[Samba] Re: Solved: Follow Up - Problem with groups & joining domain.- LDAP

Thu May 19 13:23:24 GMT 2005

Just a note for the archives.

My Freebsd nsswitch problems were being caused by a mis-configured
nss_ldap.conf file.  Everything indeed seems to be working properly
now in Freebsd.

On 5/5/05, Flatfender <flatfender at gmail.com> wrote:
> Follow up to original post.
> 
> If I created local groups and users in /etc/passwd &
> /etc/groups I get farther along.
> 
> For instance, if I have a Samba PDC with LDAP basically like I listed
> in my post.  If I browse from a w2k pro box to the samba server
> without the workstation having joined the domain, I can authenticate
> to the samba server with a user who is not in /etc/passwd but is in
> LDAP.  So samba is able to do the lookup via ldap.
> 
> Now, if I create a posix group in ldap but not in /etc/group, I can
> not use "net groupmap modify" to modify the ntgroup to unix group
> mapping.  But if I create the group in /etc/groups then the group
> mapping works.  This leads me to believe either that the
> nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
> configured.  Since their is so little to configure, I tend to lean
> towards NSSwitch not being fully implemented.
> 
> Also If I try to join the domain with from a workstation that neither
> has a /etc/passwd account or an ldap account then, joining the domain
> fails, but smbldap-tools creates a workstation account in ldap with
> posix only attributes and no samba attributes.
> 
> If I create the workstation account in /etc/passwd and then join the
> domain, then I can sucessfully join the domain, and smbldap tools
> creates an account in ldap, but this time with only samba attributes
> and no posix attributes.
> 
> I have not tested any other group/user scenarios yet.
> ---------- Forwarded message ----------
> From: Flatfender <flatfender at gmail.com>
> Date: Apr 21, 2005 11:04 AM
> Subject: Problem with groups & joining domain.- LDAP
> To: samba at lists.samba.org
> 
> 
> Software list:
> 
> FreeBSD 5.3
> Samba 3.0.14a
> nss_ldap-1.204_5
> openldap-client-2.2.19
> openldap-server-2.2.23
> p5-perl-ldap-0.32.02
> pam_ldap-1.7.6
> smbldap-tools-0.8.8
> 
> samba was configured with the following options. LDAP, Cups, Winbind,
> utmp, popt, acl, quotas, msdfs, syslog, without_ADS
> 
> I have also tried winbind_nss which I believe is a FreeBSD wrapper
> around the linux implentation of winbindd, but it yielded the same
> results.
> 
> 1. ldapadd & ldapserach w/tls is working fine.
> 2. smbldap-tools work.  smbldap-populate,
> smbldap-migrate-unix-accounts/groups work.  smbldap-useradd works.
> 3. smbpasswd -w has been set.
> 
> What fails is joining a machine to the domain.  I get the domain
> password is incorrect, the workstation account is created, but with
> posix attributes only, no samba attributes.
> 
> problems with groups
> If I add a group to the local /etc/group file, which I don't think
> should have to do, but maybe this is a FreeBSD nsswitch bug?  Can
> anyone confirm this?
> 
> pw group add domadmins
> smbldap-groupadd -a domadmins - adds to ldap fine.
> net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins . This
> fails with this error message:   and I get the same error message if
> the -a omitted from smbldap-groupadd
> 
>  passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
>   ldapsam_update_group_mapping_entry: No group to modify!
> Could not update group database
> 
> net groupmap list shows all groups that are in LDAP.
> 
> What I suspect is that group lookups are failing somehow, but I'm not
> sure.   Also If I browse through network neighborhood to the samba PDC
> server, I can authenticate with an ordinary user and get the users
> home dir.  So Users seem to be working.

snipped.