[Samba] Samba LDAP ignores group information

Ssureshot ssureshot at gmail.com
Tue Jul 27 12:14:18 MDT 2010


alexander at nautae.eti.br wrote:
> Hi.
>
> Excuse my English.
>
> I've installed Samba+OpenLDAP as a PDC.
>
> Everything works fine but Samba ignores completely group information.
>
> Linux is ok.
>
> Any clue? I'm going crazy here!
>
> Here's the situation:
>
> user: fish1
> home dir: /home/reaml/swim/fish1
> primary group: swimmers
> other groups: smokers
>
> Directory of smoker's group: /home/realm/smokers
>
> Here's an 'ls -l' on smoker's parent dir:
>
> drwxrws--- 19 cigarr smokers    2208 Jul 27  2010 smokers
>
>
> Here's the share:
>
> [smokers]
>         comment = Smoking
>         path = /home/realm/smokers
>         valid users = @smokers @swimmers @support
>         public = no
>         writable = yes
>         browseable = yes
>         create mask = 0777
>         force create mode = 0777
>         force directory mode = 0777
>         directory mode = 0777
>
> Here's 'id' information:
>
> # id fish1
> uid=1193(fish1) gid=1012(swimmers) groups=1013(smokers)
>
>
> So, when user fish1 tries to enter the 'smokers' share: permission denied.
>
> If I give all permissions to 'others', fish1 can use the share normally.
>
> This only happens when I try to access using Windows. Linux is ok.
>
> Any idea?
>
> Seems to be an error between Samba and OpenLDAP...
>
> Here's smbldap-usershow:
>
> #smbldap-usershow fish1
>
> dn: uid=fish1,ou=swimmers,ou=people,dc=example,dc=com
> objectClass:
> top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
> cn: fish1
> sn: fish1
> givenName: fish1
> uid: fish1
> uidNumber: 1193
> gidNumber: 1012
> homeDirectory: /home/realm/swim/fish1
> loginShell: /bin/bash
> gecos: System User
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: angela
> sambaSID: S-1-5-21-158730468-2379596502-3695168017-0001
> sambaPrimaryGroupSID: S-1-5-21-158730468-2379596502-3695168017-0002
> sambaLogonScript: swimmers.bat
> sambaProfilePath: \\REALMSERV\profiles\fish1
> sambaHomePath: \\REALMSERV\fish1
> sambaHomeDrive: U:
> sambaLMPassword: C665AEE66EF2A261AAD3B435B5143E3E
> sambaAcctFlags: [U]
> sambaNTPassword: 84AC02807D3D1C7000A79BD0E97BAEFEF
> sambaPwdLastSet: 1280219188
> sambaPwdMustChange: 2144132788
> userPassword: {CRYPT}c28JIqzpe43e
> shadowLastChange: 14817
> shadowMax: 9999
>
> Here's /etc/ldap.conf
>
> base dc=example,dc=com
> uri ldapi:///127.0.0.1
> uri ldap://127.0.0.1
> ldap_version 3
> binddn cn=admin,dc=example,dc=com
> bindpw mysecret
> rootbinddn cn=admin,dc=example,dc=com
> scope sub
> bind_policy soft
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_check_host_attr yes
> pam_member_attribute memberUid
> pam_password md5
> nss_base_passwd ou=people,dc=example,dc=com?sub
> nss_base_passwd ou=computers,dc=example,dc=com?sub
> nss_base_group  ou=groups,dc=example,dc=com?sub
>
> And the smbldap.conf:
>
> SID="S-1-5-21-158730468-2379596502-3695168017"
> sambaDomain="REALM"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> verify="require"
> cafile=""
> clientcert=""
> clientkey=""
> suffix="dc=example,dc=com"
> usersdn="ou=people,${suffix}"
> computersdn="ou=computers,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
> scope="sub"
> hash_encrypt="CRYPT"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userGecos="System User"
> defaultUserGid="543"
> defaultComputerGid="543"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="9999"
> userSmbHome="\\REALMSERV\%U"
> userProfile="\\REALMSERV\profiles\%U"
> userHomeDirectoryMode="700"
> userHomeDrive="U:"
> userScript="%g.bat"
> mailDomain="example.com"
> with_smbpasswd="0"
> smbpasswd="/usr/bin/smbpasswd"
> with_slappasswd="0"
> slappasswd="/usr/sbin/slappasswd"
>
> And finally, smb.conf:
>
>    workgroup = REALM
>    netbios name = REALMSERV
>    server string = My Realm %v
>    security = user
>    encrypt passwords = yes
>    load printers = yes
>    log file = /var/log/samba/log.%m
>    max log size = 50
>    os level = 33
>    local master = yes
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    #admin users = god
>    logon script = %g.bat
>    logon path = \\%L\profiles\%U
>    #logon path = \\%N\profiles\%U
>    wins support = no
>    dns proxy = no
>    ldap passwd sync = yes
>    ldap delete dn = yes
>    passdb backend = ldapsam:ldap://127.0.0.1
>    ldap admin dn = cn=admin,dc=example,dc=com
>    ldap suffix = dc=example,dc=com
>    ldap group suffix = ou=groups
>    ldap user suffix = ou=people
>    ldap machine suffix = ou=computers
>    create mask = 600
>    directory mask = 0700
>    passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> I'm lost...
>
> []s
> Alexander
> Brazil
>   
It sounds as though the groups aren't mapped for Windows within Samba.

Try
# net groupmap list

Does this give you any groups? Are the groups you're working with included?

How did you create the groups? smbldap-groupadd, I hope?
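As an added example (not part of this thread), a small POSIX shell check that parses `net groupmap list` output and reports which groups named in a share's `valid users` line have no Windows group mapping. The group map output below is constructed for the example, and the mapping of the domain SID's RID 0002 to "swimmers" is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread: find groups in a share's
# "valid users" line that have no entry in "net groupmap list".
# On a real server, feed it:  unmapped_groups "$(net groupmap list)" "@smokers @swimmers"

# Constructed sample of "net groupmap list" output (format: NTname (SID) -> unixgroup).
# The RID 0002 -> swimmers mapping is an assumption for the example.
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-158730468-2379596502-3695168017-512) -> root
Domain Users (S-1-5-21-158730468-2379596502-3695168017-513) -> users
swimmers (S-1-5-21-158730468-2379596502-3695168017-0002) -> swimmers'

# $1: "net groupmap list" output, $2: the share's "valid users" value.
# Prints, one per line, each @group or +group from $2 that is not mapped in $1.
unmapped_groups() {
    groupmap="$1"
    valid_users="$2"
    for entry in $valid_users; do
        case "$entry" in
            @*|+*) grp="${entry#[@+]}" ;;   # group entries in valid users syntax
            *)     continue ;;              # plain user names need no group mapping
        esac
        # A mapped group appears at the end of a line as "-> <unixgroup>".
        if ! printf '%s\n' "$groupmap" | grep -q -- "-> ${grp}\$"; then
            printf '%s\n' "$grp"
        fi
    done
}

# Stand-alone run against the constructed sample and the share from the post.
echo "Groups from 'valid users' with no Windows mapping:"
unmapped_groups "$GROUPMAP_SAMPLE" "@smokers @swimmers @support"
```

Any group printed here will be rejected by Samba when a Windows client connects, even though the UNIX permissions and `id` output look correct.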

