[Samba] Can't change file rights with Samba LDAP
Matthias Eichler
m.eichler at kernzeit.com
Tue Apr 19 13:57:23 GMT 2005
Dear List,
I have the following samba-ldap setup with 2 servers involved:
- login
* Debian stable (woody)
* Master LDAP (worx fine)
* UNIX users and groups via pam-ldap and nss_ldap
(worx fine)
* Samba 3.0.13 as PDC for domain KERNZEIT with official
deb packages from downloads.samba.org
- fileserver
* Debian testing (sarge)
* UNIX users and groups via pam-ldap and nss_ldap to the
master ldap server (worx fine)
* Samba 3.0.13 as a member server of domain KERNZEIT with
official deb packages from downloads.samba.org
* Shares on ext3-LVM-Volumes with EXT3-ACLs
What worx:
- all general linux stuff (login, logout, passwd, groups)
- all general samba stuff (login, logout, netlogon, groups,
passwd, roaming profiles, etc.pp.)
My Problem:
- I access a file's properties and switch to the security tab
- all users are looked up reverse from SID and Windows displays
the cn as a result, BUT ONLY if winbindd is running.
This does not make sense to me as I use pam_ldap and nss_ldap
successfully to make the LDAP users and groups available under
Linux
- I can look up and add a user that e.g. should also get full
rights to the file or directory;
- if I accept these changes the added user disappears from the
list of users that have rights on that file or directory
! This problem is reproducible
When I accept the changes to the security tab the samba log says:
---cut---
[2005/04/19 15:16:15, 3] lib/smbldap.c:smbldap_connect_system(866)
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
[2005/04/19 15:16:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (1002, 100) - sec_ctx_stack_ndx = 0
[2005/04/19 15:16:15, 0] smbd/posix_acls.c:create_canon_ace_lists(1388)
create_canon_ace_lists: unable to map SID
S-1-5-21-2443489570-4015384086-1858331161-3036 to uid or gid.
---cut---
This also does not make sense to me as all users work under
samba and can login etc...
The smb.conf of the PDC (login)
---cut---
[global]
workgroup = KERNZEIT
netbios name = LOGIN
null passwords = no
security = user
server string = %h server (Samba %v)
announce version=5.0
#LDAP STUFF
# NOTE(review): the PDC binds to LDAP on loopback, so "ldap ssl = no" below
# keeps the admin-dn bind off the wire; the member server's copy of these
# settings points at a remote host instead, where that is not the case.
passdb backend = ldapsam:"ldap://127.0.0.1"
ldap suffix = dc=kernzeit,dc=com
ldap machine suffix = "ou=smb-machines,ou=NSS,dc=kernzeit,dc=com"
ldap admin dn = "cn=admin,dc=kernzeit,dc=com"
ldap ssl = no
ldap user suffix = "dc=kernzeit,dc=com"
# NOTE(review): given relative to "ldap suffix", unlike the absolute machine
# suffix above; "ou=nss" vs "ou=NSS" also differs in case -- harmless if the
# directory matches ou values case-insensitively, but worth keeping consistent.
ldap group suffix = ou=groups,ou=nss
ldap passwd sync = Yes
#LOG STUFF
# NOTE(review): level 3 logs record SIDs, uids and LDAP lookups for every
# session (see the excerpt quoted above); keep the log files readable by root only.
log file = /var/log/samba/log.%m
max log size = 10000
log level = 3
syslog = 0
#NETWORK
interfaces = 10.1.1.1/16
# NOTE(review): the hosts allow list is wrapped onto two lines here; smb.conf
# needs a trailing "\" for a continued value, so confirm the real file has the
# whole list on one line (otherwise the second line is silently ignored).
hosts allow = 10.1. 10.99.0. 10.98.0. 192.168.1.51 192.168.1.61
192.168.1.62 192.168.1.63 192.168.1.64
bind interfaces only = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#SECURITY
encrypt passwords = true
guest account = nobody
obey pam restrictions = no
# NOTE(review): members of domadmins act as root for every file operation on
# this server, so membership of that group needs the same care as root access.
admin users = @domadmins
# NOTE(review): the add/delete scripts below run as root with %u/%g substituted
# from the client request; the closing quote on the -m "%u" %g" line looks
# unbalanced -- confirm it reads "%g" in the real file.
add machine script = /usr/local/sbin/smbldap-useradd.pl -w -g
smb-machines -s /bin/false %m
add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m
"%u" %g"
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl
-x "%u"
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g
"%g" "%u"
#FEATURES
panic action = /usr/share/samba/panic-action %d
wins support = yes
dns proxy = yes
preferred master = yes
local master = yes
time server = yes
os level = 67
#DOMAIN STUFF
domain master = yes
domain logons = yes
#LOGON STUFF
logon path = \\%L\profile\%u
logon script = login.bat
logon drive = H:
logon home = \\LOGIN\%U
template homedir = /home/%U
#INTERNATIONALIZATION
unix charset = iso8859-15
dos charset = cp850
---cut---
The conf of the fileserver
---cut---
[global]
workgroup = KERNZEIT
netbios name = FILESERVER
server string = %h
announce version = 5.0
os level = 20
# NOTE(review): this member server binds as the admin dn to a remote LDAP
# server with "ldap ssl = no", so the bind credential crosses the LAN in
# clear; "ldap ssl = start tls" (or a local tunnel) keeps it off the wire.
passdb backend = ldapsam:"ldap://10.1.1.10"
ldap suffix = "dc=kernzeit,dc=com"
ldap machine suffix = "ou=smb-machines,ou=NSS,dc=kernzeit,dc=com"
ldap admin dn = "cn=admin,dc=kernzeit,dc=com"
ldap ssl = no
ldap user suffix = "dc=kernzeit,dc=com"
ldap group suffix = ou=groups,ou=nss
#LOG STUFF
log file = /var/log/samba/log.%m
max log size = 1000
log level = 3
syslog = 0
#NETWORK
interfaces = 10.1.1.20/16
# NOTE(review): wrapped onto two lines here; smb.conf needs a trailing "\"
# for a continued value, so confirm the real file has the list on one line.
hosts allow = 10.1. 10.99.0. 10.98.0. 192.168.1.51 192.168.1.61
192.168.1.62 192.168.1.63 192.168.1.64
bind interfaces only = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#SECURITY
null passwords = no
encrypt passwords = true
guest account = nobody
obey pam restrictions = no
# NOTE(review): as a domain member, SID -> uid/gid lookups for KERNZEIT users
# normally go through winbindd, and no idmap backend or ranges are set here;
# that presumably explains the "unable to map SID ... to uid or gid" error in
# the log whenever winbindd is not running -- confirm with winbindd up.
security = domain
password server = LOGIN
#FEATURES
panic action = /usr/share/samba/panic-action %d
nt acl support = yes
wins support = no
wins proxy = no
wins server = 10.1.1.1 10.1.1.10
dns proxy = no
local master = no
preferred master = no
#DOMAIN STUFF
domain master = no
domain logons = no
#INTERNATIONALIZATION
unix charset = iso8859-15
# NOTE(review): the PDC uses "cp850" for the same setting; confirm "850" is an
# accepted alias on this host, otherwise the two servers disagree on filename
# encoding.
dos charset = 850
---cut---
Any help is really appreciated as this problem really suxx: no
user can change any file-rights and everyone has to call the support
to do this...:-(
Does anybody have any hints?!?
Thanks really really a lot!
Matthias