[Samba] Samba LDAP ignores group information

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Jul 27 14:07:56 MDT 2010




On 07/27/2010 03:38 PM, Daniel Deptuła wrote:
> On 2010-07-27 20:05, alexander at nautae.eti.br wrote:
>> Hi.
>>
>> Excuse my English.
>>
>> I've installed Samba+OpenLDAP as a PDC.
>>
>> Everything works fine but Samba ignores completely group information.
>>
>> Linux is ok.
>>
>> Any clue? I'm going crazy here!
>>
>> Here's the situation:
>>
>> user: fish1
>> home dir: /home/reaml/swim/fish1
>> primary group: swimmers
>> other groups: smokers
>>
>> Directory of smoker's group: /home/realm/smokers
>>
>> Here's an 'ls -l' on smoker's parent dir:
>>
>> drwxrws--- 19 cigarr smokers 2208 Jul 27 2010 smokers
>>
>>
>> Here's the share:
>>
>> [smokers]
>> comment = Smoking
>> path = /home/realm/smokers
>> valid users = @smokers @swimmers @support
>> public = no
>> writable = yes
>> browseable = yes
>> create mask = 0777
>> force create mode = 0777
>> force directory mode = 0777
>> directory mode = 0777
>>
>> Here's 'id' information:
>>
>> # id fish1
>> uid=1193(fish1) gid=1012(swimmers) groups=1013(smokers)
>>
>>
>> So, when user fish1 tries to enter the 'smokers' share: permission denied.
>>
>> If I give all permissions to 'others', fish1 can use the share 
>> normally.
>>
>> This only happens when I try to access using Windows. Linux is ok.
>>
>> Any idea?
>>
>> Seems to be an error between Samba and OpenLDAP...
>>
>> Here's smbldap-usershow:
>>
>> #smbldap-usershow fish1
>>
>> dn: uid=fish1,ou=swimmers,ou=people,dc=example,dc=com
>> objectClass:
>> top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount 
>>
>> cn: fish1
>> sn: fish1
>> givenName: fish1
>> uid: fish1
>> uidNumber: 1193
>> gidNumber: 1012
>> homeDirectory: /home/realm/swim/fish1
>> loginShell: /bin/bash
>> gecos: System User
>> sambaLogonTime: 0
>> sambaLogoffTime: 2147483647
>> sambaKickoffTime: 2147483647
>> sambaPwdCanChange: 0
>> displayName: angela
>> sambaSID: S-1-5-21-158730468-2379596502-3695168017-0001
>> sambaPrimaryGroupSID: S-1-5-21-158730468-2379596502-3695168017-0002
>> sambaLogonScript: swimmers.bat
>> sambaProfilePath: \\REALMSERV\profiles\fish1
>> sambaHomePath: \\REALMSERV\fish1
>> sambaHomeDrive: U:
>> sambaLMPassword: C665AEE66EF2A261AAD3B435B5143E3E
>> sambaAcctFlags: [U]
>> sambaNTPassword: 84AC02807D3D1C7000A79BD0E97BAEFEF
>> sambaPwdLastSet: 1280219188
>> sambaPwdMustChange: 2144132788
>> userPassword: {CRYPT}c28JIqzpe43e
>> shadowLastChange: 14817
>> shadowMax: 9999
>>
>> Here's /etc/ldap.conf
>>
>> base dc=example,dc=com
>> uri ldapi:///127.0.0.1
>> uri ldap://127.0.0.1
>> ldap_version 3
>> binddn cn=admin,dc=example,dc=com
>> bindpw mysecret
>> rootbinddn cn=admin,dc=example,dc=com
>> scope sub
>> bind_policy soft
>> pam_filter objectclass=posixAccount
>> pam_login_attribute uid
>> pam_check_host_attr yes
>> pam_member_attribute memberUid
>> pam_password md5
>> nss_base_passwd ou=people,dc=example,dc=com?sub
>> nss_base_passwd ou=computers,dc=example,dc=com?sub
>> nss_base_group ou=groups,dc=example,dc=com?sub
>>
>> And the smbldap.conf:
>>
>> SID="S-1-5-21-158730468-2379596502-3695168017"
>> sambaDomain="REALM"
>> slaveLDAP="127.0.0.1"
>> slavePort="389"
>> masterLDAP="127.0.0.1"
>> masterPort="389"
>> ldapTLS="0"
>> verify="require"
>> cafile=""
>> clientcert=""
>> clientkey=""
>> suffix="dc=example,dc=com"
>> usersdn="ou=people,${suffix}"
>> computersdn="ou=computers,${suffix}"
>> groupsdn="ou=groups,${suffix}"
>> sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
>> scope="sub"
>> hash_encrypt="CRYPT"
>> userLoginShell="/bin/bash"
>> userHome="/home/%U"
>> userGecos="System User"
>> defaultUserGid="543"
>> defaultComputerGid="543"
>> skeletonDir="/etc/skel"
>> defaultMaxPasswordAge="9999"
>> userSmbHome="\\REALMSERV\%U"
>> userProfile="\\REALMSERV\profiles\%U"
>> userHomeDirectoryMode="700"
>> userHomeDrive="U:"
>> userScript="%g.bat"
>> mailDomain="example.com"
>> with_smbpasswd="0"
>> smbpasswd="/usr/bin/smbpasswd"
>> with_slappasswd="0"
>> slappasswd="/usr/sbin/slappasswd"
>>
>> And finally, smb.conf:
>>
>> workgroup = REALM
>> netbios name = REALMSERV
>> server string = My Realm %v
>> security = user
>> encrypt passwords = yes
>> load printers = yes
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> os level = 33
>> local master = yes
>> domain master = yes
>> preferred master = yes
>> domain logons = yes
>> #admin users = god
>> logon script = %g.bat
>> logon path = \\%L\profiles\%U
>> #logon path = \\%N\profiles\%U
>> wins support = no
>> dns proxy = no
>> ldap passwd sync = yes
>> ldap delete dn = yes
>> passdb backend = ldapsam:ldap://127.0.0.1
>> ldap admin dn = cn=admin,dc=example,dc=com
>> ldap suffix = dc=example,dc=com
>> ldap group suffix = ou=groups
>> ldap user suffix = ou=people
>> ldap machine suffix = ou=computers
>> create mask = 600
>> directory mask = 0700
>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>> *passwd:*all*authentication*tokens*updated*successfully*
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>> I'm lost...
>>
>> []s
>> Alexander
>> Brazil
>
> What version of Samba?
> What does this command return:
> net rpc user info fish1
>
> Daniel
>
Also check the output from
net groupmap list


For each "well known" group (e.g. "Domain Users") you should have a SID 
defined (with a standard RID). For example, Domain Users has a RID of 513. 
Groups you define (e.g. "Swimmers") do not have to have a SID defined - 
unix will still enforce the permissions - but it can make life easier if you 
do define a SID. The SID will have the domain component + a unique RID 
(relative ID).

e.g

# net groupmap list
Domain Users (S-1-5-21-xxx-xxx-xxx-513) -> Domain Users
marketing (S-1-5-21-xxx-xxx-xxx-10001) -> marketing

...
#
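As an added illustration of the check suggested above (example code, not part of the original thread or of Samba's own tooling): a POSIX shell script that parses `net groupmap list` output, verifies that the well-known groups carry their standard RIDs (512, 513, 514), and reports which Unix group each NT group name maps to, which is what a `valid users = @group` line ultimately depends on. The sample output is constructed; only the domain SID is taken from the thread, and the group entries and mapped Unix group names are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check `net groupmap list` output on a Samba PDC.
# SAMPLE_GROUPMAP is constructed for offline use; the domain SID is the one
# from the thread, the group lines are assumptions. On a real server, pass
# "$(net groupmap list)" as the argument instead.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-158730468-2379596502-3695168017-512) -> root
Domain Users (S-1-5-21-158730468-2379596502-3695168017-513) -> users
Domain Guests (S-1-5-21-158730468-2379596502-3695168017-514) -> nobody
swimmers (S-1-5-21-158730468-2379596502-3695168017-1001) -> swimmers'

# rid_of NAME [INPUT]: print the RID (last SID component) of NT group NAME,
# or nothing if NAME has no mapping. Line shape: "<nt name> (<sid>) -> <unix>".
rid_of() {
    name=$1
    input=${2:-$SAMPLE_GROUPMAP}
    printf '%s\n' "$input" | awk -v want="$name" '
        {
            p = index($0, " (")
            if (p == 0 || substr($0, 1, p - 1) != want) next
            sid = $0
            sub(/^[^(]*\(/, "", sid)   # drop everything up to the "("
            sub(/\).*$/, "", sid)      # drop the ")" and the "-> unix" tail
            n = split(sid, parts, "-")
            print parts[n]
        }'
}

# unix_group_of NAME [INPUT]: print the Unix group NT group NAME maps to.
unix_group_of() {
    name=$1
    input=${2:-$SAMPLE_GROUPMAP}
    printf '%s\n' "$input" | awk -v want="$name" '
        {
            p = index($0, " (")
            if (p == 0 || substr($0, 1, p - 1) != want) next
            q = index($0, "-> ")
            if (q) print substr($0, q + 3)
        }'
}

# check_well_known [INPUT]: verify the three built-in groups are mapped with
# their standard RIDs. Prints one line per problem; returns 0 if all are fine.
check_well_known() {
    input=${1:-$SAMPLE_GROUPMAP}
    rc=0
    for pair in "Domain Admins:512" "Domain Users:513" "Domain Guests:514"; do
        name=${pair%:*}
        want=${pair##*:}
        got=$(rid_of "$name" "$input")
        if [ -z "$got" ]; then
            echo "MISSING: '$name' has no group mapping (expected RID $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG RID: '$name' is mapped with RID $got, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample.
if check_well_known; then
    echo "well-known group mappings OK"
fi
echo "swimmers -> $(unix_group_of swimmers)"
```

On a live PDC the same functions take `"$(net groupmap list)"` as their input argument; a user-defined group such as `smokers` missing from the list is not by itself an error (Unix permissions still apply), but a missing or mis-numbered Domain Users entry is worth fixing first.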
