[Samba] Something weird about pdbedit.

BOURIAUD david.bouriaud at ac-rouen.fr
Thu Mar 12 10:15:25 GMT 2009


On Wednesday 11 March 2009 16:44:48 Harry Jede wrote:
> On Wednesday, 11 March 2009 15:38, BOURIAUD wrote:

Hello again !

> You can only have ONE group with ONE gidNumber.
>
> BAD SETUP begin:
> dn: cn=cdti,ou=Group,BASEDN
> objectClass: posixGroup
> objectClass: top
> cn: cdti
> userPassword: {crypt}x
> gidNumber: 666
>
> Here is how the samba group is defined :
>
> dn: cn=CDTI,ou=Groups,BASEDN
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: CDTI
> description::
> Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm
>  1hdGlvbg==
> sambaGroupType: 2
> memberUid: david
> gidNumber: 666
> sambaSID: S-1-5-21-215069222-2822928016-2390355089-666
> BAD SETUP end:
>
> Combine these in a way, that you have only one group with the name cdti.

Thanks for your clear explanations. I see now where my mistake is and I'll try 
to correct it.
There seems to be something somehow cloudy in my mind about all that. Since 
I'm working on a server that serves all our users, I can't afford to put it 
down or to break everything while people are working. So, I just make a few 
tries, and if it's wrong, I go back. Here is what I've tried:
I just changed CDTI gid from 666 to 10666. Since my account was linked to 666 
group, I changed the value of my gidNumber to 10666. Everything then went fine 
according to pdbedit. No error occurred when I did a pdbedit -v on my username.
But after that, I couldn't access files on the samba shares. I got an 
NT_STATUS_PERMISSION_DENIED.
>
> for example:
> delete cn=cdti,ou=Group,BASEDN
> and it may be fine.
>

So, I then went back to the original settings, and as you suggested, deleted 
the cdti entry.
With this setup, I have a group called CDTI, with gid 666 and sambaSID = 
SSID-666.
My user has group gid set to 666. So this should be fine.
But, once again when I try a pdbedit -v user, I get, among other things the 
following :

lookup_global_sam_rid: looking up RID 666.
smbldap_search_ext: base => [BASEDN], filter => [(&(sambaSID=S-1-5-21-215069222-2822928016-2390355089-666)(objectclass=sambaSamAccount))], scope => [2]
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-215069222-2822928016-2390355089-666] count=0
smbldap_search_ext: base => [ou=Groups,BASEDN], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-215069222-2822928016-2390355089-666))], scope => [2]
init_group_from_ldap: Entry found for group: 666
lookup_rids: CDTI:2

Is the "Unable to locate SID" normal ?

And why the hell does pdbedit find two rids for CDTI since I deleted all that 
referred to the group I deleted ?
There are so many things I don't understand about all this.
If one can explain to me, that would be great. Thanks in advance for any help 
or any link to a comprehensive doc one would give me.
I've read many a doc, but all the ones I've read take it for granted that the 
reader knows at least many things about how to setup a samba pdc controller 
with ldap, which is not my case.
I really wish I hadn't any Windows machine on my network, things would be 
easier for me.

>
> You should not have different groups with the same name, even if one is
> in uppercase and the other in lowercase letters.

I really thought that a lowercase and an uppercase name were not the same, 
thanks for this. And thanks again for your answer, I understand things more 
clearly now, even if it's not perfect.
>
> Regards
> 	Harry Jede
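
Added example (not part of the original thread or of Samba): a small Python check for the two conditions named in the quoted reply, namely more than one posixGroup entry sharing a gidNumber, or sharing a cn once case is ignored. The LDIF is a constructed sample modelled on the quoted entries; parse_ldif and group_conflicts are hypothetical helper names, and the parser handles only the LDIF features used here (line folding and base64 values).

```python
import base64
from collections import defaultdict

# Constructed sample, modelled on the two group entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=cdti,ou=Group,BASEDN
objectClass: posixGroup
cn: cdti
gidNumber: 666

dn: cn=CDTI,ou=Groups,BASEDN
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: CDTI
description:: Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm
 1hdGlvbg==
gidNumber: 666
sambaSID: S-1-5-21-215069222-2822928016-2390355089-666
"""

def parse_ldif(text):
    """Yield one {attr_lowercase: [values]} dict per LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[attr.lower()].append(value.strip())
        if "dn" in entry:
            yield dict(entry)

def group_conflicts(entries):
    """Return posixGroup DNs sharing a gidNumber or a case-insensitive cn."""
    by_gid, by_cn = defaultdict(list), defaultdict(list)
    for e in entries:
        if "posixgroup" not in (c.lower() for c in e.get("objectclass", [])):
            continue
        for gid in e.get("gidnumber", []):
            by_gid[gid].append(e["dn"][0])
        for cn in e.get("cn", []):
            by_cn[cn.lower()].append(e["dn"][0])
    return ({k: v for k, v in by_gid.items() if len(v) > 1},
            {k: v for k, v in by_cn.items() if len(v) > 1})

if __name__ == "__main__":
    print(group_conflicts(parse_ldif(SAMPLE_LDIF)))
```

Running the same check on an LDIF export of the group subtree before and after a change shows whether any duplicate gidNumber or case-variant cn remains.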


