[Spam] [Samba] problems with samba bdc user/group lookups
Bill Schwanitz
bilsch at bilsch.org
Fri Feb 16 19:06:20 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dale,
Thanks - I think that has taken care of the permissions problems.
Question: Is there a reason the bdc needs direct communications with the
ldap database? I would have imagined these queries could be retrieved
via communication between smbd.
Bill
Dale Schroeder wrote:
> I believe your errors primarily lie in your BDC configuration.
> See
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id304335
> for minimum requirements.
>
> Bill Schwanitz wrote:
> I am trying to get a samba setup with a pdc/bdc configuration. The
> backend information stores are openldap (for passdb and idmap)
>
> I have followed the instructions in the Samba Guide and the
> documentation provided with the smbldap-tools package.
>
> Samba version: 3.0.24
> smbldap-tools: Using the version included in samba (
> /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2 )
>
> I can join machines to the domain. If I do a getent passwd from either
> of the two servers, I get the requisite information (and it looks
> valid). I have nsswitch pulling the information from ldap on both systems.
>
> Layout:
>
> fdsclient: pdc
> fdsclient2: bdc
> fdsmaster: openldap 2.2.13
> OS on all systems is CentOS 4, mostly up to date on patches (as of a
> few days ago)
> All three systems are being run from within vmware - not sure it really
> matters here.
>
> From the pdc, if I run the command "net rpc user -U root%pass", I get
> back the three currently-configured users. If I use the same command
> from the bdc, I get nothing. If I do a "wbinfo -u" from the bdc, I get
> the requisite information.
>
> when I log into a windows machine ( joined to the domain ) and browse
> the shares on both pdc and bdc, I get mixed results in file/dir
> ownership. The files/dirs on the pdc report the domain\user values. If I
> look at the permissions of a share on the bdc, I get "Unix user \
> *user*" instead of the domain\user.
>
> Below is the smb.conf configuration for the pdc:
>
> [global]
> workgroup = BILSCH.LOCAL
> server string = Samba Server %v
> security = user
> passdb backend = ldapsam:ldap://fdsmaster.bilsch.local/
> idmap backend = ldapsam:ldap://fdsmaster.bilsch.local/
> passwd program = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-passwd -u %u
> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
> passwd chat debug = Yes
> passwd chat timeout = 5
> enable privileges = yes
> username map = /etc/samba/smbusers
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 100000
> time server = Yes
> deadtime = 10
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = cups
> add user script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m "%u"
> add group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupadd -p "%g"
> add user to group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w "%u"
> logon script = logon.bat
> logon path = \\fdsclient\profiles\%U
> logon drive = H:
> name resolve order = wins bcast hosts
> domain logons = Yes
> os level = 255
> preferred master = Yes
> domain master = Yes
> local master = Yes
> wins support = Yes
> #ldap admin dn = cn=smbadmin,ou=DSA,dc=bilsch,dc=local
> ldap admin dn = cn=Manager,dc=bilsch,dc=local
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Users,ou=Computers
> ldap passwd sync = Yes
> ldap suffix = dc=bilsch,dc=local
> ldap ssl = start tls
> ldap user suffix = ou=Users
> #idmap uid = 15000-20000
> #idmap gid = 15000-20000
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> create mask = 0640
> directory mask = 0750
> case sensitive = No
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> null passwords = yes
> encrypt passwords = yes
>
> smb.conf from the bdc:
>
> [global]
> workgroup = BILSCH.LOCAL
> server string = Samba Server %v
> security = domain
> password server = fdsclient.bilsch.local
> log level = 4
> log file = /var/log/samba/%m.log
> enable privileges = yes
> max log size = 50
> os level = 0
> time server = Yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> local master = No
> domain master = No
> preferred master = No
> dns proxy = No
> cups options = raw
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind separator = +
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/false
> winbind use default domain = Yes
> nt acl support = yes
> map acl inherit = yes
>
> net rpc info output:
>
> ( pdc )
> root at fdsclient:/var/log/samba# net rpc info -U root%*pass*
> Domain Name: BILSCH.LOCAL
> Domain SID: S-1-5-21-3786926362-4055794989-769170274
> Sequence number: 1171644069
> Num users: 3
> Num domain groups: 4
> Num local groups: 0
>
> ( bdc )
> root at fdsclient2:/# net rpc info -U root%*pass*
> Domain Name: BILSCH.LOCAL
> Domain SID: S-1-5-21-3786926362-4055794989-769170274
> Sequence number: 1171644046
> Num users: 3
> Num domain groups: 4
> Num local groups: 0
>
> root at fdsclient:/var/log/samba# net getdomainsid -U root%*pass*
> SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
> SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
>
> root at fdsclient2:/# net getdomainsid -U root%*pass*
> SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
> SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
>
> with smbclient, accessing a share on the bdc, with showacls on:
>
> FILENAME:\vmware-config0
> MODE:D
> SIZE:0
> MTIME:Mon Feb 12 10:06:32 2007
> revision: 1
> type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
> DACL
> ACL Num ACEs: 3 revision: 2
> ---
> ACE
> type: ACCESS ALLOWED (0) flags: 0
> Specific bits: 0x1ff
> Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS
> WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
> SID: S-1-22-1-0
>
> ACE
> type: ACCESS ALLOWED (0) flags: 0
> Specific bits: 0xa9
> Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
> READ_CONTROL_ACCESS
> SID: S-1-22-2-0
>
> ACE
> type: ACCESS ALLOWED (0) flags: 0
> Specific bits: 0xa9
> Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
> READ_CONTROL_ACCESS
> SID: S-1-1-0
>
> Owner SID: S-1-22-1-0
> Parent SID: S-1-22-2-0
>
> Anyone have ideas on what I am doing wrong here?
>
--
Bill Schwanitz
An eye for an eye makes the whole world blind.
- Mahatma Gandhi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFF1gCsujRCu3O+ziARAkXaAKDDNGaDzvW4PbJZgcslc8TN1aLdAgCfXxSt
fXEjSacJalkscV6jmoWiFQw=
=5v+1
-----END PGP SIGNATURE-----
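The showacls dump quoted in the thread is the concrete evidence for the "Unix user \ user" symptom. Samba exposes POSIX ids that it cannot map to a domain SID under its own S-1-22 authority: S-1-22-1-<uid> is rendered by a Windows client as "Unix User\name" and S-1-22-2-<gid> as "Unix Group\name", while S-1-1-0 is Everyone. The owner and parent SIDs on the BDC's share are S-1-22-1-0 and S-1-22-2-0, so no domain SID is attached to that directory at all. The Python below is an added example written for this page, not code from the thread or from the Samba project: it parses the pasted ACL (re-typed inline as a constant), decodes every SID and access mask, and reports whether the owner sits under the domain SID that `net rpc info` returned. The domain SID constant comes from the thread; the function and regex names are my own.

```python
"""Decode SIDs and access masks in `smbclient ... showacls` output.

Added example for this page (not code from the thread or from Samba).
SAMPLE_ACL is the ACL the original poster pasted for \\vmware-config0 on
the BDC, re-typed here (constructed input) so the script runs offline.
"""
import re

# Domain SID that `net rpc info` returned on both the PDC and the BDC.
DOMAIN_SID = "S-1-5-21-3786926362-4055794989-769170274"

# Samba's "Unix" authority: POSIX ids with no domain SID are exposed as
# S-1-22-1-<uid> ("Unix User\name") and S-1-22-2-<gid> ("Unix Group\name").
UNIX_USER_PREFIX = "S-1-22-1-"
UNIX_GROUP_PREFIX = "S-1-22-2-"
WELL_KNOWN = {"S-1-1-0": "Everyone"}

# Access-mask bits for file objects (winnt.h), low bits first.
ACCESS_BITS = [
    (0x00000001, "READ_DATA/LIST_DIRECTORY"),
    (0x00000002, "WRITE_DATA/ADD_FILE"),
    (0x00000004, "APPEND_DATA/ADD_SUBDIRECTORY"),
    (0x00000008, "READ_EA"),
    (0x00000010, "WRITE_EA"),
    (0x00000020, "EXECUTE/TRAVERSE"),
    (0x00000040, "DELETE_CHILD"),
    (0x00000080, "READ_ATTRIBUTES"),
    (0x00000100, "WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
FILE_ALL_ACCESS = 0x001F01FF            # mask on the owner ACE in the dump
FILE_GENERIC_READ_EXECUTE = 0x001200A9  # mask on the group / Everyone ACEs

SAMPLE_ACL = r"""
FILENAME:\vmware-config0
ACL Num ACEs: 3 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0x1ff
Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS
WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
SID: S-1-22-1-0

ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0xa9
Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
READ_CONTROL_ACCESS
SID: S-1-22-2-0

ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0xa9
Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
READ_CONTROL_ACCESS
SID: S-1-1-0

Owner SID: S-1-22-1-0
Parent SID: S-1-22-2-0
"""


def describe_sid(sid, domain_sid=DOMAIN_SID):
    """Classify a SID: well-known, Samba Unix user/group, domain RID, or other."""
    if sid in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[sid])
    if sid.startswith(UNIX_USER_PREFIX):
        return ("unix-user", int(sid[len(UNIX_USER_PREFIX):]))
    if sid.startswith(UNIX_GROUP_PREFIX):
        return ("unix-group", int(sid[len(UNIX_GROUP_PREFIX):]))
    if sid.startswith(domain_sid + "-"):
        return ("domain", int(sid[len(domain_sid) + 1:]))
    return ("other", sid)


def describe_mask(mask):
    """Expand an access mask into named bits, tagging the two common composites."""
    names = [name for bit, name in ACCESS_BITS if mask & bit]
    if mask == FILE_ALL_ACCESS:
        names.append("= FILE_ALL_ACCESS")
    elif mask == FILE_GENERIC_READ_EXECUTE:
        names.append("= FILE_GENERIC_READ | FILE_GENERIC_EXECUTE")
    return names


ACE_RE = re.compile(r"Permissions:\s*0x([0-9a-fA-F]+).*?SID:\s*(S-[\d-]+)", re.S)
OWNER_RE = re.compile(r"Owner SID:\s*(S-[\d-]+)")
GROUP_RE = re.compile(r"Parent SID:\s*(S-[\d-]+)")


def parse_showacls(text, domain_sid=DOMAIN_SID):
    """Parse one file's showacls block. owner_is_domain is True only when the
    owner SID lives under the domain SID, i.e. Windows will show DOMAIN\\user
    rather than "Unix User\\name"."""
    owner = describe_sid(OWNER_RE.search(text).group(1), domain_sid)
    group = describe_sid(GROUP_RE.search(text).group(1), domain_sid)
    aces = [(describe_sid(sid, domain_sid), describe_mask(int(mask, 16)))
            for mask, sid in ACE_RE.findall(text)]
    return {"owner": owner, "group": group, "aces": aces,
            "owner_is_domain": owner[0] == "domain"}


if __name__ == "__main__":
    for key, value in parse_showacls(SAMPLE_ACL).items():
        print(key, value)
```

Run against the pasted dump, the owner decodes as Unix user uid 0 and the parent as Unix group gid 0, so the BDC is handing the client local POSIX ids, not SIDs from S-1-5-21-3786926362-4055794989-769170274. On the PDC, where the same check would find owners under the domain SID, the client shows domain\user. Comparing this output from a share on each server is a quick way to confirm whether a fix to the BDC's passdb/idmap setup has taken effect.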