[Samba] Access and group issues on domain member server (PDC is Samba as well)

Daniel Müller mueller at tropenklinik.de
Wed Aug 1 05:22:34 MDT 2012


Hi there,

try: id youruser.ldap on the member server,
e.g.:

[root at tuepdc ~]# id tester
uid=1010(tester) gid=513(Domain Users) Gruppen=513(Domain Users),2154(orbis),34709(Dienstplan),61092(HS3),47140(DIFAEM),17162(agfa),29998(OpenHearts),26630(Personal),27525(pflege),19307(agaterm),46212(TerminalServer User)

Should id not work, there is something wrong.
Maybe your LDAP client is not working properly.

Good luck
Daniel



-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
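The check above ("id youruser" on the member server) can be scripted so that a missing domain group is reported instead of eyeballed. The following is an added example written for this thread, not code from Daniel or from the Samba project; it assumes only POSIX sh, sed, tr and grep, and the sample id lines it carries are constructed after the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): check that a user's domain groups really
# resolve on the member server by parsing the output of `id <user>`.
# Assumes POSIX sh, sed, tr and grep only.

# Print the group names from one `id` output line, one per line.
# A trailing SELinux " context=..." field is dropped first; then everything up
# to the last '=' is removed, so the locale-dependent label ("groups=" or
# "Gruppen=") does not matter. Names with spaces such as "Domain Users"
# survive because the list is split on ',' only.
id_groups() {
    printf '%s\n' "$1" \
        | sed -e 's/ context=.*//' -e 's/.*=//' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Print every expected group (remaining arguments) that is absent from the
# `id` output line given as the first argument.
missing_groups() {
    _line=$1
    shift
    _resolved=$(id_groups "$_line")
    for _want in "$@"; do
        printf '%s\n' "$_resolved" | grep -qxF -- "$_want" || printf '%s\n' "$_want"
    done
}

# Return 0 when every expected group resolved, 1 otherwise (report on stderr).
check_user_groups() {
    _missing=$(missing_groups "$@")
    if [ -n "$_missing" ]; then
        printf 'unresolved groups (NSS/LDAP lookup incomplete on this host):\n%s\n' "$_missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample modelled on the `id tester` output quoted above, with an
# SELinux context appended as CentOS prints it.
SAMPLE_OK='uid=1010(tester) gid=513(Domain Users) groups=513(Domain Users),2154(orbis),46212(TerminalServer User) context=unconfined_u:unconfined_r:unconfined_t:s0'
# Constructed: a member server whose lookup only yields the primary group.
SAMPLE_BAD='uid=1010(tester) gid=513(Domain Users) groups=513(Domain Users)'

# Live use: ./check_groups.sh tester "Domain Users" orbis
if [ $# -ge 2 ]; then
    _user=$1
    shift
    check_user_groups "$(id "$_user")" "$@"
fi
```

Run it on the member server with the user name and the groups that own the shares the user should reach; an empty result from missing_groups means NSS resolves the same group set as on the PDC, a non-empty one points at the LDAP client (nslcd/pam_ldap) configuration rather than at Samba.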
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Philipp Felix Hoefler
Sent: Wednesday, 1 August 2012 11:52
To: samba at lists.samba.org
Subject: [Samba] Access and group issues on domain member server (PDC is Samba as well)

Hi List,

I created a domain member server in my samba domain.
I started to realize that there were some issues when colleagues could not
access some folders in their shares.
After searching for a solution I found that on that member server I have no
"samba" groups available.

First of all my setup:
Domain controller:
CentOS 6.2 x86_64, latest updates installed
Samba 3.5.10 (from CentOS repo: samba-3.5.10-116.el6_2.x86_64)
LDAP backend (OpenLDAP from CentOS repo: openldap-2.4.23-20.el6.x86_64)

Domain member:
exact same OS and versions as on the domain controller, also with LDAP backend

I followed the instructions from
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html (Procedure
7.1. Configuration of NSS_LDAP-Based Identity Resolution) for adding the
member server.
(BTW: If anyone on this list has access to this guide: Paragraph 8: the
"wbinfo --set-auth-user=" has been replaced with "net setauthuser")
Both servers access the same LDAP directory for the Linux accounts and for Samba
incl. IDMAPs. Everything in this guide worked as described.

"getent passwd" and "getent groups" work successfully on both servers
(shows all entries from LDAP).
"net rpc group list" shows all groups correctly on the PDC.
"net groupmap list" shows all group mappings correctly on the PDC.

On the member server though:
"net rpc group list" only gives me Administrators and Users
"net groupmap list" only gives me:
Administrators (S-1-5-32-544) -> 16777216
Users (S-1-5-32-545) -> 16777217

I also tried to run winbind on the domain member, on domain member+PDC and
without winbind at all (We only have this one domain, do I even need
winbind then? As I understood it, it would only be needed if I have multiple
domains running. Is this correct?) But these commands always show me the
same output on the member server.

Should these commands even produce more output on domain members? Or is it
just for PDCs?

smb.confs from both servers are added at the end.

Thanks in advance!
best regards,
philipp

PS: some additional info to our "folder sharing system":
All users only connect to their home-share. Inside this share we add
symbolic links to the allowed group shares of the user.
These group share folders are owned by root, the group is one of the
(allowed) user groups. Directory mask is 770, group-sticky bit is set.


smb.conf from PDC:

[root at srvad1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
     workgroup = ATV
     server string = SRVAD1
     interfaces = 192.168.249.0/24, 127.0.0.1/8
     passdb backend = ldapsam:ldap://192.168.249.7/
     log file = /var/log/samba/%m.log
     max log size = 50
     smb ports = 139
     time server = Yes
     unix extensions = No
     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
     printcap name = CUPS
     add user script = /usr/sbin/smbldap-useradd -m
     add group script = /usr/sbin/smbldap-groupadd -p "%g"
     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
     add machine script = /usr/sbin/smbldap-useradd -w "%u"
     logon script = login.bat
     logon path =
     logon drive = U:
     logon home = \\SRVFILE1\%U
     domain logons = Yes
     os level = 65
     preferred master = Auto
     domain master = Yes
     dns proxy = No
     wins support = Yes
     ldap admin dn = cn=Manager,dc=at-visions,dc=com
     ldap delete dn = Yes
     ldap group suffix = ou=Groups,o=default
     ldap machine suffix = ou=Computers,ou=Samba,ou=System
     ldap passwd sync = yes
     ldap suffix = dc=at-visions,dc=com
     ldap ssl = no
     ldap user suffix = ou=Users,o=default
     idmap uid = 16777216-33554431
     idmap gid = 16777216-33554431
     cups options = raw
     case sensitive = No
     veto files = /.*/
     hide files = /.*/
     locking = No
     wide links = Yes
     dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[netlogon]
     path = /home/samba/netlogon
     share modes = No

[printers]
     comment = All Printers
     path = /var/spool/samba
     printable = Yes
     browseable = No

[print$]
     comment = Printer Drivers
     path = /var/lib/samba/printers
     write list = @adm, root
     guest ok = Yes

smb.conf from domain member:

[root at srvfile1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
     unix charset = LOCALE
     workgroup = ATV
     server string = SRVFILE1
     interfaces = 192.168.249.0/24, 127.0.0.1/8
     security = DOMAIN
     log level = 4 ads:10 auth:10 sam:10
     syslog = 0
     log file = /var/log/samba/%m.log
     max log size = 50
     smb ports = 139
     name resolve order = wins bcast hosts
     unix extensions = No
     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
     os level = 65
     wins server = 192.168.249.1
     ldap admin dn = cn=Manager,dc=at-visions,dc=com
     ldap group suffix = ou=Groups,o=default
     ldap idmap suffix = ou=Idmap,ou=Samba,ou=System
     ldap machine suffix = ou=Computers,ou=Samba,ou=System
     ldap suffix = dc=at-visions,dc=com
     ldap ssl = no
     ldap user suffix = ou=Users,o=default
     case sensitive = No
     veto files = /.*/
     hide files = /.*/
     locking = No
     wide links = Yes
     dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
     comment = Home Directories
     valid users = %S
     read only = No
     create mask = 0660
     force directory mode = 02770
     veto files = /*Maildir*/*.procmail*/*.spam*/*.profile*/.bash*/
     browseable = No
     level2 oplocks = No

Stats from PDC:
[root at srvad1 samba]# rpm -qa | grep samba
samba-3.5.10-116.el6_2.x86_64
samba-common-3.5.10-125.el6.x86_64
samba-winbind-3.5.10-125.el6.x86_64
samba-winbind-clients-3.5.10-125.el6.x86_64
samba-client-3.5.10-125.el6.x86_64
[root at srvad1 samba]# rpm -qa | grep ldap
smbldap-tools-0.9.8-1.el6.noarch
openldap-2.4.23-20.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
openldap-clients-2.4.23-20.el6.x86_64
pam_ldap-185-11.el6.x86_64
[root at srvad1 samba]# net rpc group list
Enter root's password:
Admins
Default
Domain Admins
Domain Users
IT
VISIONS
termuser
GL
mailOnly
Marketing
FUTURE
WEB
Projects
OMCmonitor
ATVASIA
ATVAUSTRIA
Domain Computers
TimeSheetReports
[root at srvad1 samba]# net groupmap list
Admins (S-1-5-21-3998129111-2374863605-1514640864-3005) -> Admins
Default (S-1-5-21-3998129111-2374863605-1514640864-3007) -> Default
Domain Admins (S-1-5-21-3998129111-2374863605-1514640864-512) -> Domain Admins
Domain Users (S-1-5-21-3998129111-2374863605-1514640864-513) -> Domain Users
IT (S-1-5-21-3998129111-2374863605-1514640864-3207) -> IT
VISIONS (S-1-5-21-3998129111-2374863605-1514640864-3211) -> VISIONS
termuser (S-1-5-21-3998129111-2374863605-1514640864-3217) -> termuser
GL (S-1-5-21-3998129111-2374863605-1514640864-3099) -> GL
mailOnly (S-1-5-21-3998129111-2374863605-1514640864-3125) -> mailOnly
Marketing (S-1-5-21-3998129111-2374863605-1514640864-3139) -> Marketing
FUTURE (S-1-5-21-3998129111-2374863605-1514640864-3141) -> FUTURE
WEB (S-1-5-21-3998129111-2374863605-1514640864-3143) -> WEB
Projects (S-1-5-21-3998129111-2374863605-1514640864-3145) -> Projects
OMCmonitor (S-1-5-21-3998129111-2374863605-1514640864-3149) -> OMCmonitor
ATVASIA (S-1-5-21-3998129111-2374863605-1514640864-3151) -> ATVASIA
ATVAUSTRIA (S-1-5-21-3998129111-2374863605-1514640864-3153) -> ATVAUSTRIA
Domain Computers (S-1-5-21-3998129111-2374863605-1514640864-515) -> Domain Computers
TimeSheetReports (S-1-5-21-3998129111-2374863605-1514640864-3159) -> TimeSheetReports

Stats from domain member:
[root at srvfile1 samba]# rpm -qa | grep samba
samba-3.5.10-116.el6_2.x86_64
samba-common-3.5.10-116.el6_2.x86_64
samba-winbind-3.5.10-116.el6_2.x86_64
samba-winbind-clients-3.5.10-116.el6_2.x86_64
[root at srvfile1 samba]# rpm -qa | grep ldap
openldap-2.4.23-20.el6.x86_64
pam_ldap-185-11.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
[root at srvfile1 samba]# net rpc group list
Enter root's password:
Administrators
Users
[root at srvfile1 samba]# net groupmap list
Administrators (S-1-5-32-544) -> 16777216
Users (S-1-5-32-545) -> 16777217
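The member server output above shows the two symptoms worth catching on every file server that enforces its 770 group shares through Unix groups: the mapping table carries only BUILTIN entries (S-1-5-32-*), and their Unix side is a bare number rather than a group name. The script below is an added example for this thread, not code from the poster or from the Samba project; it assumes POSIX sh, sed and awk, assumes that "net groupmap list" prints the GID itself whenever no Unix group with that GID can be resolved, and uses constructed sample tables (the domain SID S-1-5-21-1-2-3 is a placeholder).

```shell
#!/bin/sh
# Added example (not from the thread): audit the output of `net groupmap list`
# so that a member server showing only BUILTIN mappings to bare GIDs, as in the
# output quoted above, is flagged automatically. Assumes POSIX sh, sed and awk.

# Turn `net groupmap list` output ("NT name (SID) -> unix") into one
# "ntname|sid|unix" record per line. NT names may contain spaces.
groupmap_records() {
    printf '%s\n' "$1" \
        | sed -n 's/^\(.*\) (\(S-[0-9-]*\)) -> \(.*\)$/\1|\2|\3/p'
}

# NT names whose Unix side is a bare number. Assumption: net prints the GID
# itself when no Unix group with that GID resolves through NSS, which is what
# the member server above shows (16777216, 16777217).
unresolved_mappings() {
    groupmap_records "$1" | awk -F'|' '$3 ~ /^[0-9]+$/ { print $1 }'
}

# Number of mappings for domain groups (SIDs under S-1-5-21-...). BUILTIN
# groups live under S-1-5-32-...; a count of 0 means the host knows no domain
# group at all, so share permissions cannot be granted to any of them.
domain_mapping_count() {
    groupmap_records "$1" | awk -F'|' '$2 ~ /^S-1-5-21-/ { n++ } END { print n+0 }'
}

# Print a report; return 0 if the mapping table looks healthy, 1 otherwise.
audit_groupmap() {
    _rc=0
    _bad=$(unresolved_mappings "$1")
    if [ -n "$_bad" ]; then
        printf 'mappings without a resolvable Unix group:\n%s\n' "$_bad"
        _rc=1
    fi
    if [ "$(domain_mapping_count "$1")" -eq 0 ]; then
        printf 'no domain (S-1-5-21-*) group mappings found\n'
        _rc=1
    fi
    return $_rc
}

# Constructed sample mirroring the member server output quoted above.
MEMBER_SAMPLE='Administrators (S-1-5-32-544) -> 16777216
Users (S-1-5-32-545) -> 16777217'

# Constructed sample of a healthy table; the domain SID 1-2-3 is a placeholder.
PDC_SAMPLE='Domain Admins (S-1-5-21-1-2-3-512) -> Domain Admins
Domain Users (S-1-5-21-1-2-3-513) -> Domain Users
Projects (S-1-5-21-1-2-3-3145) -> Projects'

# Live use on a server: ./audit_groupmap.sh live
if [ "${1:-}" = live ]; then
    audit_groupmap "$(net groupmap list)"
fi
```

Running the audit on both servers after every change to the LDAP client or idmap settings gives a quick regression check: the PDC table should pass, and the member server should stop reporting "no domain group mappings" once its group resolution is fixed.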


