[Samba] poledit - acl editor - groups problem [was: windows doesn't show groups in security tab of file properties]

Mario Minati mario at minati.de
Mon Oct 16 20:41:56 GMT 2006


Hi,

I finally could resolve my problem. I had to update the samba schema on 
my ldap server with the new version from 3.0.23c.

Regards,
Mario


Mario Minati wrote:
> Hi,
> I would like to repeat my question (no groups shown in windows acl 
> editor) as I didn't find a solution to my problem. I googled a lot and 
> found many questions on that topic, but none helped me out of my troubles.
>
> Gerald Carter wrote:
>> If they show up in the ACL editor for example,
>> they should show up in the policy editor as well.
>> On Samba DCs, only mapped groups will show up though.
> I read it, but for me my groupmapping looks good, even with the 
> changes in the group mapping stuff in Samba 3.0.23:
>> domain guests (S-1-5-21-XXX-514) -> domain guests
>> domain machines (S-1-5-21-XXX-516) -> domain machines
>> buchhaltung (S-1-5-21-XXX-3007) -> buchhaltung
>> honorar (S-1-5-21-XXX-3009) -> honorar
>> intern (S-1-5-21-XXX-3015) -> intern
>> print_ops (S-1-5-21-XXX-3017) -> print_ops
>> domain_admins (S-1-5-21-XXX-512) -> domain_admins
>> igm (S-1-5-21-XXX-3005) -> igm
>> dev (S-1-5-21-XXX-3013) -> dev
>> software (S-1-5-21-XXX-3019) -> software
>> bpm (S-1-5-21-XXX-3011) -> bpm
>> pem (S-1-5-21-XXX-3021) -> pem
>> domain_users (S-1-5-21-XXX-513) -> domain_users
>> wks_admin (S-1-5-21-XXX-3023) -> wks_admin
> Probably I'm just too blind to see the point, could you please give me 
> a hint what to check / test next?
>
> One thing I am not 100% sure about is, if I need winbindd.
> As I only have one Samba PDC with LDAP with Win2000 and WinXP Clients 
> and no other DCs I think I don't need winbindd, right?
>
> Thank you,
> Mario Minati
>
> Mario Minati wrote:
>> Hello,
>>
>> I've a Samba 3.0.23c-SerNet-Debian PDC (no BDC or anything) connected 
>> to OpenLDAP. I thought it would work smoothly, I didn't discover any 
>> problems until today.
>>
>> I'm trying to create a ntconfig.pol with poledit, but it doesn't 
>> show me any groups to add to the policy. I can see all the users by 
>> the way.
>> To eliminate a poledit problem I used the security tab (in German 
>> its name is 'Sicherheitseinstellungen') of the file properties 
>> dialog to test the availability of groups on the Windows 2000 client.
>> If I try to add a user to a file (either a local one on an NTFS 
>> drive, or one on the PDC) it only shows me local groups and users and 
>> the users on the PDC, but I can not see any groups from the PDC.
>>
>> The funny thing is, that in the security tab the name of the group a 
>> file on the PDC belongs to is shown correctly, so the resolution of a 
>> given groupname and SID seems to work.
>>
>> By the way I tested this behavior on a second Win 2000 vmware 
>> instance and it's exactly the same.
>>
>> I checked the output of 'getent groups' on the PDC, they look good 
>> (see below).
>> root:x:0:
>> [...]
>> ssh:x:103:
>> administrators:x:999:admin
>> domain guests:x:10004:
>> domain machines:x:10005:
>> buchhaltung:x:1003:ya
>> honorar:x:1004:ya
>> intern:x:1007:hm,madt,ya
>> print_ops:x:1008:administrator
>> domain_admins:x:10003:administrator
>> igm:x:1002:hm,madt,ya
>> dev:x:1006:
>> software:x:1009:
>> bpm:x:1005:
>> pem:x:1010:hm,madt
>> domain_users:x:10002:administrator,hm,ya,madt
>> wks_admin:x:1011:administrator,ya
>>
>>
>> I checked the groupmapping, which also looks good (see below).
>> domain guests (S-1-5-21-XXX-514) -> domain guests
>> domain machines (S-1-5-21-XXX-516) -> domain machines
>> buchhaltung (S-1-5-21-XXX-3007) -> buchhaltung
>> honorar (S-1-5-21-XXX-3009) -> honorar
>> intern (S-1-5-21-XXX-3015) -> intern
>> print_ops (S-1-5-21-XXX-3017) -> print_ops
>> domain_admins (S-1-5-21-XXX-512) -> domain_admins
>> igm (S-1-5-21-XXX-3005) -> igm
>> dev (S-1-5-21-XXX-3013) -> dev
>> software (S-1-5-21-XXX-3019) -> software
>> bpm (S-1-5-21-XXX-3011) -> bpm
>> pem (S-1-5-21-XXX-3021) -> pem
>> domain_users (S-1-5-21-XXX-513) -> domain_users
>> wks_admin (S-1-5-21-XXX-3023) -> wks_admin
>>
>>
>> I looked in the logs (debug level=1) and didn't see anything related 
>> to my problem (see below):
>> [2006/10/09 14:49:52, 1] smbd/service.c:make_connection_snum(941)
>>  sunshine (10.1.10.194) signed connect to service profiles initially 
>> as user administrator (uid=0, gid=10003) (pid 3087)
>> Could not connect to server sunshine
>> Connection failed: NT_STATUS_IO_TIMEOUT
>> [2006/10/09 14:50:05, 1] smbd/service.c:make_connection_snum(941)
>>  sunshine (10.1.10.194) signed connect to service netlogon initially 
>> as user administrator (uid=0, gid=10003) (pid 3087)
>> [2006/10/09 14:50:05, 1] smbd/service.c:close_cnum(1141)
>>  sunshine (10.1.10.194) closed connection to service profiles
>> [2006/10/09 14:50:05, 1] smbd/service.c:close_cnum(1141)
>>  sunshine (10.1.10.194) closed connection to service netlogon
>> [2006/10/09 14:50:05, 1] smbd/service.c:make_connection_snum(941)
>>  sunshine (10.1.10.194) signed connect to service administrator 
>> initially as user administrator (uid=0, gid=10003) (pid 3087)
>> Could not connect to server sunshine
>> Connection failed: NT_STATUS_IO_TIMEOUT
>> [2006/10/09 14:50:16, 1] smbd/service.c:make_connection_snum(941)
>>  sunshine (10.1.10.194) signed connect to service netlogon initially 
>> as user administrator (uid=0, gid=10003) (pid 3087)
>> [2006/10/09 14:50:21, 1] smbd/service.c:make_connection_snum(941)
>>  sunshine (10.1.10.194) signed connect to service administrator 
>> initially as user administrator (uid=0, gid=10003) (pid 3087)
>> [2006/10/09 14:50:25, 1] smbd/service.c:make_connection_snum(941)
>>  sunshine (10.1.10.194) signed connect to service administrator 
>> initially as user administrator (uid=0, gid=10003) (pid 3087)
>> [2006/10/09 14:50:25, 1] smbd/service.c:make_connection_snum(941)
>>  sunshine (10.1.10.194) signed connect to service temp initially as 
>> user administrator (uid=0, gid=10003) (pid 3087)
>> [2006/10/09 14:51:56, 1] smbd/service.c:make_connection_snum(941)
>>  sunshine (10.1.10.194) signed connect to service temp initially as 
>> user administrator (uid=0, gid=10003) (pid 3087)
>> [2006/10/09 14:52:31, 0] lib/util_sock.c:read_data(534)
>>  read_data: read failure for 4 bytes to client 10.1.10.194. Error = 
>> Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
>> [2006/10/09 15:00:06, 0] printing/print_cups.c:cups_cache_reload(85)
>>  Unable to connect to CUPS server localhost - Verbindungsaufbau 
>> abgelehnt
>> The last one comes once every hour, I've to check that later on.
>>
>>
>> I hope someone has an idea where to look at and what the reason for 
>> this behaviour can be.
>>
>> Regards,
>> Mario Minati
>