[Samba] Having problems with Samba and openLDAP Groups

Liutauras Adomaitis liutauras.adomaitis at gmail.com
Wed Jun 3 18:47:40 GMT 2009


On Thu, May 28, 2009 at 11:59 PM, Matt Burkhardt <mlb at imparisystems.com> wrote:
> On Thu, 2009-05-28 at 23:29 +0300, Liutauras Adomaitis wrote:
>
> On Thu, May 28, 2009 at 3:53 PM, Matt Burkhardt <mlb at imparisystems.com>
> wrote:
>> Thanks for the help!  I appreciate you taking the time!
>>
>> On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote:
>>
>>> [2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616)
>>>  user 'mlb' (from session setup) not permitted to access this share
>>> (Staff)
>>> [2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106)
>>>  error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
>>> NT_STATUS_ACCESS_DENIED
>>
>> I guess your user mib is not in group @Staff. What do you get with
>> commands: smbldap-tools works only with ldap, it doesn't mean system
>> sees those users.
>> id mib
>> getent passwd | grep mib
>> getent group | grep -i staff
>>
>> id mlb
>> uid=1000(mlb) gid=1000(mlb)
>>
>> groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain
>> Users),1014(Staff)
>>
>> getent passwd | grep mlb
>> mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
>> mlb:x:1009:544:mlb:/home/mlb:/bin/bash
>> mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false
>>
>> getent group | grep -i Staff
>> staff:x:50:
>> Staff:x:1012:alex,mlb
>> Staff:*:1014:mlb,alex
>
> You have 3 groups Staff and 2 users mib. This confuses me a bit. It
> may be your problem. I think you should have only one user mib.
> You should also make sure you have 1 group Staff. Check your "net
> groupmap list" to see how the Staff group maps to the Windows group.
>
> Liutauras
>
> Those are deleted entries - they don't show up in either the webmin module
> or phpldapadmin.  Here's the results from the net groupmap list
>
> Domain Admins (S-1-5-21-3529111891-2609867799-3129462049-512) -> Domain
> Admins
> Domain Users (S-1-5-21-3529111891-2609867799-3129462049-513) -> Domain Users
> Domain Guests (S-1-5-21-3529111891-2609867799-3129462049-514) -> Domain
> Guests
> Domain Computers (S-1-5-21-3529111891-2609867799-3129462049-515) -> Domain
> Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> Staff (S-1-5-21-3529111891-2609867799-3129462049-3029) -> Staff
>

Hi,
have you solved your problem? I've been a bit busy.
Your groupmap list looks nice, but I still think there is something to
dig into around group membership.
Some more things to check, if you didn't do that already:
- smbldap-groupshow Staff - this should give an idea of the gidNumber and
SID of the Staff group in ldap
- do you run nscd? I had a lot of problems with it and ldap
authentication. Samba Docs even say that this is not supported, if I
remember correctly. nscd could be responsible for showing groups that
are already deleted.
- have you tried using another group, like "Domain Users"? If it works with
another group then it is a problem with your group Staff.


Liutauras

