[Samba] User Manager for Domains -- Groups not showing

Ray Klassen rayklassen at gmail.com
Tue Feb 3 14:48:29 GMT 2009


Well, here's the deal, and I haven't tested it live yet, but it should work.

-samba queries the groups with a wildcard search against sambaSID.
-sambaSID was set to be indexed by 'eq' not 'sub'
-sambaSID cannot be indexed by 'sub' without an updated schema. I used
the one from the samba3 package I just installed
-after changing the index type in slapd.conf, slapindex has to be run.
-after that wildcard searches against ou=groups, etc for the sambaSID
attribute work
-ergo, when I run this live, samba searches for groups should work as well

Thanks Volker for setting me on the right path.

My slapd.conf is a mishmash from several howtos from a time when I
understood less.

Is there an ideal setup for indexing?
Currently I've got this:

index objectClass               eq
index cn                        pres,sub,eq
index sn                        pres,sub,eq
index uid                       pres,sub,eq
index displayName               pres,sub,eq
index uidNumber                 eq
index gidNumber                 eq
index memberUID                 eq
index sambaSID                  eq
index sambaPrimaryGroupSID      eq
index sambaDomainName           eq
index sambaGroupType            eq
index sambaSIDList              eq
index uniqueMember              eq
index default                   sub


sambaSID will be changed as of tonight some time, but are there any
other entries that are a pitfall for the future?

On Mon, Feb 2, 2009 at 3:37 PM, Ray Klassen <rayklassen at gmail.com> wrote:
> well that is the weirdest thing
>
> Just like the samba ldap request, it returns nothing
>
> although if I look at the record using
>
> ldapsearch -x -b ou=Groups,dc=thisdomain,dc=com '(&(cn=groupname*))'
>
> ...the sambaSID attribute is there just like it should be, with the
> right number and everything.
>
> Would a slapindex be in order? Or what?
>
>
> On Mon, Feb 2, 2009 at 10:17 AM, Volker Lendecke
> <Volker.Lendecke at sernet.de> wrote:
>> On Mon, Feb 02, 2009 at 09:16:06AM -0800, Ray Klassen wrote:
>>> One sanitized debug log coming up. This is not using user manager for
>>> domains. This is with net rpc group list.
>>>
>>>
>>> > What you need to do is provide a debug level 10 log of smbd
>>> > trying to enumerate groups.
>>> >
>>> > Volker
>>> >
>>>
>>>   smbldap_search_paged: base => [ou=Groups,dc=thisdomain,dc=com],
>>> filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))],scope
>>> => [2], pagesize => [1024]
>>> [2009/02/02 08:41:20, 5] lib/smbldap.c:smbldap_search_ext(1182)
>>>   smbldap_search_ext: base => [ou=Groups,dc=thisdomain,dc=com], filter
>>> => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))],
>>> scope => [2]
>>> [2009/02/02 08:41:20, 3] lib/smbldap.c:smbldap_search_paged(1333)
>>>   smbldap_search_paged: search was successfull
>>> [2009/02/02 08:41:20, 10] rpc_server/srv_samr_nt.c:_samr_query_dispinfo(1289)
>>>   samr_reply_query_dispinfo: starting group enumeration at index 0
>>> [2009/02/02 08:41:20, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2009/02/02 08:41:20, 5] rpc_parse/parse_samr.c:init_sam_dispinfo_3(1810)
>>>   init_sam_dispinfo_3: num_entries: 0
>>
>> To me this looks as if you don't have any groups in your
>> LDAP tree under ou=Groups,dc=thisdomain,dc=com. You should
>> be able to do the exact same search with ldapsearch:
>>
>> ldapsearch -x -b ou=Groups,dc=thisdomain,dc=com '(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))'
>>
>> and see what comes back.
>>
>> Volker
>>
>
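
An added example, not part of the original thread and not Samba or OpenLDAP code: a small checker that reads slapd.conf index lines and reports which assertions in an LDAP filter have no index of the matching type, using a subset of the index lines and the group-enumeration filter quoted above. The function names are hypothetical, the handling of "index default" is an assumption noted in the code, and it does not check the schema, which the message says must also be updated before sambaSID can be indexed 'sub'.

```python
import re

# Constructed sample: a subset of the index lines quoted in the message above.
SLAPD_CONF = """\
index objectClass               eq
index cn                        pres,sub,eq
index sambaSID                  eq
index sambaGroupType            eq
index default                   sub
"""

# The filter from the smbd debug log in the thread (SID masked as on the page).
FILTER = ("(&(objectclass=sambaGroupMapping)(sambaGroupType=2)"
          "(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))")

def parse_indexes(conf):
    """Map lower-cased attribute name -> set of index types from slapd.conf text."""
    default, indexes = set(), {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "index":
            continue
        attrs = parts[1].lower().split(",")
        types = set(parts[2].lower().split(",")) if len(parts) > 2 else None
        if attrs == ["default"]:
            # Assumption: "default" is used by later index lines that list no types.
            default = types or set()
            continue
        for attr in attrs:
            indexes.setdefault(attr, set()).update(default if types is None else types)
    return indexes

def needed_index(value):
    """Index type a simple attr=value assertion relies on."""
    if value == "*":
        return "pres"
    return "sub" if "*" in value else "eq"

def uncovered(filter_str, indexes):
    """Return (attr, needed_type) for each assertion lacking that index type."""
    missing = []
    for attr, value in re.findall(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)", filter_str):
        need = needed_index(value)
        if need not in indexes.get(attr.lower(), set()):
            missing.append((attr, need))
    return missing

if __name__ == "__main__":
    for attr, need in uncovered(FILTER, parse_indexes(SLAPD_CONF)):
        print(f"{attr}: filter needs '{need}' index")
```

Only equality, presence and substring assertions of the form attr=value are examined; after editing slapd.conf the indexes still have to be rebuilt with slapindex, as the message notes.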

