[Samba] nested groups with user mapping doesn't work

Rainer Weber raiweber at mpim-bonn.mpg.de
Fri Feb 2 14:29:26 GMT 2007


Hi,

If I deactivate the user mapping via 'username map', Samba can see that the Windows user raiweber is
a member of several Windows groups.

  [2007/02/02 14:07:32, 10] auth/auth_util.c:debug_nt_user_token(454)
   NT user token of user S-1-5-21-781721396-396832292-1671184278-1107
   contains 11 SIDs
   SID[  0]: S-1-5-21-781721396-396832292-1671184278-1107
   SID[  1]: S-1-5-21-781721396-396832292-1671184278-513
   SID[  2]: S-1-1-0
   SID[  3]: S-1-5-2
   SID[  4]: S-1-5-11
   SID[  5]: S-1-5-21-781721396-396832292-1671184278-1118
   SID[  6]: S-1-5-21-781721396-396832292-1671184278-1108
   SID[  7]: S-1-5-21-781721396-396832292-1671184278-1117
   SID[  8]: S-1-5-21-781721396-396832292-1671184278-1115
   SID[  9]: S-1-5-21-702622059-3335440352-4138491235-2001
   SID[ 10]: S-1-5-32-545
   SE_PRIV  0x0 0x0 0x0 0x0

If I activate user mapping again, I can only see the following in the log.
[2007/02/02 15:21:17, 10] libads/authdata.c:dump_pac_logon_info(723)
   The PAC:
         User Flags: 0x20 (32)
         User Flags: LOGON_EXTRA_SIDS 0x20 (32)
         User SID: S-1-5-21-781721396-396832292-1671184278-1107
         Group SID: S-1-5-21-781721396-396832292-1671184278-513
         Group Membership (Global and Universal Groups of own domain):
                 0: sid: S-1-5-21-781721396-396832292-1671184278-513
                    attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
                 1: sid: S-1-5-21-781721396-396832292-1671184278-1118
                    attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
                 2: sid: S-1-5-21-781721396-396832292-1671184278-1108
                    attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
                 3: sid: S-1-5-21-781721396-396832292-1671184278-1117
                    attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
                 4: sid: S-1-5-21-781721396-396832292-1671184278-1115
                    attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
         Group Membership (Domain Local Groups and Groups from Trusted Domains):
         Group Membership (Ressource Groups (SID History ?)):

and

[2007/02/02 15:21:17, 5] auth/auth_util.c:debug_nt_user_token(448)
   NT user token: (NULL)
[2007/02/02 15:21:17, 5] auth/auth_util.c:debug_unix_user_token(474)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups


And nested groups don't work.
Can someone please tell me where the problem is?

My smb.conf:
[global]
         workgroup = WINDOWS
         realm = WINDOWS.LOCAL
         security = ADS
         map to guest = Bad User
         password server = 192.168.254.156
         root directory = /
         username map = /usr/local/samba/private/user.map
         lanman auth = No
         client NTLMv2 auth = Yes
         client lanman auth = No
         client plaintext auth = No
         log level = 10
         min protocol = NT1
         client signing = required
         server signing = required
         load printers = No
         domain master = No
         ldap ssl = no
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template homedir = /home/%U
         template shell = /bin/bash
         winbind separator = +
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         hosts allow = 192.168.254.156, 192.168.254.121, 192.168.254.236

[local_home]
         path = /local_home
         read only = No


Thanks.

Rainer

Rainer Weber wrote:
> Hi,
> 
> I've a Samba server (3.0.23d) as a domain member (not a PDC/BDC). My 
> problem is that if I'm using user mapping with the option 'username map 
> = user.map' the Samba server doesn't see that I'm a member of several 
> domain groups and nested groups don't work. If I deactivate the 
> user mapping then nested groups work fine, but I've a different UID on 
> the Unix FS (from the idmap uid range) and I can't access my files.
> 
> The unix user:
>  bash-3.00# getent passwd raiweber
> raiweber:x:120:14:Rainer Weber:/home/raiweber:/usr/bin/bash
> 
> The windows user:
> bash-3.00# getent passwd WINDOWS+raiweber
> raiweber:*:10005:10002:Rainer Weber:/home/raiweber:/bin/bash
> 
> The user.map entry looks like:
> raiweber = "WINDOWS+raiweber"
> 
> The PDC is a Windows Server 2003 and we have both Unix and Windows users 
> with the same name.
> 
> 
> How can I map Windows users to a specific UID (e.g. WINDOWS+raiweber to 
> UID 120) and use nested groups?
> 
> Thanks.
> 
> Rainer
> 

-- 
+--------------------------------------+
| Max Planck Institute for Mathematics |
|        System Administration         |
|                                      |
|  Vivatsgasse 7, 53111 Bonn, Germany  |
|  Tel       +49 (0)228-402-239        |
|  Fax       +49 (0)228-402-277        |
|  Email     raiweber at mpim-bonn.mpg.de |
+--------------------------------------+
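As an added example (not part of the original post or of Samba itself), a small Python parser for the two level-10 dumps quoted above: it reads the SIDs the DC asserted in the PAC (dump_pac_logon_info) and the SIDs smbd actually put into the NT token (debug_nt_user_token), then reports which PAC groups were lost, which extra domain-range SIDs winbind resolved (the domain-local / trusted / nested groups the PAC does not carry), and whether the mapped login ended up with no NT token and a uid 0 / gid 0 UNIX token, as in the failing log. The sample dumps are constructed and abbreviated from the ones in the post.

```python
import re

# Constructed sample input, abbreviated from the level-10 dumps quoted in the post.
TOKEN_LOG = """\
   NT user token of user S-1-5-21-781721396-396832292-1671184278-1107
   contains 4 SIDs
   SID[  0]: S-1-5-21-781721396-396832292-1671184278-1107
   SID[  1]: S-1-5-21-781721396-396832292-1671184278-513
   SID[  2]: S-1-5-21-702622059-3335440352-4138491235-2001
   SID[  3]: S-1-5-32-545
"""
PAC_LOG = """\
         User SID: S-1-5-21-781721396-396832292-1671184278-1107
         Group SID: S-1-5-21-781721396-396832292-1671184278-513
                 0: sid: S-1-5-21-781721396-396832292-1671184278-513
                 1: sid: S-1-5-21-781721396-396832292-1671184278-1118
"""
NULL_LOG = """\
   NT user token: (NULL)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
"""
SID = r"S-1-\d+(?:-\d+)+"

def token_sids(log):
    """SIDs in a debug_nt_user_token dump, or None when smbd logged a (NULL) token."""
    if re.search(r"NT user token:\s*\(NULL\)", log):
        return None
    return re.findall(r"SID\[\s*\d+\]:\s*(" + SID + ")", log)

def pac_sids(log):
    """User, primary-group and membership SIDs from a dump_pac_logon_info dump."""
    return re.findall(r"(?:User SID|Group SID|sid):\s*(" + SID + ")", log)

def audit(token_log, pac_log):
    """Compare what the DC asserted (PAC) against the token smbd actually built."""
    pac, tok = set(pac_sids(pac_log)), token_sids(token_log)
    if tok is None:
        # No NT token: no group information reached smbd at all. A fallback UNIX
        # token of uid 0 / gid 0 is the worst identity a mapped login can land on.
        m = re.search(r"UNIX token of user (\d+)\s*\n\s*Primary group is (\d+)", token_log)
        return {"null_token": True, "root_unix": bool(m) and m.group(1, 2) == ("0", "0"),
                "missing": sorted(pac), "resolved": []}
    tok = set(tok)
    domain = {s for s in tok if s.startswith("S-1-5-21-")}
    # 'missing': PAC groups the token lost; 'resolved': domain-range SIDs the PAC
    # did not carry, i.e. domain-local / trusted-domain / nested groups winbind added.
    return {"null_token": False, "root_unix": False,
            "missing": sorted(pac - tok), "resolved": sorted(domain - pac)}
```

Run it against a real level-10 log by pasting the two dumps into the constants; a non-empty "resolved" list with an empty "missing" list is what a working nested-group setup looks like.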

