[Samba] problems with samba bdc user/group lookups
Bill Schwanitz
bilsch at bilsch.org
Fri Feb 16 17:16:52 GMT 2007
I am trying to get a samba setup with a pdc/bdc configuration. The
backend information stores are openldap ( for passdb and idmap ).
I have followed the instructions in the Samba Guide and the
documentation provided with the smbldap-tools package.
Samba version: 3.0.24
smbldap-tools: Using the version included in samba (
/usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2 )
I can join machines to the domain. If I do a getent passwd from either
of the two servers, I get the requisite information ( and it looks valid
). I have nsswitch pulling the information from ldap on both systems.
Layout:
fdsclient: pdc
fdsclient2: bdc
fdsmaster: openldap 2.2.13
OS on all systems is CentOS 4, mostly up to date on patches ( as of a
few days ago )
All three systems are being run from within vmware - not sure it really
matters here.
From the pdc, if I run the command "net rpc user -U root%pass", I get
back the three currently-configured users. If I use the same command
from the bdc, I get nothing. If I do a "wbinfo -u" from the bdc, I get
the requisite information.
When I log into a windows machine ( joined to the domain ) and browse
the shares on both pdc and bdc, I get mixed results in file/dir
ownership. The files/dirs on the pdc report the domain\user values. If I
look at the permissions of a share on the bdc, I get "Unix user \
*user*" instead of the domain\user.
Below is the smb.conf configuration for the pdc:
[global]
workgroup = BILSCH.LOCAL
server string = Samba Server %v
security = user
passdb backend = ldapsam:ldap://fdsmaster.bilsch.local/
idmap backend = ldapsam:ldap://fdsmaster.bilsch.local/
passwd program = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
passwd chat debug = Yes
passwd chat timeout = 5
enable privileges = yes
username map = /etc/samba/smbusers
log level = 3
log file = /var/log/samba/%m.log
max log size = 100000
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
add user script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m "%u"
add group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupadd -p "%g"
add user to group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-usermod -g '%g' '%u'
add machine script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w "%u"
logon script = logon.bat
logon path = \\fdsclient\profiles\%U
logon drive = H:
name resolve order = wins bcast hosts
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
#ldap admin dn = cn=smbadmin,ou=DSA,dc=bilsch,dc=local
ldap admin dn = cn=Manager,dc=bilsch,dc=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Users,ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=bilsch,dc=local
ldap ssl = start tls
ldap user suffix = ou=Users
#idmap uid = 15000-20000
#idmap gid = 15000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create mask = 0640
directory mask = 0750
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
null passwords = yes
encrypt passwords = yes
smb.conf from the bdc:
[global]
workgroup = BILSCH.LOCAL
server string = Samba Server %v
security = domain
password server = fdsclient.bilsch.local
log level = 4
log file = /var/log/samba/%m.log
enable privileges = yes
max log size = 50
os level = 0
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
local master = No
domain master = No
preferred master = No
dns proxy = No
cups options = raw
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
winbind use default domain = Yes
nt acl support = yes
map acl inherit = yes
net rpc info output:
( pdc )
root@fdsclient:/var/log/samba# net rpc info -U root%*pass*
Domain Name: BILSCH.LOCAL
Domain SID: S-1-5-21-3786926362-4055794989-769170274
Sequence number: 1171644069
Num users: 3
Num domain groups: 4
Num local groups: 0
( bdc )
root@fdsclient2:/# net rpc info -U root%*pass*
Domain Name: BILSCH.LOCAL
Domain SID: S-1-5-21-3786926362-4055794989-769170274
Sequence number: 1171644046
Num users: 3
Num domain groups: 4
Num local groups: 0
root@fdsclient:/var/log/samba# net getdomainsid -U root%*pass*
SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
root@fdsclient2:/# net getdomainsid -U root%*pass*
SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
with smbclient, accessing a share on the bdc, with showacls on:
FILENAME:\vmware-config0
MODE:D
SIZE:0
MTIME:Mon Feb 12 10:06:32 2007
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 3 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0x1ff
Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS
WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
SID: S-1-22-1-0
ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0xa9
Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
READ_CONTROL_ACCESS
SID: S-1-22-2-0
ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0xa9
Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
READ_CONTROL_ACCESS
SID: S-1-1-0
Owner SID: S-1-22-1-0
Parent SID: S-1-22-2-0
Anyone have ideas on what I am doing wrong here?
--
Bill Schwanitz
An eye for an eye makes the whole world blind.
- Mahatma Gandhi
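Added example, not part of the post above: a small Python checker that parses the smbclient showacls listing quoted in the message and flags every SID in Samba's S-1-22 Unix User/Group namespace (S-1-22-1-uid, S-1-22-2-gid), which is what a Windows client renders as "Unix user \ user" when idmap has not resolved the owner to a domain SID of the form S-1-5-21-.... The sample input is the post's listing embedded as a constructed string; the function names are my own.

```python
import re

# Constructed sample input: the smbclient "showacls" listing from the post
# for \vmware-config0 on the bdc, reduced to the lines the parser reads.
SHOWACLS_OUTPUT = """\
FILENAME:\\vmware-config0
MODE:D
ACE
type: ACCESS ALLOWED (0) flags: 0
Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS
SID: S-1-22-1-0
ACE
type: ACCESS ALLOWED (0) flags: 0
Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
SID: S-1-22-2-0
ACE
type: ACCESS ALLOWED (0) flags: 0
Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
SID: S-1-1-0
Owner SID: S-1-22-1-0
Parent SID: S-1-22-2-0
"""

UNIX_NS = re.compile(r"^S-1-22-(1|2)-(\d+)$")  # Samba's Unix User / Unix Group SIDs

def classify_sid(sid):
    """Name the namespace a SID belongs to; S-1-22 means idmap did not resolve it."""
    m = UNIX_NS.match(sid)
    if m:
        kind = "unix_user" if m.group(1) == "1" else "unix_group"
        return kind, int(m.group(2))           # second element is the raw uid/gid
    if sid == "S-1-1-0":
        return "everyone", None
    if sid.startswith("S-1-5-21-"):
        return "domain", sid.rsplit("-", 1)[-1]  # second element is the RID
    return "other", None

def parse_showacls(text):
    """Return owner SID, group SID and a list of (access_mask, sid) ACE tuples."""
    owner = group = mask = None
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Owner SID:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("Parent SID:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("Permissions:"):
            mask = int(line.split(":")[1].strip(), 16)   # e.g. 0x1f01ff = full control
        elif line.startswith("SID:"):
            aces.append((mask, line.split(":", 1)[1].strip()))
    return {"owner": owner, "group": group, "aces": aces}

def unmapped_sids(parsed):
    """SIDs still in the S-1-22 namespace, i.e. shown to clients as 'Unix User\\...'."""
    seen = [parsed["owner"], parsed["group"]] + [s for _, s in parsed["aces"]]
    return sorted({s for s in seen if classify_sid(s)[0].startswith("unix_")})
```

Run it against the listing from each server: an empty result from `unmapped_sids` means every principal resolved to a domain SID, while S-1-22 entries point at the idmap configuration on that host.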