[Samba] Access and group issues on domain member server (PDC is Samba as well)
Daniel Müller
mueller at tropenklinik.de
Wed Aug 1 05:22:34 MDT 2012
Hi there,
try : id youruser.ldap on the memberserver,
ex.:
[root at tuepdc ~]# id tester
uid=1010(tester) gid=513(Domain Users) Gruppen=513(Domain
Users),2154(orbis),34709(Dienstplan),61092(HS3),47140(DIFAEM),17162(agfa),29
998(OpenHearts),26630(Personal),27525(pflege),19307(agaterm),46212(TerminalS
erver User)
Should id not work there is something wrong.
Maybe your ldapclient is not working properly.
Good luck
Daniel
-----------------------------------------------
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im
Auftrag von Philipp Felix Hoefler
Gesendet: Mittwoch, 1. August 2012 11:52
An: samba at lists.samba.org
Betreff: [Samba] Access and group issues on domain member server (PDC is
Samba as well)
Hi List,
I created a domain member server in my samba domain.
I start to realize that there are some issues when colleagues could not
access some folders in the their shares.
After searching for a solution I found that on that member server I have no
"samba" groups available.
First of all my setup:
Domain controller:
CentOS 6.2 x86_64, latest updates installed Samba 3.5.10 (from CentOS repo:
samba-3.5.10-116.el6_2.x86_64) LDAP backend (OpenLDAP from CentOS repo:
openldap-2.4.23-20.el6.x86_64)
Domain member:
exact same OS and versions as on domain controller also with LDAP backend
I followed the instructions from
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html ( Procedure
7.1. Configuration of NSS_LDAP-Based Identity Resolution) for adding the
member server.
(BTW: If anyone on this list has access to this guide: Paragraph 8: the
"wbinfo --set-auth-user=" has been replaced with "net setauthuser") Both
servers access the same LDAP directory for the linux accounts and for Samba
incl. IDMAPs Everything in this guide worked as described.
"getent passwd" and "getent groups" works successfully on both servers
(shows all entries from LDAP) "net rpc group list" shows all groups
correctly on the PDC "net groupmap list" shows all group mappings correctly
on the PDC
On the member server though:
"net rpc group list" only gives me Administrators and Users "net groupmap
list" only gives me:
Administrators (S-1-5-32-544) -> 16777216 Users (S-1-5-32-545) -> 16777217
I also tried to run winbind on the domain member, domain member+PDC and
whithout winbind at all (We only have this one domain, do I even need
winbind then? As I understood it would only be needed if I have multiple
domains running. Is this correct?) But these commands always show me the
same output on the member server.
Should this commands even produce more output on domain members? Or is it
just for PDCs?
smb.confs from both servers are added at the end.
Thanks in advance!
best regards,
philipp
PS: some additional info to our "folder sharing system":
All users only connect to their home-share. Inside this share we add
symbolic links to the allowed group shares of the user.
This group share folders are owned by root, group is one of the
(allowed) Usergroups. Directory mask is 770, group-sticky bit is set.
smb.conf from PDC:
[root at srvad1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated Processing section
"[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[global]
workgroup = ATV
server string = SRVAD1
interfaces = 192.168.249.0/24, 127.0.0.1/8
passdb backend = ldapsam:ldap://192.168.249.7/
log file = /var/log/samba/%m.log
max log size = 50
smb ports = 139
time server = Yes
unix extensions = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = login.bat
logon path =
logon drive = U:
logon home = \\SRVFILE1\%U
domain logons = Yes
os level = 65
preferred master = Auto
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=Manager,dc=at-visions,dc=com
ldap delete dn = Yes
ldap group suffix = ou=Groups,o=default
ldap machine suffix = ou=Computers,ou=Samba,ou=System
ldap passwd sync = yes
ldap suffix = dc=at-visions,dc=com
ldap ssl = no
ldap user suffix = ou=Users,o=default
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw
case sensitive = No
veto files = /.*/
hide files = /.*/
locking = No
wide links = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
[netlogon]
path = /home/samba/netlogon
share modes = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
write list = @adm, root
guest ok = Yes
smb.conf from domain member:
[root at srvfile1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
unix charset = LOCALE
workgroup = ATV
server string = SRVFILE1
interfaces = 192.168.249.0/24, 127.0.0.1/8
security = DOMAIN
log level = 4 ads:10 auth:10 sam:10
syslog = 0
log file = /var/log/samba/%m.log
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
unix extensions = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 65
wins server = 192.168.249.1
ldap admin dn = cn=Manager,dc=at-visions,dc=com
ldap group suffix = ou=Groups,o=default
ldap idmap suffix = ou=Idmap,ou=Samba,ou=System
ldap machine suffix = ou=Computers,ou=Samba,ou=System
ldap suffix = dc=at-visions,dc=com
ldap ssl = no
ldap user suffix = ou=Users,o=default
case sensitive = No
veto files = /.*/
hide files = /.*/
locking = No
wide links = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0660
force directory mode = 02770
veto files = /*Maildir*/*.procmail*/*.spam*/*.profile*/.bash*/
browseable = No
level2 oplocks = No
Stats from PDC:
[root at srvad1 samba]# rpm -qa | grep samba
samba-3.5.10-116.el6_2.x86_64
samba-common-3.5.10-125.el6.x86_64
samba-winbind-3.5.10-125.el6.x86_64
samba-winbind-clients-3.5.10-125.el6.x86_64
samba-client-3.5.10-125.el6.x86_64
[root at srvad1 samba]# rpm -qa | grep ldap smbldap-tools-0.9.8-1.el6.noarch
openldap-2.4.23-20.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
openldap-clients-2.4.23-20.el6.x86_64
pam_ldap-185-11.el6.x86_64
[root at srvad1 samba]# net rpc group list
Enter root's password:
Admins
Default
Domain Admins
Domain Users
IT
VISIONS
termuser
GL
mailOnly
Marketing
FUTURE
WEB
Projects
OMCmonitor
ATVASIA
ATVAUSTRIA
Domain Computers
TimeSheetReports
[root at srvad1 samba]# net groupmap list
Admins (S-1-5-21-3998129111-2374863605-1514640864-3005) -> Admins Default
(S-1-5-21-3998129111-2374863605-1514640864-3007) -> Default Domain Admins
(S-1-5-21-3998129111-2374863605-1514640864-512) -> Domain Admins Domain
Users (S-1-5-21-3998129111-2374863605-1514640864-513) -> Domain Users IT
(S-1-5-21-3998129111-2374863605-1514640864-3207) -> IT VISIONS
(S-1-5-21-3998129111-2374863605-1514640864-3211) -> VISIONS termuser
(S-1-5-21-3998129111-2374863605-1514640864-3217) -> termuser GL
(S-1-5-21-3998129111-2374863605-1514640864-3099) -> GL mailOnly
(S-1-5-21-3998129111-2374863605-1514640864-3125) -> mailOnly Marketing
(S-1-5-21-3998129111-2374863605-1514640864-3139) -> Marketing FUTURE
(S-1-5-21-3998129111-2374863605-1514640864-3141) -> FUTURE WEB
(S-1-5-21-3998129111-2374863605-1514640864-3143) -> WEB Projects
(S-1-5-21-3998129111-2374863605-1514640864-3145) -> Projects OMCmonitor
(S-1-5-21-3998129111-2374863605-1514640864-3149) -> OMCmonitor ATVASIA
(S-1-5-21-3998129111-2374863605-1514640864-3151) -> ATVASIA ATVAUSTRIA
(S-1-5-21-3998129111-2374863605-1514640864-3153) -> ATVAUSTRIA Domain
Computers (S-1-5-21-3998129111-2374863605-1514640864-515) -> Domain
Computers TimeSheetReports (S-1-5-21-3998129111-2374863605-1514640864-3159)
-> TimeSheetReports
Stats from domain member:
[root at srvfile1 samba]# rpm -qa | grep samba
samba-3.5.10-116.el6_2.x86_64
samba-common-3.5.10-116.el6_2.x86_64
samba-winbind-3.5.10-116.el6_2.x86_64
samba-winbind-clients-3.5.10-116.el6_2.x86_64
[root at srvfile1 samba]# rpm -qa | grep ldap
openldap-2.4.23-20.el6.x86_64
pam_ldap-185-11.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
[root at srvfile1 samba]# net rpc group list Enter root's password:
Administrators
Users
[root at srvfile1 samba]# net groupmap list Administrators (S-1-5-32-544) ->
16777216 Users (S-1-5-32-545) -> 16777217
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list