[Samba] SID mapping to group name failed...

[Michael Gasch]

what says getent group ?

greez

Pierre-Francois LAURAND wrote:
> Hi,
> 
> I'am experimenting an error on a Samba 3.0.20 pdc with ldap backend :
> 
> When I have a try with the MS Win2k ACL editor to change a file
> permissions located on a Samba share, I can add or suppress domain users
> related acls, but with group related acls, an error occurs : MS Editor
> correctly shows the group SID, but cannot map the SID with the
> associated group name.
> 
> smbd.log gives :
> 
> [2006/01/20 10:07:27, 0, effective(6238, 2648), real(6238, 0)]
> rpc_server/srv_samr.c:api_samr_query_usergroups(520)
>   api_samr_query_usergroups: unable to marshall SAMR_R_QUERY_USERGROUPS.
> [2006/01/20 10:07:27, 0, effective(6238, 2648), real(6238, 0)]
> rpc_server/srv_pipe.c:api_rpcTNP(1572)
>   api_rpcTNP: samr: SAMR_QUERY_USERGROUPS failed.
> 
> 
> Note that "net groupmap list" just work and list the correct mapping
> between the sambaSID and the corresponding user groups registered in the
> dit.
> 
> Relevant part of smb.conf :
> 
> [global]
>   workgroup = MYDOMAIN
>   interfaces = lo0, em1
>   security = user
>   enable privileges = yes
>   username map = /usr/local/etc/smbusers.map
>   log file = /var/log/samba/smb.log
>   debug uid = Yes
>   domain logons = Yes
>   os level = 255
>   preferred master = Yes
>   domain master = Yes
>   passdb backend = ldapsam:ldapi://%2fvar%2frun%2fopenldap%2fldapi/
>   ldap admin dn = cn=samba,ou=serviceAccounts,o=myorg
>   ldap suffix = o=myorg
>   ldap machine suffix = ou=computers
>   ldap user suffix = ou=users
>   ldap group suffix = ou=groups
> 
> [Public]
>   path = /export/public/%G
>   read only = No
>   create mask    = 0755
>   directory mask = 0775
>   force user     = %U
> 
> 
> Thanks for your help,