[Samba] Re: Solved: Follow Up - Problem with groups & joining domain.- LDAP

Flatfender flatfender at gmail.com
Thu May 19 13:23:24 GMT 2005

Just a note for the archives.

My FreeBSD nsswitch problems were being caused by a misconfigured
nss_ldap.conf file.  Everything indeed seems to be working properly
now in FreeBSD.

On 5/5/05, Flatfender <flatfender at gmail.com> wrote:
> Follow up to original post.
> If I created local groups and users in /etc/passwd &
> /etc/groups I get farther along.
> For instance, if I have a Samba PDC with LDAP basically like I listed
> in my post.  If I browse from a w2k pro box to the samba server
> without the workstation having joined the domain, I can authenticate
> to the samba server with a user who is not in /etc/passwd but is in
> LDAP.  So samba is able to do the lookup via ldap.
> Now, if I create a posix group in ldap but not in /etc/group, I can
> not use "net groupmap modify" to modify the ntgroup to unix group
> mapping.  But if I create the group in /etc/groups then the group
> mapping works.  This leads me to believe that the
> nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
> configured.  Since there is so little to configure, I tend to lean
> towards NSSwitch not being fully implemented.
> Also, if I try to join the domain from a workstation that has
> neither an /etc/passwd account nor an ldap account, then joining the domain
> fails, but smbldap-tools creates a workstation account in ldap with
> posix only attributes and no samba attributes.
> If I create the workstation account in /etc/passwd and then join the
> domain, then I can successfully join the domain, and smbldap tools
> creates an account in ldap, but this time with only samba attributes
> and no posix attributes.
> I have not tested any other group/user scenarios yet.
> ---------- Forwarded message ----------
> From: Flatfender <flatfender at gmail.com>
> Date: Apr 21, 2005 11:04 AM
> Subject: Problem with groups & joining domain.- LDAP
> To: samba at lists.samba.org
> Software list:
> FreeBSD 5.3
> Samba 3.0.14a
> nss_ldap-1.204_5
> openldap-client-2.2.19
> openldap-server-2.2.23
> p5-perl-ldap-0.32.02
> pam_ldap-1.7.6
> smbldap-tools-0.8.8
> samba was configured with the following options. LDAP, Cups, Winbind,
> utmp, popt, acl, quotas, msdfs, syslog, without_ADS
> I have also tried winbind_nss which I believe is a FreeBSD wrapper
> around the linux implementation of winbindd, but it yielded the same
> results.
> 1. ldapadd & ldapsearch w/tls is working fine.
> 2. smbldap-tools work.  smbldap-populate,
> smbldap-migrate-unix-accounts/groups work.  smbldap-useradd works.
> 3. smbpasswd -w has been set.
> What fails is joining a machine to the domain.  I get the domain
> password is incorrect, the workstation account is created, but with
> posix attributes only, no samba attributes.
> problems with groups
> If I add a group to the local /etc/group file, which I don't think
> should have to do, but maybe this is a FreeBSD nsswitch bug?  Can
> anyone confirm this?
> pw group add domadmins
> smbldap-groupadd -a domadmins - adds to ldap fine.
> net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins . This
> fails with this error message, and I get the same error message if
> the -a is omitted from smbldap-groupadd:
>  passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
>   ldapsam_update_group_mapping_entry: No group to modify!
> Could not update group database
> net groupmap list shows all groups that are in LDAP.
> What I suspect is that group lookups are failing somehow, but I'm not
> sure.   Also, if I browse through network neighborhood to the samba PDC
> server, I can authenticate with an ordinary user and get the users
> home dir.  So Users seem to be working.
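
An added example, not part of the thread: the symptom above (group mapping works only when the group also exists in the local file) means group lookups never reach LDAP, and one side of that is the source order in nsswitch.conf. The hypothetical helper `nss_source_status` below classifies how a source is listed for a database; the sample file is constructed, and the thread itself attributes the eventual fix to nss_ldap.conf, which this check does not cover.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies how SOURCE (e.g. "ldap")
# appears for DATABASE (e.g. "group") in an nsswitch.conf-style FILE.
# Prints: ok | shadowed | missing
nss_source_status() {   # usage: nss_source_status FILE DATABASE SOURCE
    awk -v db="$2" -v src="$3" '
        BEGIN { status = "missing" }
        {
            sub(/#.*/, "")          # drop comments
            sub(/:/, ": ")          # tolerate "group:files ldap"
        }
        $1 == (db ":") {
            blocked = 0; in_crit = 0
            for (i = 2; i <= NF; i++) {
                tok = tolower($i)
                if (tok ~ /^\[/) in_crit = 1
                if (in_crit) {
                    # [NOTFOUND=return] ends the lookup before later sources;
                    # a negated criterion ([!NOTFOUND=return]) is not counted.
                    if (tok ~ /(^|[^!])notfound=return/) blocked = 1
                    if (tok ~ /\]$/) in_crit = 0
                    continue
                }
                if (tok == src) status = blocked ? "shadowed" : "ok"
            }
        }
        END { print status }
    ' "$1"
}

# Constructed sample input, not taken from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd: files ldap
group:  files [NOTFOUND=return] ldap   # LDAP-only groups never resolve
EOF
for db in passwd group; do
    echo "$db: $(nss_source_status "$sample" "$db" ldap)"
done
rm -f "$sample"
```

A result of `shadowed` or `missing` for `group` matches the behaviour where an LDAP-only posix group cannot be used as a `unixgroup` target until it is also added locally.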