[Samba] group mapping on a member server - winbindd and solaris 10

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Sep 18 21:49:42 GMT 2007


From what I can tell it does look as if I have to run winbindd on
member servers, even if NIS is used, to get SIDs mapping consistently
across the domain.

The PDC is Samba 3.025a on Solaris 10. Two member servers are Samba
3.025a on Solaris 9.

If I start winbindd on a member server, the "wbinfo -u" and "wbinfo -g"
commands show my users and groups. However, the winbindd.log shows

[2007/09/18 17:36:39, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine MYPDC  pipe \lsarpc fnum 0x74c1 bind
request returned ok.
[2007/09/18 17:36:39, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine MYPDC pipe \lsarpc fnum 0x74c2 bind
request returned ok.
[2007/09/18 17:36:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2007/09/18 17:36:39, 1]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_OP_RNG_ERROR received from remote machine MYPDC pipe
\lsarpc fnum 0x74c2!
[2007/09/18 17:36:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8



I also have a member server running Samba 3.024 on Fedora Core 6.
Winbind does not generate this error. I also don't get this error if
I run winbindd on the PDC (although I don't have any need to, since
group mapping is working fine on that machine).

I have not set up winbind entries in nsswitch.conf on any server.
(Not sure if I need to and whether it will cause issues with unix
level logins.)

Thanks








----------------------------------------------------------------------------------------
From: 	Gaiseric Vandal <gaiseric.vandal at gmail.com>
To: 	samba <samba at lists.samba.org>
Subject: 	[Samba] group mapping on a member server
Date: 	Mon, 17 Sep 2007 17:18:00 -0400


I have installed a Samba 3.025a PDC and 2 member servers. All on
Solaris. (The Samba PDC replaced an NT4 PDC. Account data was
migrated with the "net vampire" command.) All Solaris machines use
NIS. On the PDC I created group mappings between the NIS groups and
the Windows groups.

I can access file shares on all machines from Win XP or Win 2000
clients. On the security properties of a directory on the PDC, I can
view and set user and group permissions. The users and groups show
the correct domain. For example, assuming the domain is "ACME",

    "johnsmith (ACME\johnsmith)"
    "sales (ACME\sales)"

On the member server shares, I can attempt to add users and groups
from the "ACME" domain, but they don't stick.  Permissions set on the
unix level show up as

    "johnsmith (unix user\johnsmith)"
    "sales (unix group\sales)"


This is the sunfreeware build of Samba, with ACL support enabled by
default. Solaris supports ACLs so I can add multiple groups or users
on the Solaris level. And I do seem to have the proper access.

Logs on the member servers show

[2007/09/17 16:02:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1423)

  create_canon_ace_lists: unable to map SID S-xyzxyz--xyzxyz-xyzxyz to
uid or gid.

When I created the group mappings, I explicitly set RIDs. (Domain
Admins = 512, sales=10001 etc)


I am not running Winbind on any machine since I am not attempting to
do unix level authentication against the samba accounts.

Advice is appreciated

Thanks

