[Samba] Can't change file rights with Samba + LDAP

Matthias Eichler m.eichler at kernzeit.com
Tue Apr 19 13:57:23 GMT 2005


Dear List,

I have the following Samba/LDAP setup with two servers involved:

- login
  * Debian stable (woody)
  * master LDAP server (works fine)
  * UNIX users and groups via pam_ldap and nss_ldap
    (works fine)
  * Samba 3.0.13 as PDC for the domain KERNZEIT, using the official
    .deb packages from downloads.samba.org

- fileserver
  * Debian testing (sarge)
  * UNIX users and groups via pam_ldap and nss_ldap against the
    master LDAP server (works fine)
  * Samba 3.0.13 as a member server of the domain KERNZEIT, using the
    official .deb packages from downloads.samba.org
  * shares on ext3 LVM volumes with ext3 POSIX ACLs

What works:
- all general Linux functionality (login, logout, passwd, groups)
- all general Samba functionality (login, logout, netlogon, groups,
  passwd, roaming profiles, etc.)

My problem:
- I open a file's Properties dialog and switch to the Security tab.
- All users are looked up by reverse SID resolution and Windows displays
  the cn as the result, BUT ONLY if winbindd is running.
  This does not make sense to me, as I already use pam_ldap and nss_ldap
  successfully to make the LDAP users and groups available under Linux.
  (Note: nss_ldap only resolves names and numeric uids/gids; it knows
  nothing about Windows SIDs, so SID-to-uid lookups on a member server
  are winbindd's job.)
- I can look up and add a user that should, e.g., also get full
  rights to the file or directory.
- If I apply these changes, the added user disappears from the
  list of users that have rights on that file or directory.
! This problem is reproducible.

When I apply the changes in the Security tab, the Samba log says:
---cut---
[2005/04/19 15:16:15, 3] lib/smbldap.c:smbldap_connect_system(866)
  ldap_connect_system: succesful connection to the LDAP server
  ldap_connect_system: LDAP server does not support paged results
[2005/04/19 15:16:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1002, 100) - sec_ctx_stack_ndx = 0
[2005/04/19 15:16:15, 0] smbd/posix_acls.c:create_canon_ace_lists(1388)
  create_canon_ace_lists: unable to map SID
S-1-5-21-2443489570-4015384086-1858331161-3036 to uid or gid.
---cut---
This also does not make sense to me, as all users work under
Samba and can log in, etc. Note that logging in only needs the
name-to-SID direction; writing a POSIX ACL needs the reverse mapping,
SID to uid/gid, and that is exactly what fails in the log above.

The smb.conf of the PDC (login):
---cut---
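[global]
        # PDC "LOGIN" for the KERNZEIT domain. Accounts live in the OpenLDAP
        # master on this host (see "passdb backend" below).
        workgroup = KERNZEIT
        netbios name = LOGIN
        null passwords = no
        security = user
        server string = %h server (Samba %v)
        announce version = 5.0

        #LDAP STUFF
        # The directory is reached over loopback, so "ldap ssl = no" only
        # exposes the admin bind and the sambaNTPassword/sambaLMPassword
        # hashes to local processes, not to the LAN. The bind password for
        # "ldap admin dn" is kept in Samba's secrets store, not in this file;
        # that DN can read and rewrite every password hash, so guard it.
        passdb backend = ldapsam:"ldap://127.0.0.1"
        ldap suffix = dc=kernzeit,dc=com
        ldap machine suffix = "ou=smb-machines,ou=NSS,dc=kernzeit,dc=com"
        ldap admin dn = "cn=admin,dc=kernzeit,dc=com"
        ldap ssl = no
        ldap user suffix = "dc=kernzeit,dc=com"
        # Relative suffix (appended to "ldap suffix"), unlike the absolute
        # machine suffix above. Both forms are accepted; keep them in sync
        # with the file server's configuration.
        ldap group suffix = ou=groups,ou=nss
        # Samba also rewrites the LDAP userPassword attribute on SMB
        # password changes, so the admin DN needs write access to it.
        ldap passwd sync = Yes

        #LOG STUFF
        log file = /var/log/samba/log.%m
        max log size = 10000
        # Level 3 is verbose enough to show LDAP binds and SID lookups
        # (see the create_canon_ace_lists message in the post).
        log level = 3
        syslog = 0

        #NETWORK
        interfaces = 10.1.1.1/16
        # Prefix form "10.1." matches 10.1.0.0/16, the same net as above.
        # Only the listed hosts/nets may talk to smbd at all.
        hosts allow = 10.1. 10.99.0. 10.98.0. 192.168.1.51 192.168.1.61 192.168.1.62 192.168.1.63 192.168.1.64
        bind interfaces only = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        #SECURITY
        encrypt passwords = true
        guest account = nobody
        obey pam restrictions = no
        # Every member of the domadmins group acts as root on all shares;
        # keep that group small and audited.
        admin users = @domadmins

        # Machine accounts are created on the fly when a workstation joins
        # (-w = workstation account, no login shell).
        add machine script = /usr/local/sbin/smbldap-useradd.pl -w -g smb-machines -s /bin/false %m
        add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
        add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
        # Fixed: the original had an unbalanced quote (%g") which would have
        # passed a literal trailing quote as part of the group name.
        add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x "%u"
        set primary group script = /usr/local/sbin/smbldap-usermod.pl -g "%g" "%u"

        #FEATURES
        panic action = /usr/share/samba/panic-action %d
        # This host is the WINS server the member server points at.
        wins support = yes
        dns proxy = yes
        preferred master = yes
        local master = yes
        time server = yes
        os level = 67

        #DOMAIN STUFF
        domain master = yes
        domain logons = yes

        #LOGON STUFF
        logon path = \\%L\profile\%u
        logon script = login.bat
        logon drive = H:
        logon home = \\LOGIN\%U
        template homedir = /home/%U

        #INTERNATIONALIZATION
        # Both servers must use the same charsets or non-ASCII file names
        # will be mangled between them.
        unix charset = iso8859-15
        dos charset = cp850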

The smb.conf of the file server:
---cut---
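[global]
        # Domain member server "FILESERVER" hosting the ACL-enabled shares.
        workgroup = KERNZEIT
        netbios name = FILESERVER
        server string = %h
        announce version = 5.0
        os level = 20

        # SECURITY NOTE: unlike the PDC, this host talks to the directory
        # over the LAN (10.1.1.10) with "ldap ssl = no", so the admin DN's
        # bind password and every sambaNTPassword/sambaLMPassword hash it
        # reads cross the wire in cleartext. Anyone who can sniff that
        # segment can replay the NT hashes. Consider "ldap ssl = start tls"
        # (or an ldaps:// URL) once the LDAP server has a certificate.
        passdb backend = ldapsam:"ldap://10.1.1.10"
        ldap suffix = "dc=kernzeit,dc=com"
        ldap machine suffix = "ou=smb-machines,ou=NSS,dc=kernzeit,dc=com"
        ldap admin dn = "cn=admin,dc=kernzeit,dc=com"
        ldap ssl = no
        ldap user suffix = "dc=kernzeit,dc=com"
        ldap group suffix = ou=groups,ou=nss

        #LOG STUFF
        log file = /var/log/samba/log.%m
        max log size = 1000
        log level = 3
        syslog = 0

        #NETWORK
        interfaces = 10.1.1.20/16
        hosts allow = 10.1. 10.99.0. 10.98.0. 192.168.1.51 192.168.1.61 192.168.1.62 192.168.1.63 192.168.1.64
        bind interfaces only = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        #SECURITY
        null passwords = no
        encrypt passwords = true
        guest account = nobody
        obey pam restrictions = no
        security = domain
        password server = LOGIN

        #FEATURES
        panic action = /usr/share/samba/panic-action %d
        # NOTE(review): there are no idmap/winbind settings in this file.
        # The log shows create_canon_ace_lists failing to map
        # S-1-5-21-...-3036 to a uid/gid, and the post says SID lookups in
        # the Security tab only work while winbindd is running. Editing NT
        # ACLs needs SID -> uid/gid resolution for domain SIDs on this host,
        # which nss_ldap does not provide; check whether a running winbindd
        # with an idmap backend (and matching uid/gid ranges) is required
        # before relying on ACL edits from Windows.
        nt acl support = yes
        wins support = no
        wins proxy = no
        # 10.1.1.1 is the PDC, which has "wins support = yes". 10.1.1.10 is
        # the LDAP host above; nothing in these configs shows it running
        # WINS -- confirm it does, or drop it from the list.
        wins server = 10.1.1.1 10.1.1.10
        dns proxy = no
        local master = no
        preferred master = no

        #DOMAIN STUFF
        domain master = no
        domain logons = no

        #INTERNATIONALIZATION
        unix charset = iso8859-15
        # Fixed: was "850", which is not a charset name Samba/iconv
        # recognises; the PDC uses cp850 and both servers must agree or
        # non-ASCII file names get mangled.
        dos charset = cp850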

Any help is really appreciated, as this problem is quite painful:
no user can change any file permissions and everyone has to call
support to do it... :-(

Does anybody have any hints?

Thanks a lot!

Matthias


