[Samba] samba 3.4.3 DC breaks Windows groups
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Nov 23 14:40:30 MST 2009
I have the following setup:
PDC: Samba 3.0.37 on Solaris 10
BDC1: Samba 3.0.37 on Solaris 10
BDC2: Samba 3.4.3 on Solaris 10
Samba 3.0.37 is the bundled version of Samba.
Samba 3.4.3 is compiled from source.
BDC2 is a recent addition to the network.
All machines use LDAP as the backend for everything. They use winbind to
handle a domain trust with another domain, but otherwise it isn't needed.
On BDC2, users do not appear to be in any groups beyond Domain Users.
Group mapping seems OK on each DC.
BDC2# net groupmap list
Domain Admins (S-1-5-21-xxxxx-xxxxx-512) -> smb_domadmins
Domain Users (S-1-5-21-xxxxx-xxxxx-513) -> smb_domusers
Domain Guests (S-1-5-21-xxxxx-xxxxx9-514) -> smb_domguests
Domain Computers (S-1-5-21-xxxxx-xxxxx-515) -> smb_machines
Domain Controllers (S-1-5-21-xxxxx-xxxxx-516) -> smb_dc
Domain Certificate Admins (S-1-5-21-xxxxx-xxxxx-517) -> smb_domcertadmins
Builtin Admins (S-1-5-21-xxxxx-xxxxx-544) -> smb_admins
Builtin users (S-1-5-21-xxxxx-xxxxx-545) -> smb_users
Builtin Guests (S-1-5-21-xxxxx-xxxxx-546) -> smb_guests
Administrators (S-xxxx-544) -> xxxx
Users (S-xxxx-545) -> xxxx
BDC2#
The last two in the listing above were automatically created by
winbind/idmap for a trusted domain.
Unix level group memberships are OK
BDC2# groups Administrator
smb_domadmins smb_domusers
BDC2#
Windows/Samba level group memberships are not
BDC2# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
BDC2#
BDC2# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
BDC2#
Same deal with regular users.
Note: not all unix groups are mapped to Windows groups. However, I
believe all required "well known" Windows groups are.
LDAP structure includes
ou=people
ou=group
ou=smb_groups (where samba stores group mappings, ldap
objectClass=sambaGroupMapping)
You can verify which machine, PDC or BDC, is being used by a Windows client
with the "echo %LOGONSERVER%" command.
If I log on as Domain Administrator to an XP or Win 2003 machine that is
using BDC2, I will not have any Administrator privileges.
smb.conf includes
ldap group suffix = ou=smb_groups
(When I converted from the tdb to the ldap backend, I already had unix groups
in ldap and wasn't sure how stuff would import. I don't think
existing groups or group mappings imported, so I had to manually retype
the "net groupmap" commands.)
The "Domain Admins" sambaGroupMapping does include Administrator as a
member.
BDC2# net rpc group members "Domain Admins" -U Administrator -S PDC
MYDOMAIN\Administrator
MYDOMAIN\jsmith
BDC2# net rpc group members "Domain Admins" -U Administrator -S BDC2
Enter Administrator's password:
MYDOMAIN\Administrator
MYDOMAIN\jsmith
Thanks
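As an added example (not from the post above or from the Samba project), a small Python check that parses the `net groupmap list` and `net rpc user info` output quoted in the post, reports well-known RIDs that no mapping line covers, and lists the groups on which the PDC and BDC2 disagree for a user. The sample output embedded below is constructed to mirror the post, with placeholder SIDs; the set of required RIDs is an assumption based on the groups the post calls "well known".

```python
import re

# Assumed set of well-known RIDs every DC should map: domain 512-517, BUILTIN 544-546.
REQUIRED_RIDS = {512, 513, 514, 515, 516, 517, 544, 545, 546}

# Matches one line of `net groupmap list`, e.g.
#   Domain Admins (S-1-5-21-xxxxx-xxxxx-512) -> smb_domadmins
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[0-9A-Za-z-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return [(windows_name, sid, rid, unix_group), ...] from `net groupmap list` output."""
    rows = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            rid = int(m.group("sid").rsplit("-", 1)[1])  # RID is the last SID component
            rows.append((m.group("name"), m.group("sid"), rid, m.group("unix")))
    return rows


def missing_wellknown(rows):
    """RIDs from REQUIRED_RIDS that no mapping line carries."""
    return sorted(REQUIRED_RIDS - {rid for _, _, rid, _ in rows})


def parse_user_info(text):
    """`net rpc user info` prints one group name per line after the password prompt."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lower().startswith("enter ")}


def group_divergence(pdc_text, bdc_text):
    """(groups only the PDC reports, groups only the BDC reports) for one user."""
    pdc, bdc = parse_user_info(pdc_text), parse_user_info(bdc_text)
    return sorted(pdc - bdc), sorted(bdc - pdc)


# Constructed sample output mirroring the post (placeholder SIDs, not real data);
# 517 and 546 are deliberately left out so the check has something to report.
GROUPMAP_SAMPLE = """\
Domain Admins (S-1-5-21-xxxxx-xxxxx-512) -> smb_domadmins
Domain Users (S-1-5-21-xxxxx-xxxxx-513) -> smb_domusers
Domain Guests (S-1-5-21-xxxxx-xxxxx-514) -> smb_domguests
Domain Computers (S-1-5-21-xxxxx-xxxxx-515) -> smb_machines
Domain Controllers (S-1-5-21-xxxxx-xxxxx-516) -> smb_dc
Builtin Admins (S-1-5-21-xxxxx-xxxxx-544) -> smb_admins
Builtin users (S-1-5-21-xxxxx-xxxxx-545) -> smb_users
"""
PDC_USERINFO = "Enter Administrator's password:\nDomain Admins\nDomain Users\n"
BDC_USERINFO = "Enter Administrator's password:\nDomain Users\n"

if __name__ == "__main__":
    print("unmapped well-known RIDs:", missing_wellknown(parse_groupmap(GROUPMAP_SAMPLE)))  # [517, 546]
    print("PDC-only / BDC-only groups:", group_divergence(PDC_USERINFO, BDC_USERINFO))
```

To run it against a live domain, feed the captured stdout of the two `net` commands into `parse_groupmap` and `group_divergence` instead of the sample strings.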