[Samba] Samba LDAP ignores group information

alexander at nautae.eti.br alexander at nautae.eti.br
Tue Jul 27 12:05:30 MDT 2010


Hi.

Excuse my English.

I've installed Samba+OpenLDAP as a PDC.

Everything works fine but Samba ignores completely group information.

Linux is ok.

Any clue? I'm going crazy here!

Here's the situation:

user: fish1
home dir: /home/realm/swim/fish1
primary group: swimmers
other groups: smokers

Directory of the smokers group: /home/realm/smokers

Here's an 'ls -l' on the smokers directory's parent dir:

drwxrws--- 19 cigarr smokers    2208 Jul 27  2010 smokers


Here's the share:

[smokers]
        comment = Smoking
        path = /home/realm/smokers
        valid users = @smokers @swimmers @support
        public = no
        writable = yes
        browseable = yes
        create mask = 0777
        force create mode = 0777
        force directory mode = 0777
        directory mode = 0777

Here's 'id' information:

# id fish1
uid=1193(fish1) gid=1012(swimmers) groups=1013(smokers)


So, when user fish1 tries to enter the 'smokers' share: permission denied.

If I give all permissions to 'others', fish1 can use the share normally.

This only happens when I try to access it using Windows. Linux is ok.

Any idea?

Seems to be an error between Samba and OpenLDAP...

Here's smbldap-usershow:

#smbldap-usershow fish1

dn: uid=fish1,ou=swimmers,ou=people,dc=example,dc=com
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: fish1
sn: fish1
givenName: fish1
uid: fish1
uidNumber: 1193
gidNumber: 1012
homeDirectory: /home/realm/swim/fish1
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: angela
sambaSID: S-1-5-21-158730468-2379596502-3695168017-0001
sambaPrimaryGroupSID: S-1-5-21-158730468-2379596502-3695168017-0002
sambaLogonScript: swimmers.bat
sambaProfilePath: \\REALMSERV\profiles\fish1
sambaHomePath: \\REALMSERV\fish1
sambaHomeDrive: U:
sambaLMPassword: C665AEE66EF2A261AAD3B435B5143E3E
sambaAcctFlags: [U]
sambaNTPassword: 84AC02807D3D1C7000A79BD0E97BAEFEF
sambaPwdLastSet: 1280219188
sambaPwdMustChange: 2144132788
userPassword: {CRYPT}c28JIqzpe43e
shadowLastChange: 14817
shadowMax: 9999

Here's /etc/ldap.conf

base dc=example,dc=com
uri ldapi:///127.0.0.1
uri ldap://127.0.0.1
ldap_version 3
binddn cn=admin,dc=example,dc=com
bindpw mysecret
rootbinddn cn=admin,dc=example,dc=com
scope sub
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr yes
pam_member_attribute memberUid
pam_password md5
nss_base_passwd ou=people,dc=example,dc=com?sub
nss_base_passwd ou=computers,dc=example,dc=com?sub
nss_base_group  ou=groups,dc=example,dc=com?sub

And the smbldap.conf:

SID="S-1-5-21-158730468-2379596502-3695168017"
sambaDomain="REALM"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile=""
clientcert=""
clientkey=""
suffix="dc=example,dc=com"
usersdn="ou=people,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="CRYPT"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="543"
defaultComputerGid="543"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="9999"
userSmbHome="\\REALMSERV\%U"
userProfile="\\REALMSERV\profiles\%U"
userHomeDirectoryMode="700"
userHomeDrive="U:"
userScript="%g.bat"
mailDomain="example.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

And finally, smb.conf:

   workgroup = REALM
   netbios name = REALMSERV
   server string = My Realm %v
   security = user
   encrypt passwords = yes
   load printers = yes
   log file = /var/log/samba/log.%m
   max log size = 50
   os level = 33
   local master = yes
   domain master = yes
   preferred master = yes
   domain logons = yes
   #admin users = god
   logon script = %g.bat
   logon path = \\%L\profiles\%U
   #logon path = \\%N\profiles\%U
   wins support = no
   dns proxy = no
   ldap passwd sync = yes
   ldap delete dn = yes
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap group suffix = ou=groups
   ldap user suffix = ou=people
   ldap machine suffix = ou=computers
   create mask = 600
   directory mask = 0700
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I'm lost...

[]s
Alexander
Brazil
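Before digging into the LDAP side it helps to separate the two checks that stand between a Windows session and the share path: the share-level `valid users` list (where `@smokers` is resolved to a Unix group through NSS, i.e. the /etc/ldap.conf shown above) and the plain Unix mode on the directory (`drwxrws--- cigarr smokers`). Both are evaluated against whatever group list smbd ends up holding for the session. The Python below is an added example written for this thread, not code from the post or from Samba; it models those two checks on constructed values copied from the post and assumes the classic owner/group/other rule, so you can see which layer answers "permission denied" when the supplementary group is absent from the session's group list, and why opening the directory to 'others' makes the symptom go away.

```python
import re

# Constructed sample values modelled on the post; not captured from a real system.
ID_FULL = "uid=1193(fish1) gid=1012(swimmers) groups=1013(smokers)"
ID_NO_SUPPLEMENTARY = "uid=1193(fish1) gid=1012(swimmers)"   # hypothetical: group list lost
VALID_USERS = "@smokers @swimmers @support"                    # from the [smokers] share
SHARE_MODE = 0o2770                                            # drwxrws--- from the ls -l
SHARE_OWNER, SHARE_GROUP = "cigarr", "smokers"

_NAME_RE = re.compile(r"\d+\(([^)]+)\)")   # pulls the name out of 1013(smokers)


def parse_id(line):
    """Turn id(1) output into (user, primary_group, set of all group names)."""
    fields = dict(part.split("=", 1) for part in line.split())
    user = _NAME_RE.search(fields["uid"]).group(1)
    primary = _NAME_RE.search(fields["gid"]).group(1)
    groups = {primary} | set(_NAME_RE.findall(fields.get("groups", "")))
    return user, primary, groups


def valid_users_allows(valid_users, user, groups):
    """Evaluate a 'valid users' list as smb.conf(5) documents it: a plain
    token names a user, '@name' or '+name' names a Unix group that smbd
    resolves through NSS.  Netgroup tokens ('&name') are not modelled here."""
    for token in valid_users.split():
        if token[0] in "@+":
            if token[1:] in groups:
                return True
        elif token[0] != "&" and token == user:
            return True
    return False


def posix_dir_allows(mode, owner, group, user, groups, need="rx"):
    """Classic Unix rule: the first matching class (owner, then group, then
    other) decides; entering a directory needs r and x in that class."""
    bits = {"r": 4, "w": 2, "x": 1}
    if user == owner:
        shift = 6
    elif group in groups:
        shift = 3
    else:
        shift = 0
    perm = (mode >> shift) & 0o7          # the setgid bit (0o2000) is ignored here
    return all(perm & bits[b] for b in need)


def diagnose(id_line, valid_users, mode, owner, group):
    """Report which layer refuses the user: the share's 'valid users' list,
    the filesystem mode on the share path, or neither."""
    user, _primary, groups = parse_id(id_line)
    share_ok = valid_users_allows(valid_users, user, groups)
    fs_ok = posix_dir_allows(mode, owner, group, user, groups)
    if not share_ok:
        denied_by = "valid users"
    elif not fs_ok:
        denied_by = "filesystem"
    else:
        denied_by = None
    return {"user": user, "groups": sorted(groups),
            "valid_users": share_ok, "filesystem": fs_ok, "denied_by": denied_by}


if __name__ == "__main__":
    cases = (("group list complete", ID_FULL),
             ("supplementary group missing", ID_NO_SUPPLEMENTARY))
    for label, line in cases:
        print(label, diagnose(line, VALID_USERS, SHARE_MODE, SHARE_OWNER, SHARE_GROUP))
    # Same missing group list, but the directory opened to 'others' (mode 2777):
    print("others granted", diagnose(ID_NO_SUPPLEMENTARY, VALID_USERS, 0o2777,
                                     SHARE_OWNER, SHARE_GROUP))
```

The point of the model: with the `id` output exactly as the post shows it, both checks pass. If the session's group list is reduced to the primary group only, `valid users` still passes (through `@swimmers`) and the denial comes from the directory mode, which is exactly the layer that a world-rwx chmod silences. On the real server the inputs come from `getent group smokers` and `id fish1` run on the Samba host itself (so they go through the same NSS configuration smbd uses) and from `testparm -s` for the effective share definition; comparing the group list NSS reports with what the share needs is the first thing to check before suspecting the directory itself.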

