[Samba] Having problems with Samba and openLDAP Groups
liutauras.adomaitis at gmail.com
Wed Jun 3 18:47:40 GMT 2009
On Thu, May 28, 2009 at 11:59 PM, Matt Burkhardt <mlb at imparisystems.com> wrote:
> On Thu, 2009-05-28 at 23:29 +0300, Liutauras Adomaitis wrote:
> On Thu, May 28, 2009 at 3:53 PM, Matt Burkhardt <mlb at imparisystems.com>
>> Thanks for the help! I appreciate you taking the time!
>> On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote:
>>> [2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616)
>>> user 'mlb' (from session setup) not permitted to access this share
>>> [2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106)
>>> error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
>> I guess your user mib is not in group @Staff. What do you get with
>> commands: smbldap-tools works only with ldap, it doesn't mean system
>> sees those users.
>> id mib
>> getent passwd | grep mib
>> getent group | grep -i staff
>> id mlb
>> uid=1000(mlb) gid=1000(mlb)
>> getent passwd | grep mlb
>> mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
>> getent group | grep -i Staff
> You have 3 groups Staff and 2 users mib. This confuses me a bit. It
> may be your problem. I think you should have only one user mib.
> You should also make sure you have 1 group Staff. Check your "net
> groupmap list" to see how the Staff group maps to the Windows group.
> Those are deleted entries - they don't show up in either the webmin module
> or phpldapadmin. Here's the results from the net groupmap list
> Domain Admins (S-1-5-21-3529111891-2609867799-3129462049-512) -> Domain
> Domain Users (S-1-5-21-3529111891-2609867799-3129462049-513) -> Domain Users
> Domain Guests (S-1-5-21-3529111891-2609867799-3129462049-514) -> Domain
> Domain Computers (S-1-5-21-3529111891-2609867799-3129462049-515) -> Domain
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> Staff (S-1-5-21-3529111891-2609867799-3129462049-3029) -> Staff
Have you solved your problem? I've been a bit busy.
Your groupmap list looks nice, but I still think there is something to
dig around group membership.
Some more things to check, if you didn't do that already:
- smbldap-groupshow Staff - this should give an idea of the gidNumber and
SID of the Staff group in LDAP
- Do you run nscd? I had a lot of problems with it and LDAP
authentication. Samba Docs even say that this is not supported, if I
remember correctly. nscd could be responsible for showing groups that
are already deleted.
- Have you tried using another group, like "Domain Users"? If it works with
another group then it is a problem with your group Staff.
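
The membership checks discussed in this thread (id, getent passwd, getent group | grep -i staff) can be combined into one script that flags an ambiguous group name and tests whether the user is really in the group. This is an added example, not part of the original messages; the function names, the user jdoe and all gid values in the sample data are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample data in getent format (not output from the thread).
SAMPLE_GROUP='mlb:x:1000:
staff:x:50:
Staff:*:2001:jdoe
Staff:*:2001:jdoe'
SAMPLE_PASSWD='mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
jdoe:x:1001:513:J Doe:/home/jdoe:/bin/bash'

# Count entries for group $1 (case-insensitive, like "grep -i") in group db $2.
count_group_entries() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        'tolower($1) == tolower(g) { n++ } END { print n + 0 }'
}

# Print the distinct gidNumbers behind group name $1 in group db $2.
group_gids() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        'tolower($1) == tolower(g) { print $3 }' | sort -nu | paste -sd ' ' -
}

# Succeed if user $1 is in group $2 (member list or primary gid).
# $3 is the group db text, $4 the passwd db text.
user_in_group() {
    pgid=$(printf '%s\n' "$4" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
    printf '%s\n' "$3" | awk -F: -v g="$2" -v u="$1" -v pgid="$pgid" '
        tolower($1) == tolower(g) {
            if (pgid != "" && $3 == pgid) found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Summarise what a share restricted to @group has to work with.
report() {
    n=$(count_group_entries "$2" "$3")
    echo "$2: $n entries, gids: $(group_gids "$2" "$3")"
    if [ "$n" -gt 1 ]; then echo "WARNING: $2 is ambiguous"; fi
    if user_in_group "$1" "$2" "$3" "$4"; then
        echo "$1 is a member of $2"
    else
        echo "$1 is NOT a member of $2"
    fi
}

report mlb Staff "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
# Live use: report mlb Staff "$(getent group)" "$(getent passwd)"
```

More than one entry or more than one gid for the same name means the share's group restriction may be evaluated against a different group than the one mapped in "net groupmap list".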