[Samba] Having problems with Samba and openLDAP Groups

Liutauras Adomaitis liutauras.adomaitis at gmail.com
Thu Jun 4 09:42:08 GMT 2009


On Wed, Jun 3, 2009 at 9:47 PM, Liutauras Adomaitis
<liutauras.adomaitis at gmail.com> wrote:
> On Thu, May 28, 2009 at 11:59 PM, Matt Burkhardt <mlb at imparisystems.com> wrote:
>> On Thu, 2009-05-28 at 23:29 +0300, Liutauras Adomaitis wrote:
>>
>> On Thu, May 28, 2009 at 3:53 PM, Matt Burkhardt <mlb at imparisystems.com>
>> wrote:
>>> Thanks for the help!  I appreciate you taking the time!
>>>
>>> On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote:
>>>
>>>> [2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616)
>>>>  user 'mlb' (from session setup) not permitted to access this share
>>>> (Staff)
>>>> [2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106)
>>>>  error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
>>>> NT_STATUS_ACCESS_DENIED
>>>
>>> I guess your user mib is not in group @Staff. What do you get with
>>> commands: smbldap-tools works only with ldap, it doesn't mean system
>>> sees those users.
>>> id mib
>>> getent passwd | grep mib
>>> getent group | grep -i staff
>>>
>>> id mlb
>>> uid=1000(mlb) gid=1000(mlb)
>>>
>>> groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain
>>> Users),1014(Staff)
>>>
>>> getent passwd | grep mlb
>>> mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
>>> mlb:x:1009:544:mlb:/home/mlb:/bin/bash
>>> mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false
>>>
>>> getent group | grep -i Staff
>>> staff:x:50:
>>> Staff:x:1012:alex,mlb
>>> Staff:*:1014:mlb,alex
>>
>> You have 3 groups Staff and 2 users mib. This confuses me a bit. It
>> may be your problem. I think you should have only one user mib.
>> You should also make sure you have 1 group Staff. Check your "net
>> groupmap list" to see how the Staff group maps to the Windows group.
>>
>> Liutauras
>>
>> Those are deleted entries - they don't show up in either the webmin module
>> or phpldapadmin.  Here's the results from the net groupmap list
>>
>> Domain Admins (S-1-5-21-3529111891-2609867799-3129462049-512) -> Domain
>> Admins
>> Domain Users (S-1-5-21-3529111891-2609867799-3129462049-513) -> Domain Users
>> Domain Guests (S-1-5-21-3529111891-2609867799-3129462049-514) -> Domain
>> Guests
>> Domain Computers (S-1-5-21-3529111891-2609867799-3129462049-515) -> Domain
>> Computers
>> Administrators (S-1-5-32-544) -> Administrators
>> Account Operators (S-1-5-32-548) -> Account Operators
>> Print Operators (S-1-5-32-550) -> Print Operators
>> Backup Operators (S-1-5-32-551) -> Backup Operators
>> Replicators (S-1-5-32-552) -> Replicators
>> Staff (S-1-5-21-3529111891-2609867799-3129462049-3029) -> Staff
>>
>
> Hi,
> have you solved your problem? I've been a bit busy.
> Your groupmap list looks nice, but I still think there is something to
> dig into around group membership.
> Some more things to check, if you didn't do that already:
> - smbldap-groupshow Staff - this should give an idea of gidNumber and
> SID of Staff group in ldap
> - do you run nscd? I had a lot of problems with it and ldap
> authentication. Samba Docs even say that this is not supported, if I
> remember correctly. nscd could be responsible for showing groups that
> are already deleted.
> - have you tried using another group, like "Domain Users"? If it works with
> the other group, then it is a problem with your group Staff.
>
>
> Liutauras
>

PS
one more thing to do
nss_updatedb ldap group staff - this should refresh group memberships.
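
The duplicate-name check discussed in this thread, as an added example that is not part of the original messages: a shell function that reads `getent`-style lines and reports every name that resolves to more than one numeric ID. The function and sample-helper names are hypothetical, the sample input is the `getent` output quoted above, and folding names to lower case is a choice of this example.

```shell
#!/bin/sh
# Print every account or group name that resolves to more than one numeric ID.
# Input: passwd- or group-format lines (name:password:id:...) on stdin.
# Names are folded to lower case as a deliberate choice of this example, so
# that "staff" and "Staff" are reported together.
find_dup_names() {
    awk -F: '
        NF >= 3 {
            key = tolower($1)
            if (!((key, $3) in seen)) {      # count each name/ID pair once
                seen[key, $3] = 1
                if (key in ids) ids[key] = ids[key] "," $3
                else            ids[key] = $3
                count[key]++
            }
        }
        END {
            for (k in count)
                if (count[k] > 1) print k ": " ids[k]
        }
    ' | sort
}

# Sample input: the getent lines quoted in the thread.
sample_group() {
    cat <<'EOF'
staff:x:50:
Staff:x:1012:alex,mlb
Staff:*:1014:mlb,alex
EOF
}

sample_passwd() {
    cat <<'EOF'
mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
mlb:x:1009:544:mlb:/home/mlb:/bin/bash
mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false
EOF
}

echo "groups with more than one gid:"
sample_group | find_dup_names
echo "users with more than one uid:"
sample_passwd | find_dup_names
```

On a live server the same function can be fed from `getent group` and `getent passwd`. The result then reflects whatever the name service returns at that moment, including the cached entries the thread attributes to nscd.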

