[Samba] Group membership
Misty Stanley-Jones
misty at borkholder.com
Wed Oct 13 17:01:44 GMT 2004
I'm responding to my own message below with more data.
oink:/home # net rpc group members engr
Password:
CORP1\root
smbldap-groupmod -x root engr
...
0000 307: SEQUENCE {
0004 1: INTEGER = 3
0007 300: [APPLICATION 4] {
000B 38: STRING = 'cn=engr,ou=groups,dc=borkholder,dc=com'
0033 256: SEQUENCE {
0037 12: SEQUENCE {
0039 2: STRING = 'cn'
003D 6: SET {
003F 4: STRING = 'engr'
0045 : }
0045 : }
0045 19: SEQUENCE {
0047 9: STRING = 'gidNumber'
0052 6: SET {
0054 4: STRING = '1001'
005A : }
005A : }
005A 21: SEQUENCE {
005C 11: STRING = 'displayName'
0069 6: SET {
006B 4: STRING = 'engr'
0071 : }
0071 : }
0071 21: SEQUENCE {
0073 14: STRING = 'sambaGroupType'
0083 3: SET {
0085 1: STRING = '2'
0088 : }
0088 : }
0088 59: SEQUENCE {
008A 9: STRING = 'memberUid'
0095 46: SET {
0097 3: STRING = 'pat'
009C 5: STRING = 'chuck'
00A3 6: STRING = 'jeremy'
00AB 5: STRING = 'jerry'
00B2 4: STRING = 'paul'
00B8 5: STRING = 'roger'
00BF 4: STRING = 'todd'
00C5 : }
00C5 : }
00C5 51: SEQUENCE {
00C7 11: STRING = 'objectClass'
00D4 36: SET {
00D6 3: STRING = 'top'
00DB 10: STRING = 'posixGroup'
00E7 17: STRING = 'sambaGroupMapping'
00FA : }
00FA : }
00FA 59: SEQUENCE {
00FC 8: STRING = 'sambaSID'
0106 47: SET {
0108 45: STRING = 'S-1-5-21-725326080-1709766072-2910717368-1001'
0137 : }
0137 : }
0137 : }
0137 : }
0137 : }
Net::LDAP=HASH(0x84b2b48) received:
30 0C 02 01 03 65 07 0A 01 00 04 00 04 00 __ __ 0....e........
0000 12: SEQUENCE {
0002 1: INTEGER = 3
0005 7: [APPLICATION 5] {
0007 1: ENUM = 0
000A 0: STRING = ''
000C 0: STRING = ''
000E : }
000E : }
Net::LDAP=HASH(0x84b2b48) sending:
30 53 02 01 04 63 4E 04 26 63 6E 3D 65 6E 67 72 0S...cN.&cn=engr
2C 6F 75 3D 67 72 6F 75 70 73 2C 64 63 3D 62 6F ,ou=groups,dc=bo
72 6B 68 6F 6C 64 65 72 2C 64 63 3D 63 6F 6D 0A rkholder,dc=com.
01 00 0A 01 02 02 01 00 02 01 00 01 01 00 A0 13 ................
A3 11 04 09 6D 65 6D 62 65 72 55 69 64 04 04 72 ....memberUid..r
6F 6F 74 30 00 __ __ __ __ __ __ __ __ __ __ __ oot0.
0000 83: SEQUENCE {
0002 1: INTEGER = 4
0005 78: [APPLICATION 3] {
0007 38: STRING = 'cn=engr,ou=groups,dc=borkholder,dc=com'
002F 1: ENUM = 0
0032 1: ENUM = 2
0035 1: INTEGER = 0
0038 1: INTEGER = 0
003B 1: BOOLEAN = FALSE
003E 19: [CONTEXT 0] {
0040 17: [CONTEXT 3] {
0042 9: STRING = 'memberUid'
004D 4: STRING = 'root'
0053 : }
0053 : }
0053 0: SEQUENCE {
0055 : }
0055 : }
0055 : }
Net::LDAP=HASH(0x84b2b48) received:
30 0C 02 01 04 65 07 0A 01 00 04 00 04 00 __ __ 0....e........
0000 12: SEQUENCE {
0002 1: INTEGER = 4
0005 7: [APPLICATION 5] {
0007 1: ENUM = 0
000A 0: STRING = ''
000C 0: STRING = ''
000E : }
000E : }
User root is not in the group engr!
Net::LDAP=HASH(0x84b2b48) sending:
30 05 02 01 05 42 00 __ __ __ __ __ __ __ __ __ 0....B.
0000 5: SEQUENCE {
0002 1: INTEGER = 5
0005 0: [APPLICATION 2]
0007 : }
And the interesting thing is that if I do add root as a member of the group,
net rpc group list works correctly:
oink:/home # net rpc group members engr
Password:
CORP1\pat
CORP1\chuck
CORP1\jeremy
CORP1\jerry
CORP1\paul
CORP1\roger
CORP1\todd
CORP1\root
Take root back out, and I am back to:
oink:/home # net rpc group members engr
Password:
CORP1\root
It looks to me like root needs to be a member of every single group for these
tools to work correctly. That's really bizarre to me. I await the wisdom of
the Samba Gurus.
Misty
On Tuesday 12 October 2004 17:04, Misty Stanley-Jones wrote:
> I am using Samba PDC with OpenLDAP2 and smbldap-tools. As part of my
> logon.bat, I call a script called ifmember.exe. This script can list out
> the groups a user is a member of. It is reporting that my root user is a
> member of the group 'engr.' I don't know if this is a bug with
> ifmember.exe or if it's an issue in Samba or in LDAP. Here is some
> relevant data:
>
> oink:/etc/smbldap-tools # smbldap-groupshow engr
> dn: cn=engr,ou=groups,dc=borkholder,dc=com
> cn: engr
> gidNumber: 1001
> memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
> objectClass: top,posixGroup,sambaGroupMapping
> sambaGroupType: 2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
>
> oink:/usr/local/sbin # ./smbldap-usershow root
> dn: cn=root,ou=people,dc=borkholder,dc=com
> objectClass: account,posixAccount,top,sambaSamAccount
> cn: root
> uid: root
> uidNumber: 0
> gidNumber: 0
> loginShell: /bin/bash
> homeDirectory: /root
> displayName: root
> sambaPwdCanChange: 1095966471
> sambaPwdMustChange: 2147483647
> sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
> sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
> sambaPasswordHistory:
> 0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1095966471
> sambaAcctFlags: [U ]
> userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
> sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512
>
> oink:/usr/local/sbin # net groupmap list
> acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
> truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
> hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
> furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
> dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
> Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain
> Admins Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) ->
> Domain Users Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514)
> -> Domain Guests Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) ->
> Workgroup Computers
> Administrators (S-1-5-32-544) -> Administrators
> acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
> receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) ->
> receptionist engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr
>
> Is there anywhere else I can look to see why this command thinks I'm a
> member of the engr group? I'm using nss_ldap on the server for
> authentication as well.
>
> Misty
More information about the samba
mailing list