[Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC)
Mark Sheard
marksheard at yahoo.com
Wed Jun 30 00:30:37 MDT 2010
Good morning to all,
Sorry if this is spam to some of you; I'm not sure if this
is more technical or not...
Considering I have been fighting with this for a week now, trying all
possible checks and configs out there on the net, I thought I had better
come to the experts. ;o)
My last resort is to upgrade to the latest Samba version, which might help, but I
think the bug was not fixed in this version, not sure.. :o\
I have Ubuntu version 10.04
Samba ver "3.0.28a-1ubuntu4.12"
Here is the Bug/problem:
I am unable to list Domain "Local Groups" but Domain "Global Groups"
are fine in winbind. I would like to know winbind is working with
"Local Groups" first before configuring apache to authenticate to a local
group and the rest...
I have configured a Samba Member server (Nagios) to talk to a NT Domain PDC.
Here is my Samba cfg.
root@wfmmon-GBL:/downloads# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = NAMEOFDOMAIN
server string = %h server (Samba, Ubuntu)
security = DOMAIN
map to guest = Bad User
obey pam restrictions = Yes
password server = PDCSVR BDCSVR2 BDCSVR3_CF BDCSVR4 BDCSVR5_cf
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = lmhosts host wins bcast
unix extensions = No
printcap name = cups
disable spoolss = Yes
preferred master = No
local master = No
domain master = No
wins server = 192.168.0.0.1 #( not the real ip)
usershare allow guests = Yes
usershare max shares = 10
panic action = /usr/share/samba/panic-action %d
idmap uid = 1000-200000
idmap gid = 1000-200000
template shell = /bin/bash
winbind separator = +
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
invalid users = root
wide links = No
root@wfmmon-GBL:/downloads#
Domain Local group NAGMONGBL
Domain Global group Domain Users
Example:
I am able to do
****
root@wfmmon-GBL:/downloads# wbinfo --group-info="Domain Users"
domain users:x:10004
root@wfmmon-GBL:/downloads#
****
But NOT
****
root@wfmmon-GBL:/downloads# wbinfo --group-info="NAGMONGBL"
Could not get info for group NAGMONGBL
root@wfmmon-GBL:/downloads#
****
Checking error logs reveals
****
root@wfmmon-GBL:/downloads# tail -25 /var/log/samba/log.winbindd
[2010/06/30 07:15:55, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
could not lookup membership for group sid "SIDNUMBER" in domain NAMEOFDOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
****
I am able to resolve the sid to name
****
root@wfmmon-GBL:/downloads# wbinfo --sid-to-name="SIDNUMBER"
NAMEOFDOMAIN+nagmongbl 4
****
Additional stuff I tried with group mapping; I get
the same error as above with (wbinfo --group-info="NAGMONGBL"):
nagmongbl is our local group..
BUILTIN+users is also a local group but works :o\
root@wfmmon-GBL:/downloads# net groupmap list
nagmongbl (S-1-5-21-1420701450-S-I-D-Number) -> nagmonglb
Administrators (S-1-5-32-544) -> BUILTIN+administrators
Users (S-1-5-32-545) -> BUILTIN+users
root@wfmmon-GBL:/downloads# getent group nagmonglb
nagmonglb:x:10770:
root@wfmmon-GBL:/downloads# getent group nagmongbl
root@wfmmon-GBL:/downloads#
root@wfmmon-GBL:/downloads# getent group "BUILTIN+users"
BUILTIN+users:x:10001:administrator,iusr_svr_cf,svr$,svr3$,iwam_svvr_cf,iusr_srv_cf,iwam_svr342_cf,wfmmon-gbl$
root@wfmmon-GBL:/downloads#
If it comes down to the Samba version:
Considering Samba upgrades, what would be the best approach:
to remove, or to install over the top of the existing installation?
Thanks in advance for any input, help, direction that can
be provided here.
Regards
Mark
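
The check of `net groupmap list` output against the group names being queried can be scripted. The following is an added example, not part of the original post and not Samba code: it flags mappings whose Unix group name differs from the NT group name once the domain prefix and case are ignored. The function names, the sample input and its SID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): parse `net groupmap list` output of the
# form  NTNAME (SID) -> UNIXGROUP  and report entries where the two names
# differ. Real use:  net groupmap list | groupmap_mismatches

groupmap_mismatches() {
    sep=${1:-+}   # winbind separator; "+" in the posted smb.conf
    while IFS= read -r line; do
        case $line in
            *' ('*') -> '*) ;;   # looks like a mapping line
            *) continue ;;       # skip anything else
        esac
        nt=${line%%" ("*}        # text before the first " ("
        unix=${line##*") -> "}   # text after the last ") -> "
        sid=${line#"$nt ("}
        sid=${sid%%")"*}
        short=${unix##*"$sep"}   # drop a DOMAIN<sep> prefix if present
        nt_l=$(printf '%s' "$nt" | tr '[:upper:]' '[:lower:]')
        short_l=$(printf '%s' "$short" | tr '[:upper:]' '[:lower:]')
        if [ "$nt_l" != "$short_l" ]; then
            printf 'MISMATCH %s (%s) -> %s\n' "$nt" "$sid" "$unix"
        fi
    done
    return 0
}

# Constructed sample shaped like the listing in the post; the first SID is a
# placeholder, not a real domain SID.
sample_groupmap() {
    printf '%s\n' \
        'nagmongbl (S-1-5-21-EXAMPLE-1001) -> nagmonglb' \
        'Administrators (S-1-5-32-544) -> BUILTIN+administrators' \
        'Users (S-1-5-32-545) -> BUILTIN+users'
}

sample_groupmap | groupmap_mismatches
```

A flagged line only means the two names differ; whether that is intended depends on how the mapping was created.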