[Samba] Something weird about pdbedit.

Harry Jede walk2sun at arcor.de
Thu Mar 12 11:36:07 GMT 2009


On Thursday, 12 March 2009 11:15, BOURIAUD wrote:
> On Wednesday 11 March 2009 16:44:48 Harry Jede wrote:
> > On Wednesday, 11 March 2009 15:38, BOURIAUD wrote:
>
> Hello again !
>
> > You can only have ONE group with ONE gidNumber.
> >
> > BAD SETUP begin:
> > dn: cn=cdti,ou=Group,BASEDN
> > objectClass: posixGroup
> > objectClass: top
> > cn: cdti
> > userPassword: {crypt}x
> > gidNumber: 666
> >
> > Here is how the samba group is defined :
> >
> > dn: cn=CDTI,ou=Groups,BASEDN
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > cn: CDTI
> > description::
> > Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm
> >  1hdGlvbg==
> > sambaGroupType: 2
> > memberUid: david
> > gidNumber: 666
> > sambaSID: S-1-5-21-215069222-2822928016-2390355089-666
> > BAD SETUP end:
> >
> > Combine these in a way, that you have only one group with the name
> > cdti.
>
> Thanks for your clear explanations. I see now where my mistake is and
> I'll try to correct them.
> There seems to be something somehow cloudy in my mind about all that.
> Since I'm working on a server that serves all our users, I can't
> afford to put it down or to break everything while people are
> working.
Hmmh...
That is not common practice. Almost all admins use test systems, maybe
some virtual systems.

> So, I just make few tries, and if it's wrong, I go back. 
> Here is what I've tried : I just changed CDTI gid from 666 to 10666.
> Since my account was linked to 666 group, I changed the value of my
> gidNumber to 10666. Everything then went fine according to pdbedit.
> No error occurred when I did a pdbedit -v on my username. But after
> that, I couldn't access files on the samba shares. I got a
> NT_STATUS_PERMISSION_DENIED.
Maybe you have a caching daemon like nscd on your system. If so, you
must invalidate the group cache.
 nscd -i group
will normally do this.

> > for example:
> > delete cn=cdti,ou=Group,BASEDN
> > and it may be fine.
>
> So, I then went back to the original settings, and as you suggested,
> deleted the cdti entry.
> With this setup, I have a group called CDTI, with gid 666 and
> sambaSID = SSID-666.
> My user has group gid set to 666. So this should be fine.
> But, once again when I try a pdbedit -v user, I get, among other
> things the following :
>
> lookup_global_sam_rid: looking up RID 666.
> smbldap_search_ext: base => [BASEDN], filter =>
> [(&(sambaSID=S-1-5-21-215069222-2822928016-2390355089-666)
> (objectclass=sambaSamAccount))], scope => [2]
> ldapsam_getsampwsid: Unable to locate SID
> [S-1-5-21-215069222-2822928016-2390355089-666] count=0
> smbldap_search_ext: base => [ou=Groups,BASEDN], filter =>
> [(&(objectClass=sambaGroupMapping)
> (sambaSID=S-1-5-21-215069222-2822928016-2390355089-666))], scope =>
> [2] init_group_from_ldap: Entry found for group: 666
> lookup_rids: CDTI:2
>
> Is the "Unable to locate SID" normal ?
Yes, it is. Samba is searching for a user (objectclass=sambaSamAccount)
with this RID.
So you see, you MUST also have unique RIDs. You cannot have a user and a
group with an identical SID/RID. This comes from the M$ world, I
believe :-( .

> And why the hell does pdbedit find two rids for CDTI since I deleted
> all that referred to the group I deleted ?
Has samba really found 2 groups with the same RID, or has samba found 2
groups with the "same" name, cdti and CDTI?

Try a ldapsearch:
ldapsearch -x -LLL -b BASEDN -s sub sambasid=*-666

ldapsearch -x -LLL -b BASEDN -s sub '(|(cn=cdti)(uid=cdti))' dn

By the way, LDAP is case-insensitive.

> There are so many things I don't understand about all this.
> If one can explain to me, that would be great. Thanks in advance for
> any help or any link to a comprehensive doc one would give me.
> I've read many a doc, but all the ones I've read take it for granted
> that the reader knows at least many things about how to set up a samba
> PDC controller with LDAP, which is not my case.
I prefer to read the original documentation first, even if it's more
work.

> I really wish I hadn't any windows machine on my network, things
> would be easier for me.
No way, our users like this kind of programs :-( .

> > You should not have different groups with the same name, even if
> > one is in uppercase and the other in lowercase letters.
>
> I really thought that a lowercase and an uppercase name was not the
> same, thanks for this.
In reality it is surely not the same. But do all programs, tools and
their developers know this?

> And thanks again for your answer, I understand 
> things more clearly now, even if it's not perfect.
>
> > Regards
> > 	Harry Jede

-- 

Regards
	Harry Jede
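The three checks Harry's reply boils down to (one gidNumber per group, unique sambaSIDs across users and groups, and group names that must not collide under LDAP's case-insensitive cn matching) as an added Python example; this is not code from the thread, and the LDIF below, with a dc=example,dc=org base in place of BASEDN, is constructed to mirror the quoted BAD SETUP.

```python
import base64
from collections import defaultdict

# Constructed LDIF mirroring the thread's "BAD SETUP" (sample data, not a real dump).
SAMPLE_LDIF = """\
dn: cn=cdti,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: cdti
gidNumber: 666

dn: cn=CDTI,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: CDTI
description:: Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm
 1hdGlvbg==
gidNumber: 666
sambaSID: S-1-5-21-215069222-2822928016-2390355089-666

dn: uid=david,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-215069222-2822928016-2390355089-3000
"""

def parse_ldif(text):
    """Parse LDIF into {attr: [values]} dicts; a leading space continues a line, '::' marks base64."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                     if rest.startswith(":") else rest.strip())
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    """Return sorted problem strings for shared gidNumber, shared sambaSID and case-folded cn clashes."""
    index = defaultdict(list)  # (attribute label, key) -> [dn, ...]
    for e in entries:
        dn = e["dn"][0]
        keys = [("sambaSID", s) for s in e.get("sambasid", [])]  # users and groups share one SID space
        if "posixgroup" in {c.lower() for c in e.get("objectclass", [])}:
            keys += [("gidNumber", g) for g in e.get("gidnumber", [])]
            keys += [("cn", n.lower()) for n in e.get("cn", [])]  # LDAP matches cn case-insensitively
        for k in keys:
            index[k].append(dn)
    return sorted(f"duplicate {label} {key}: {', '.join(sorted(dns))}"
                  for (label, key), dns in index.items() if len(dns) > 1)
```

Running `audit(parse_ldif(SAMPLE_LDIF))` flags the shared gidNumber 666 and the cdti/CDTI name clash but not the SIDs, which differ; feed it the output of `ldapsearch -x -LLL -b BASEDN -s sub` to check a live directory.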

