[Spam] [Samba] problems with samba bdc user/group lookups

Bill Schwanitz bilsch at bilsch.org
Fri Feb 16 19:06:20 GMT 2007



Dale,

Thanks - I think that has taken care of the permissions problems.

Question: Is there a reason the bdc needs direct communications with the
ldap database? I would have imagined these queries could be retrieved
via communication between smbd.

Bill

Dale Schroeder wrote:
> I believe your errors primarily lie in your BDC configuration.
> See 
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id304335
> for minimum requirements.
> 
> Bill Schwanitz wrote:
> I am trying to get a samba setup with a pdc/bdc configuration. The
> backend information stores are openldap ( for passdb and idmap )
> 
> I have followed the instructions in the Samba Guide and the
> documentation provided with the smbldap-tools package.
> 
> Samba version: 3.0.24
> smbldap-tools: Using the version included in samba (
> /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2 )
> 
> I can join machines to the domain. If I do a getent passwd from either
> of the two servers, I get the requisite information ( and it looks valid
> ). I have nsswitch pulling the information from ldap on both systems.
> 
> Layout:
> 
> fdsclient: pdc
> fdsclient2: bdc
> fdsmaster: openldap 2.2.13
> OS on all systems is CentOS 4, mostly up to date on patches ( as of a
> few days ago )
> All three systems are being run from within vmware - not sure it really
> matters here.
> 
> From the pdc, if I run the command "net rpc user -U root%pass", I get
> back the three currently-configured users. If I use the same command
> from the bdc, I get nothing. If I do a "wbinfo -u" from the bdc, I get
> the requisite information.
> 
> When I log into a windows machine ( joined to the domain ) and browse
> the shares on both pdc and bdc, I get mixed results in file/dir
> ownership. The files/dirs on the pdc report the domain\user values. If I
> look at the permissions of a share on the bdc, I get "Unix user \
> *user*" instead of the domain\user.
> 
> Below is the smb.conf configuration for the pdc:
> 
> [global]
>         workgroup = BILSCH.LOCAL
>         server string = Samba Server %v
>         security = user
>         passdb backend = ldapsam:ldap://fdsmaster.bilsch.local/
>         idmap backend = ldapsam:ldap://fdsmaster.bilsch.local/
>         passwd program = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-passwd -u %u
>         passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
>         passwd chat debug = Yes
>         passwd chat timeout = 5
>         enable privileges = yes
>         username map = /etc/samba/smbusers
>         log level = 3
>         log file = /var/log/samba/%m.log
>         max log size = 100000
>         time server = Yes
>         deadtime = 10
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         printcap name = cups
>         add user script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m "%u"
>         add group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupadd -p "%g"
>         add user to group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -m "%u" "%g"
>         delete user from group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -x "%u" "%g"
>         set primary group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-usermod -g '%g' '%u'
>         add machine script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w "%u"
>         logon script = logon.bat
>         logon path = \\fdsclient\profiles\%U
>         logon drive = H:
>         name resolve order = wins bcast hosts
>         domain logons = Yes
>         os level = 255
>         preferred master = Yes
>         domain master = Yes
>         local master = Yes
>         wins support = Yes
>         #ldap admin dn = cn=smbadmin,ou=DSA,dc=bilsch,dc=local
>         ldap admin dn = cn=Manager,dc=bilsch,dc=local
>         ldap group suffix = ou=Groups
>         ldap idmap suffix = ou=Idmap
>         ldap machine suffix = ou=Users,ou=Computers
>         ldap passwd sync = Yes
>         ldap suffix = dc=bilsch,dc=local
>         ldap ssl = start tls
>         ldap user suffix = ou=Users
>         #idmap uid = 15000-20000
>         #idmap gid = 15000-20000
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         create mask = 0640
>         directory mask = 0750
>         case sensitive = No
>         dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>         null passwords = yes
>         encrypt passwords = yes
> 
> smb.conf from the bdc:
> 
> [global]
>         workgroup = BILSCH.LOCAL
>         server string = Samba Server %v
>         security = domain
>         password server = fdsclient.bilsch.local
>         log level = 4
>         log file = /var/log/samba/%m.log
>         enable privileges = yes
>         max log size = 50
>         os level = 0
>         time server = Yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         load printers = No
>         local master = No
>         domain master = No
>         preferred master = No
>         dns proxy = No
>         cups options = raw
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind separator = +
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         template shell = /bin/false
>         winbind use default domain = Yes
>         nt acl support = yes
>         map acl inherit = yes
> 
> net rpc info output:
> 
> ( pdc )
> root@fdsclient:/var/log/samba# net rpc info -U root%*pass*
> Domain Name: BILSCH.LOCAL
> Domain SID: S-1-5-21-3786926362-4055794989-769170274
> Sequence number: 1171644069
> Num users: 3
> Num domain groups: 4
> Num local groups: 0
> 
> ( bdc )
> root@fdsclient2:/# net rpc info -U root%*pass*
> Domain Name: BILSCH.LOCAL
> Domain SID: S-1-5-21-3786926362-4055794989-769170274
> Sequence number: 1171644046
> Num users: 3
> Num domain groups: 4
> Num local groups: 0
> 
> root@fdsclient:/var/log/samba# net getdomainsid -U root%*pass*
> SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
> SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
> 
> root@fdsclient2:/# net getdomainsid -U root%*pass*
> SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
> SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
> 
> with smbclient, accessing a share on the bdc, with showacls on:
> 
> FILENAME:\vmware-config0
> MODE:D
> SIZE:0
> MTIME:Mon Feb 12 10:06:32 2007
> revision: 1
> type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
> DACL
>         ACL     Num ACEs:       3       revision:       2
>         ---
>         ACE
>                 type: ACCESS ALLOWED (0) flags: 0
>                 Specific bits: 0x1ff
>                 Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
>                 SID: S-1-22-1-0
> 
>         ACE
>                 type: ACCESS ALLOWED (0) flags: 0
>                 Specific bits: 0xa9
>                 Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
>                 SID: S-1-22-2-0
> 
>         ACE
>                 type: ACCESS ALLOWED (0) flags: 0
>                 Specific bits: 0xa9
>                 Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
>                 SID: S-1-1-0
> 
>         Owner SID:      S-1-22-1-0
>         Parent SID:     S-1-22-2-0
> 
> Anyone have ideas on what I am doing wrong here?
> 

--

Bill Schwanitz

An eye for an eye makes the whole world blind.
   - Mahatma Gandhi
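
An added example, not part of the thread: a small audit of the quoted BDC settings and `net getdomainsid` output, showing why the BDC cannot resolve domain identities and its ACLs fall back to Unix SIDs (S-1-22-...). The checks (security = user, an ldapsam passdb backend, domain logons enabled, domain master = No, local SID equal to the domain SID) are assumptions based on the BDC requirements in the Samba 3 HOWTO chapter Dale links; `parse_global` and `audit_bdc` are hypothetical names.

```python
import re

# Constructed sample: the role-related [global] lines from the BDC smb.conf
# quoted in the thread (other parameters omitted).
BDC_CONF = """
[global]
        workgroup = BILSCH.LOCAL
        security = domain
        password server = fdsclient.bilsch.local
        domain master = No
"""
# `net getdomainsid` output from the BDC, as quoted in the thread.
BDC_SIDS = """
SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf, keys lower-cased."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_bdc(conf_text, sid_text):
    """List deviations from the assumed Samba 3 BDC requirements."""
    p, findings = parse_global(conf_text), []
    if p.get("security", "user").lower() != "user":
        findings.append("security = %s (a DC uses security = user)" % p["security"])
    if not p.get("passdb backend", "").startswith("ldapsam:"):
        findings.append("passdb backend is not ldapsam")
    if p.get("domain logons", "no").lower() not in ("yes", "true", "1"):
        findings.append("domain logons is not enabled")
    if p.get("domain master", "auto").lower() not in ("no", "false", "0"):
        findings.append("domain master must be No on a BDC")
    sids = dict(re.findall(r"SID for domain (\S+) is: (S-[\d-]+)", sid_text))
    domain = p.get("workgroup", "").upper()
    local = [s for name, s in sids.items() if name.upper() != domain]
    if domain in sids and any(s != sids[domain] for s in local):
        findings.append("local machine SID differs from the domain SID")
    return findings
```

Run against the quoted BDC data, `audit_bdc(BDC_CONF, BDC_SIDS)` reports four findings; the PDC's `net getdomainsid` output, where both SIDs match, produces no SID finding.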

