[Samba] Strange PDC issue

Mailing List SVR lists at svrinformatica.it
Sun Jun 1 19:52:20 GMT 2008


On Sun, 01/06/2008 at 21.14 +0200, Mailing List SVR wrote:
> On Sat, 31/05/2008 at 21.01 +0200, Mailing List SVR wrote:
> > Hi all,
> > 
> > I have a really strange PDC issue: 
> > 
> > Windows clients are able to join and to log in; however, some clients have
> > permission issues on their local machine, for example they cannot modify
> > settings such as menubar, folder view, set quick start shortcuts, etc.,
> > so they cannot use the PC. However, if they create a desktop file or
> > folder, on logoff their profiles are correctly updated.
> > 
> > On the same machine some users can do these things and some other
> > cannot. The users are all local machine administrators.
> > 
> > Google doesn't seem to help. Has anyone else seen this really strange issue?
> > 
> > My system is CentOS 5.1 (all updates applied) with the default Samba
> > (3.0.25).
> > 
> > in my logs nothing seems interesting
> > 
> > here is my configuration:
> > 
> > [global]
> > unix charset = ISO-8859-15
> > display charset = ISO-8859-15
> > workgroup = PDC
> > server string = Server di dominio 
> > interfaces = lo, eth0
> > bind interfaces only = Yes
> > obey pam restrictions = Yes
> > passdb backend = tdbsam
> > pam password change = Yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
> > username map = /etc/samba/smbusers
> > unix password sync = Yes
> > log level = 1
> > syslog = 0
> > log file = /var/log/samba/%m.log
> > max log size = 100
> > name resolve order = wins bcast hosts
> > time server = Yes
> > printcap name = CUPS
> > show add printer wizard = No
> > add user script = /usr/sbin/useradd "%u" -n -g users
> > delete user script = /usr/sbin/userdel "%u"
> > add group script = /usr/sbin/groupadd "%g"
> > delete group script = /usr/sbin/groupdel "%g"
> > add user to group script = /usr/sbin/usermod -G '%g' '%u'
> > delete user from group script = /usr/sbin/userdel "%u" "%g"
> > add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
> > abort shutdown script = /sbin/shutdown -c
> > logon script = scripts\logon.bat
> > logon path = \\%L\profiles\%U
> > logon drive = H:
> > logon home = \\%L\%U
> > domain logons = Yes
> > os level = 255
> > preferred master = Yes
> > domain master = Yes
> > dns proxy = No
> > wins support = Yes
> > invalid users = bin, deamon, sys, man, postfix, mail, ftp
> > admin users = root
> > hosts allow = 127., 192.168.2.
> > map acl inherit = Yes
> > printing = cups
> > cups options = raw
> > print command = 
> > lpq command = %p
> > lprm command = 
> > hide unreadable = Yes
> > veto files = /*.eml/*.nws/*.{*}/
> > veto oplock files = /*.doc/*.xls/*.mdb/
> > 
> > [homes]
> > comment = Home Directories
> > valid users = %S
> > read only = No
> > browseable = No
> > 
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > guest ok = Yes
> > printable = Yes
> > use client driver = Yes
> > browseable = No
> > 
> > [netlogon]
> > comment = Network Logon Service
> > path = /home/samba/netlogon
> > guest ok = Yes
> > locking = No
> > share modes = No
> > 
> > [Profiles]
> > comment = Roaming Profile Share
> > path = /home/samba/profiles
> > read only = No
> > profile acls = Yes
> > case sensitive = No
> > preserve case = No
> > short preserve case = No
> > hide files = /desktop.ini/ntuser.ini/NTUSER.*/
> > browseable = No
> > csc policy = disable
> > 
> > 
> > thanks
> > Nicola
> > 
> 
> I just updated to 3.0.28 (srpm from rhel 5 update 2) but still the same
> issue.
> 
> net groupmap list
> 
> gives this result:
> 
> Domain Users (S-1-5-21-487449451-2765197844-2627020230-1002) -> users
> Produzione (S-1-5-21-487449451-2765197844-2627020230-1004) -> produzione
> Vss (S-1-5-21-487449451-2765197844-2627020230-1006) -> vss
> Domain Admins (S-1-5-21-487449451-2765197844-2627020230-1001) -> root
> Domain Guests (S-1-5-21-487449451-2765197844-2627020230-1003) -> nobody
> Amministrazione (S-1-5-21-487449451-2765197844-2627020230-1005) -> amministrazione
> 
> If I remember correctly, the last part of "Domain Users" was 513 and not
> 1002; can this create issues?
> 
> thanks
> Nicola
> 

I remapped the Windows groups and Unix groups:

net groupmap add rid=512 ntgroup="Domain Admins"  unixgroup=root type=d
net groupmap add rid=513 ntgroup="Domain Users"   unixgroup=users type=d
net groupmap add rid=514 ntgroup="Domain Guests"  unixgroup=nobody type=d
net groupmap add rid=547 ntgroup="Power Users"    unixgroup=wheel type=d


now:

net groupmap list
Produzione (S-1-5-21-487449451-2765197844-2627020230-1020) -> produzione
Vss (S-1-5-21-487449451-2765197844-2627020230-1022) -> vss
Power Users (S-1-5-21-487449451-2765197844-2627020230-547) -> wheel
Amministrazione (S-1-5-21-487449451-2765197844-2627020230-1021) -> amministrazione
Domain Users (S-1-5-21-487449451-2765197844-2627020230-513) -> users
Domain Admins (S-1-5-21-487449451-2765197844-2627020230-512) -> root
Domain Guests (S-1-5-21-487449451-2765197844-2627020230-514) -> nobody

If I add a user to the root group all is fine; however, "Domain Users"
have the problems described above.


regards,
Nicola
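
Added example (not part of the original post): a check for the RID question raised in this thread. It parses `net groupmap list` output, re-joins entries that the mail client wrapped after `->`, and reports well-known domain groups that are unmapped or not on RIDs 512/513/514. The listings are copied from the messages above; the function names are hypothetical.

```python
import re

# Well-known domain-relative RIDs (fixed Windows constants).
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")
# Listings copied from the thread, including the mail-wrapped entry.
BEFORE = """\
Domain Users (S-1-5-21-487449451-2765197844-2627020230-1002) -> users
Produzione (S-1-5-21-487449451-2765197844-2627020230-1004) -> produzione
Vss (S-1-5-21-487449451-2765197844-2627020230-1006) -> vss
Domain Admins (S-1-5-21-487449451-2765197844-2627020230-1001) -> root
Domain Guests (S-1-5-21-487449451-2765197844-2627020230-1003) -> nobody
Amministrazione (S-1-5-21-487449451-2765197844-2627020230-1005) ->
amministrazione
"""
AFTER = """\
Power Users (S-1-5-21-487449451-2765197844-2627020230-547) -> wheel
Domain Users (S-1-5-21-487449451-2765197844-2627020230-513) -> users
Domain Admins (S-1-5-21-487449451-2765197844-2627020230-512) -> root
Domain Guests (S-1-5-21-487449451-2765197844-2627020230-514) -> nobody
"""

def parse_groupmap(text):
    """Return (ntgroup, sid, unixgroup) tuples from `net groupmap list` output."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = f"{pending} {raw.strip()}".strip()
        pending = ""
        if line.endswith("->"):  # entry wrapped after the arrow: join with next line
            pending = line
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries

def check_rids(entries):
    """List well-known groups that are unmapped or carry a non-standard RID."""
    findings = []
    rid_of = {name: int(sid.rsplit("-", 1)[1]) for name, sid, _ in entries}
    for name, expected in WELL_KNOWN_RIDS.items():
        if name not in rid_of:
            findings.append(f"{name}: no mapping")
        elif rid_of[name] != expected:
            findings.append(f"{name}: RID {rid_of[name]}, expected {expected}")
    return findings

if __name__ == "__main__":
    print(check_rids(parse_groupmap(BEFORE)), check_rids(parse_groupmap(AFTER)))
```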


