[Samba] Something weird about pdbedit.
BOURIAUD
david.bouriaud at ac-rouen.fr
Thu Mar 12 10:15:25 GMT 2009
On Wednesday 11 March 2009 16:44:48 Harry Jede wrote:
> Am Mittwoch, 11. März 2009 15:38 schrieb BOURIAUD:
Hello again !
> You can only have ONE group with ONE gidNumber.
>
> BAD SETUP begin:
> dn: cn=cdti,ou=Group,BASEDN
> objectClass: posixGroup
> objectClass: top
> cn: cdti
> userPassword: {crypt}x
> gidNumber: 666
>
> Here is how the samba group is defined :
>
> dn: cn=CDTI,ou=Groups,BASEDN
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: CDTI
> description::
> Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm
> 1hdGlvbg==
> sambaGroupType: 2
> memberUid: david
> gidNumber: 666
> sambaSID: S-1-5-21-215069222-2822928016-2390355089-666
> BAD SETUP end:
>
> Combine these in a way, that you have only one group with the name cdti.
Thanks for your clear explanations. I see now where my mistake is and I'll try
to correct them.
There seems to be something somehow cloudy in my mind about all that. Since
I'm working on a server that serves all our users, I can't afford to put it
down or to break everything while people are working. So, I just make few
tries, and if it's wrong, I go back. Here is what I've tried :
I just changed CDTI gid from 666 to 10666. Since my account was linked to 666
group, I changed the value of my gidNumber to 10666. Everything went then find
according to pdbedit. No error occured when I did a pdbedit -v on my username.
But after that, I couldn't access files on the samba shares. I got a
NT_STATUS_PERMISSION_DENIED.
>
> for example:
> delete cn=cdti,ou=Group,BASEDN
> and it may be fine.
>
So, I then went back to the original settings, and as you suggested, deleted
the cdti entry.
With this setup, I have a group called CDTI, with gid 666 and sambaSID =
SSID-666.
My user has group gid set to 666. So this should be fine.
But, once again when I try a pdbedit -v user, I get, among other things the
following :
lookup_global_sam_rid: looking up RID 666.
smbldap_search_ext: base => [BASEDN], filter =>
[(&(sambaSID=S-1-5-21-215069222-2822928016-2390355089-666)
(objectclass=sambaSamAccount))], scope => [2]
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-215069222-2822928016-2390355089-666] count=0
smbldap_search_ext: base => [ou=Groups,BASEDN], filter =>
[(&(objectClass=sambaGroupMapping)
(sambaSID=S-1-5-21-215069222-2822928016-2390355089-666))], scope => [2]
init_group_from_ldap: Entry found for group: 666
lookup_rids: CDTI:2
Is the "Unable to locate SID" normal ?
And why the hell does pdbedit find two rids for CDTI since I deleted all that
refered to the group I deleted ?
There are so many things I don't understand about all this.
If one can explain to me, that would be great. Thanks in advance for any help
or any link to a comprehensive doc one would give me.
I've read many a doc, but all the one I've read take it plain that the reader
knows at least many things about how to setup a samba pdc controller with
ldap, which is not my case.
I really wish I hadn't any windows machine on my network, things would be
easier for me.
>
> You should not have different groups with the same name, even if one is
> in uppercase and the other in lowercase letters.
I really thought that a lowercase and an uppercase name was not the same,
thanks for this. And thanks again for your answer, I understand things more
clearly now, even if it's not perfect.
>
> Gruss
> Harry Jede
More information about the samba
mailing list