[Samba] samba 3.4.3 DC breaks Windows groups

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Nov 23 20:06:34 MST 2009


On the assumption that Unix systems (Solaris and Linux) will not like spaces
in names, I never created Unix groups called "Domain Admins" and "Domain
Users" etc.  Instead I created "smb_domadmins" and "smb_domusers" etc.

I don't know if Windows systems actually pay attention to the name of the
group (e.g. "Domain Admins") or just the SID (e.g. S-1-5-21-****-512.)
We would have a similar issue with a group like "Human Resources" but not
with "Marketing."


On Samba 3.0.x, the "ldap group suffix" parameter is honored.  On Samba
3.4.x it seems to be ignored; instead Samba seems to read the entire LDAP
tree (or at least from the "ldap suffix" parameter down).  "pdbedit -Lv
Administrator" on Samba 3.4 will then complain about duplicate entries:

BDC2# pdbedit -Lv Administrator
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: Administrator
ldapsam_getgroup: Duplicate entries for filter
(&(objectClass=sambaGroupMapping)
(gidNumber=512)): count=2



Since in this case I have both of the following objects in LDAP:

dn: cn=Domain Admins,ou=smb_groups,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: top
cn: Domain Admins
description: Domain Admins
displayName: Domain Admins
gidNumber: 512
sambaGroupType: 2
sambaSID: S-1-5-21-******-512

AND

dn: cn=smb_domadmins,ou=group,o=mydomain.com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: groupOfUniqueNames
cn: domadmins
description: domadmins
displayName: domadmins
gidNumber: 512
memberUid: Administrator
.
sambaGroupType: 2
sambaSID:
...


I also noticed the following

Output from pdbedit on samba 3.4.x  includes

    ldapsam_getgroup

Output from pdbedit on samba 3.0.x includes

   init_group_from_ldap



I am not sure if that is somehow related.  

Thanks







-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com] 
Sent: Monday, November 23, 2009 4:41 PM
To: samba at lists.samba.org
Subject: samba 3.4.3 DC breaks Windows groups

I have the following setup:

     PDC:  Samba 3.0.37 on Solaris 10
     BDC1: Samba 3.0.37 on Solaris 10
     BDC2: Samba 3.4.3 on Solaris 10


Samba 3.0.37 is the bundled version of Samba.
Samba 3.4.3 is compiled from source.

BDC2 is a recent addition to the network.
All machines use LDAP as the backend for everything.  They use winbind to
handle a domain trust with another domain, but otherwise it isn't needed.

On BDC2,  users do not appear to be in any groups  beyond Domain Users.


Group mapping seems OK on each DC.

BDC2# net groupmap list
Domain Admins (S-1-5-21-xxxxx-xxxxx-512) -> smb_domadmins
Domain Users (S-1-5-21-xxxxx-xxxxx-513) -> smb_domusers
Domain Guests (S-1-5-21-xxxxx-xxxxx9-514) -> smb_domguests
Domain Computers (S-1-5-21-xxxxx-xxxxx-515) -> smb_machines
Domain Controllers (S-1-5-21-xxxxx-xxxxx-516) -> smb_dc
Domain Certificate Admins (S-1-5-21-xxxxx-xxxxx-517) -> smb_domcertadmins
Builtin Admins (S-1-5-21-xxxxx-xxxxx-544) -> smb_admins
Builtin users (S-1-5-21-xxxxx-xxxxx-545) -> smb_users
Builtin Guests (S-1-5-21-xxxxx-xxxxx-546) -> smb_guests
Administrators (S-xxxx-544) -> xxxx
Users (S-xxxx-545) -> xxxx
BDC2#

The last two in the listing above were automatically created by 
winbind/idmap for a trusted domain.



Unix level group memberships are OK

BDC2# groups Administrator
smb_domadmins smb_domusers
BDC2#

Windows/Samba level group memberships are not

BDC2# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
BDC2#


BDC2# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
BDC2#


Same deal with regular users.



Note: Not all Unix groups are mapped to Windows groups.  However, I
believe all required "well known" Windows groups are.

LDAP structure includes
     ou=people
     ou=group
     ou=smb_groups (where Samba stores group mappings, LDAP objectClass=sambaGroupMapping)





You can verify which machine (PDC or BDC) is being used by a Windows client
with the "echo %LOGONSERVER%" command.


If I log on as Domain Administrator to an XP or Win 2003 machine that is
using BDC2, I will not have any Administrator privileges.


smb.conf includes
     ldap group suffix = ou=smb_groups


(When I converted from the tdb to the LDAP backend, I already had Unix groups
in LDAP and wasn't sure how stuff would import.  I don't think
existing groups or group mappings imported, so I had to manually retype
the "net groupmap" commands.)

The "Domain Admins" sambaGroupMapping does include Administrator as a 
member.



BDC2# net rpc group members "Domain Admins" -U Administrator -S PDC
MYDOMAIN\Administrator
MYDOMAIN\jsmith


BDC2# net rpc group members "Domain Admins" -U Administrator -S BDC2
Enter Administrator's password:
MYDOMAIN\Administrator
MYDOMAIN\jsmith





Thanks
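As an added check (example code, not from the post or from Samba itself): a small Python script that reads an LDIF export, built here from constructed entries mirroring the two "gidNumber: 512" objects above with made-up SIDs, and reports every gidNumber that is mapped by more than one sambaGroupMapping entry, which is exactly the filter ldapsam_getgroup complains about with "count=2". It also lists mapping entries that live outside the configured "ldap group suffix" (assumed here to be ou=smb_groups,o=mydomain.com), since the post reports that Samba 3.4 searches from the "ldap suffix" instead and so still matches them.

```python
# Added example: scan an LDIF export for the duplicate sambaGroupMapping
# condition that makes ldapsam_getgroup fail (one gidNumber matched twice).
from collections import defaultdict

# Constructed LDIF mirroring the two objects described in the post (SIDs made up).
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=smb_groups,o=mydomain.com
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-111-222-333-512

dn: cn=smb_domadmins,ou=group,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
memberUid: Administrator
sambaSID: S-1-5-21-111-222-333-512

dn: cn=smb_domusers,ou=smb_groups,o=mydomain.com
objectClass: sambaGroupMapping
gidNumber: 513
sambaSID: S-1-5-21-111-222-333-513
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, multi-valued attrs."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.strip():
            attr, _, val = line.partition(":")
            cur[attr.strip()].append(val.strip())
        elif cur:
            entries.append(dict(cur))
            cur = defaultdict(list)
    return entries

def check_group_mappings(entries, group_suffix="ou=smb_groups,o=mydomain.com"):
    """Return (duplicates, outside): gids mapped by more than one
    sambaGroupMapping entry, and mapping DNs not under group_suffix (assumed)."""
    by_gid, outside = defaultdict(list), []
    for e in entries:
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue
        dn = e["dn"][0]
        for gid in e.get("gidNumber", []):
            by_gid[gid].append(dn)           # Samba's lookup key for the group
        if not dn.lower().endswith("," + group_suffix.lower()):
            outside.append(dn)
    duplicates = {g: dns for g, dns in by_gid.items() if len(dns) > 1}
    return duplicates, outside
```

Run against a real export (`ldapsearch -x -LLL -b o=mydomain.com objectClass=sambaGroupMapping`) and resolve each reported gid so that only one object carries the sambaGroupMapping class.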