.loc
>>        log level = 3 passdb:5 auth:10 winbind:5
>>        syslog = 0
>>        log file = /var/log/samba/log.%m
>>        max log size = 1000
>>        domain master = No
>>        dns proxy = No
>>        wins server = 10.1.1.3
>>        ldap ssl = no
>>        panic action = /usr/share/samba/panic-action %d
>>        idmap uid = 10000-20000
>>        idmap gid = 10000-20000
>>        template primary group = sambausers
>>        template shell = /bin/bash
>>        winbind separator = +
>>        winbind use default domain = Yes
>>
>> [homes]
>>        comment = Home Directories
>>        create mask = 0700
>>        directory mask = 0700
>>        browseable = No
>>
>> [p]
>>        comment = Documents
>>        path = /home/samba/p
>>        valid users = @LIHH\SambaUsers
>>        read only = No
>>        create mask = 0750
>>
>> [profiles]
>>        comment = Documents
>>        path = /home/samba/profiles
>>        read only = No
>>        create mask = 0750
>>
>>
>>
>> The groups on the DC:
>>
>> morgane:/etc/samba# wbinfo -g
>> BUILTIN+System Operators
>> BUILTIN+Replicators
>> BUILTIN+Guests
>> BUILTIN+Power Users
>> BUILTIN+Print Operators
>> BUILTIN+Administrators
>> BUILTIN+Account Operators
>> BUILTIN+Backup Operators
>> BUILTIN+Users
>> Domänencomputer
>> Domänen-Gäste
>> Zertifikatherausgeber
>> Organisations-Admins
>> Schema-Admins
>> Domänencontroller
>> Domänen-Benutzer
>> Domänen-Admins
>> Richtlinien-Ersteller-Besitzer
>> DnsUpdateProxy
>> SambaUsers
>>
>>
>>
>> Groupmap on samba machine:
>>
>> morgane:/etc/samba# net groupmap list
>> System Operators (S-1-5-32-549) -> -1
>> Replicators (S-1-5-32-552) -> -1
>> Guests (S-1-5-32-546) -> -1
>> Domain Guests (S-1-5-21-788693271-928550680-3704065133-514) -> nobody
>> Power Users (S-1-5-32-547) -> -1
>> Print Operators (S-1-5-32-550) -> -1
>> Administrators (S-1-5-32-544) -> -1
>> Account Operators (S-1-5-32-548) -> -1
>> Domänen-Benutzer (S-1-5-21-788693271-928550680-3704065133-1201) -> users
>> Domain Admins (S-1-5-21-788693271-928550680-3704065133-512) -> root
>> SambaUsers (S-1-5-21-788693271-928550680-3704065133-21065) -> sambausers
>> Backup Operators (S-1-5-32-551) -> -1
>> Users (S-1-5-32-545) -> -1
>> Domain Users (S-1-5-21-788693271-928550680-3704065133-513) -> -1
>>
>>
>>
>> The suspicious output of /var/log/samba/log.winbindd:
>>
>> [2004/11/14 04:28:05, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>>  group LIHH\SambaUsers in domain LIHH does not exist
>> [2004/11/14 04:28:06, 3] libads/ads_ldap.c:ads_sid_to_dn(222)
>>  ads sid_to_dn mapped CN=Pentium,CN=Computers,DC=lihh,DC=loc
>> [2004/11/14 04:28:06, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>>  group LIHH\SambaUsers in domain LIHH does not exist
>> [2004/11/14 04:28:14, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>>  group LIHH\SambaUsers in domain LIHH does not exist
>> [2004/11/14 04:28:15, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>>  group LIHH\SambaUsers in domain LIHH does not exist
>>
>>
>>
>> Then of course in /var/log/samba/log.<ip_number> I get:
>>
>> [2004/11/14 04:28:15, 2] smbd/service.c:make_connection_snum(314)
>>  user 'LIHH+User.Name' (from session setup) not permitted to access this share (p)
>> [2004/11/14 04:28:15, 3] smbd/error.c:error_packet(129)
>>  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>>
>
> Hello everybody,
> for my problem of not finding "SambaUsers" I found something odd:
>
>
> grep 10032 /etc/group
> sambausers:x:10032:
>
>
> wbinfo -G 10032
> S-1-5-32-552
>
>
> net groupmap list
> Replicators (S-1-5-32-552) -> -1
>
> SambaUsers (S-1-5-21-788693271-928550680-3704065133-21065) -> sambausers
>
>
> Somehow the Unix group "sambausers" matches "Replicators" on Windows
> instead of "SambaUsers".
> Why is this? Or better, how do I correct this?
>
> Kay

Hello again,
I made some substantial progress in getting the groups thing to work. In
some posting from this NG I found an example with the syntax "valid
users = @ADSDOMAIN\groupname". This doesn't work. Winbind then asks for
\\ADSDOMAIN\ADSDOMAIN\groupname, so "winbind -i" told me. It should be
"valid users = @groupname". Of course I already tried that before also...
But then I tried "winbind -n", which means "caching disabled", and now it
works!
So what's wrong with the caching?

Kay
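As an added example (not from this thread or from Samba itself), a small check for the collision Kay found above: a local /etc/group entry whose gid lies inside the smb.conf "idmap gid" range, which winbind also allocates from for domain groups, so the same gid can end up meaning "sambausers" locally and "Replicators" to winbind. The smb.conf fragment and group file below are constructed inline and modelled on the posted configuration; the function name is my own.

```sh
#!/bin/sh
# Constructed sample inputs (not the poster's real files): the idmap gid
# range from the thread, plus a local group sitting inside that range.
SMB_CONF=$(mktemp) && cat > "$SMB_CONF" <<'EOF'
[global]
       workgroup = LIHH
       idmap uid = 10000-20000
       idmap gid = 10000-20000
       template primary group = sambausers
EOF
GROUP_FILE=$(mktemp) && cat > "$GROUP_FILE" <<'EOF'
root:x:0:
users:x:100:
sambausers:x:10032:
EOF

# idmap_gid_overlap SMBCONF GROUPFILE
# Prints one line per local group whose gid falls inside the "idmap gid"
# range; returns 1 if any were found, 0 if disjoint, 2 if no range is set.
idmap_gid_overlap() {
    range=$(sed -n 's/^[[:space:]]*idmap gid[[:space:]]*=[[:space:]]*//p' "$1" \
            | head -n 1 | tr -d '[:space:]')
    [ -n "$range" ] || { echo "no 'idmap gid' line in $1" >&2; return 2; }
    lo=${range%%-*}; hi=${range##*-}
    found=0
    while IFS=: read -r name pw gid rest; do
        case $gid in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        if [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]; then
            echo "$name gid=$gid lies inside idmap gid range $lo-$hi"
            found=1
        fi
    done < "$2"
    return $found
}

if idmap_gid_overlap "$SMB_CONF" "$GROUP_FILE"; then
    echo "ok: local gids and the idmap gid range are disjoint"
else
    echo "fix: keep locally created gids and the idmap gid range apart"
fi
```

On a real host, run the function against /etc/samba/smb.conf and /etc/group; any line it prints is a gid that wbinfo -G may resolve to a different SID than the local name suggests.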