[Samba] Access and group issues on domain member server (PDC is Samba as well)

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Aug 1 08:36:01 MDT 2012


I think there are two components:

1st, I think the domain member does need to run winbind to retrieve
Windows users and groups from the DC.
2nd, the domain member needs to have idmap configured correctly to make
sure that the Windows users are properly mapped to the "local" unix
users, so that the unix/Windows mappings are the same as on the DC
(the fact that the "local" unix users are actually LDAP accounts is not
known to the Samba server).


In theory the idmap_nss backend should help keep idmap entries
consistent across Samba servers with a common LDAP backend. The
"idmap_nss" man page shows some examples. If you use idmap_nss on
both DC and server it should be consistent.


The other option is to use LDAP for the idmap backend. See man
idmap_ldap. Your PDC should create idmap entries. I found I had to
then edit the entries to correct the uid or gid values to match the LDAP
user values. I then tried configuring the member servers to use the
same LDAP idmap backend, but read-only. It didn't really work, and
this was before the idmap_nss option was available. In the end I
found it easier to convert some of my member servers to BDCs.




On 08/01/12 05:51, Philipp Felix Hoefler wrote:
> Hi List,
>
> I created a domain member server in my samba domain.
> I start to realize that there are some issues when colleagues could
> not access some folders in their shares.
> After searching for a solution I found that on that member server I
> have no "samba" groups available.
>
> First of all my setup:
> Domain controller:
> CentOS 6.2 x86_64, latest updates installed
> Samba 3.5.10 (from CentOS repo: samba-3.5.10-116.el6_2.x86_64)
> LDAP backend (OpenLDAP from CentOS repo: openldap-2.4.23-20.el6.x86_64)
>
> Domain member:
> exact same OS and versions as on domain controller
> also with LDAP backend
>
> I followed the instructions from
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html (
> Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution)
> for adding the member server.
> (BTW: If anyone on this list has access to this guide: Paragraph 8:
> the "wbinfo --set-auth-user=" has been replaced with "net setauthuser")
> Both servers access the same LDAP directory for the linux accounts and
> for Samba incl. IDMAPs
> Everything in this guide worked as described.
>
> "getent passwd" and "getent groups" works successfully on both servers
> (shows all entries from LDAP)
> "net rpc group list" shows all groups correctly on the PDC
> "net groupmap list" shows all group mappings correctly on the PDC
>
> On the member server though:
> "net rpc group list" only gives me Administrators and Users
> "net groupmap list" only gives me:
> Administrators (S-1-5-32-544) -> 16777216
> Users (S-1-5-32-545) -> 16777217
>
> I also tried to run winbind on the domain member, domain member+PDC
> and without winbind at all (We only have this one domain, do I even
> need winbind then? As I understood it would only be needed if I have
> multiple domains running. Is this correct?)
> But these commands always show me the same output on the member server.
>
> Should these commands even produce more output on domain members? Or is
> it just for PDCs?
>
> smb.confs from both servers are added at the end.
>
> Thanks in advance!
> best regards,
> philipp
>
> PS: some additional info to our "folder sharing system":
> All users only connect to their home-share. Inside this share we add
> symbolic links to the allowed group shares of the user.
> These group share folders are owned by root, group is one of the
> (allowed) user groups. Directory mask is 770, group-sticky bit is set.
>
>
> smb.conf from PDC:
>
> [root at srvad1 samba]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> WARNING: The "share modes" option is deprecated
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
>
> [global]
>     workgroup = ATV
>     server string = SRVAD1
>     interfaces = 192.168.249.0/24, 127.0.0.1/8
>     passdb backend = ldapsam:ldap://192.168.249.7/
>     log file = /var/log/samba/%m.log
>     max log size = 50
>     smb ports = 139
>     time server = Yes
>     unix extensions = No
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     printcap name = CUPS
>     add user script = /usr/sbin/smbldap-useradd -m
>     add group script = /usr/sbin/smbldap-groupadd -p "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -w "%u"
>     logon script = login.bat
>     logon path =
>     logon drive = U:
>     logon home = \\SRVFILE1\%U
>     domain logons = Yes
>     os level = 65
>     preferred master = Auto
>     domain master = Yes
>     dns proxy = No
>     wins support = Yes
>     ldap admin dn = cn=Manager,dc=at-visions,dc=com
>     ldap delete dn = Yes
>     ldap group suffix = ou=Groups,o=default
>     ldap machine suffix = ou=Computers,ou=Samba,ou=System
>     ldap passwd sync = yes
>     ldap suffix = dc=at-visions,dc=com
>     ldap ssl = no
>     ldap user suffix = ou=Users,o=default
>     idmap uid = 16777216-33554431
>     idmap gid = 16777216-33554431
>     cups options = raw
>     case sensitive = No
>     veto files = /.*/
>     hide files = /.*/
>     locking = No
>     wide links = Yes
>     dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>
> [netlogon]
>     path = /home/samba/netlogon
>     share modes = No
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     printable = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
>     write list = @adm, root
>     guest ok = Yes
>
> smb.conf from domain member:
>
> [root at srvfile1 samba]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>     unix charset = LOCALE
>     workgroup = ATV
>     server string = SRVFILE1
>     interfaces = 192.168.249.0/24, 127.0.0.1/8
>     security = DOMAIN
>     log level = 4 ads:10 auth:10 sam:10
>     syslog = 0
>     log file = /var/log/samba/%m.log
>     max log size = 50
>     smb ports = 139
>     name resolve order = wins bcast hosts
>     unix extensions = No
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     os level = 65
>     wins server = 192.168.249.1
>     ldap admin dn = cn=Manager,dc=at-visions,dc=com
>     ldap group suffix = ou=Groups,o=default
>     ldap idmap suffix = ou=Idmap,ou=Samba,ou=System
>     ldap machine suffix = ou=Computers,ou=Samba,ou=System
>     ldap suffix = dc=at-visions,dc=com
>     ldap ssl = no
>     ldap user suffix = ou=Users,o=default
>     case sensitive = No
>     veto files = /.*/
>     hide files = /.*/
>     locking = No
>     wide links = Yes
>     dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>
> [homes]
>     comment = Home Directories
>     valid users = %S
>     read only = No
>     create mask = 0660
>     force directory mode = 02770
>     veto files = /*Maildir*/*.procmail*/*.spam*/*.profile*/.bash*/
>     browseable = No
>     level2 oplocks = No
>
> Stats from PDC:
> [root at srvad1 samba]# rpm -qa | grep samba
> samba-3.5.10-116.el6_2.x86_64
> samba-common-3.5.10-125.el6.x86_64
> samba-winbind-3.5.10-125.el6.x86_64
> samba-winbind-clients-3.5.10-125.el6.x86_64
> samba-client-3.5.10-125.el6.x86_64
> [root at srvad1 samba]# rpm -qa | grep ldap
> smbldap-tools-0.9.8-1.el6.noarch
> openldap-2.4.23-20.el6.x86_64
> nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
> openldap-clients-2.4.23-20.el6.x86_64
> pam_ldap-185-11.el6.x86_64
> [root at srvad1 samba]# net rpc group list
> Enter root's password:
> Admins
> Default
> Domain Admins
> Domain Users
> IT
> VISIONS
> termuser
> GL
> mailOnly
> Marketing
> FUTURE
> WEB
> Projects
> OMCmonitor
> ATVASIA
> ATVAUSTRIA
> Domain Computers
> TimeSheetReports
> [root at srvad1 samba]# net groupmap list
> Admins (S-1-5-21-3998129111-2374863605-1514640864-3005) -> Admins
> Default (S-1-5-21-3998129111-2374863605-1514640864-3007) -> Default
> Domain Admins (S-1-5-21-3998129111-2374863605-1514640864-512) ->
> Domain Admins
> Domain Users (S-1-5-21-3998129111-2374863605-1514640864-513) -> Domain
> Users
> IT (S-1-5-21-3998129111-2374863605-1514640864-3207) -> IT
> VISIONS (S-1-5-21-3998129111-2374863605-1514640864-3211) -> VISIONS
> termuser (S-1-5-21-3998129111-2374863605-1514640864-3217) -> termuser
> GL (S-1-5-21-3998129111-2374863605-1514640864-3099) -> GL
> mailOnly (S-1-5-21-3998129111-2374863605-1514640864-3125) -> mailOnly
> Marketing (S-1-5-21-3998129111-2374863605-1514640864-3139) -> Marketing
> FUTURE (S-1-5-21-3998129111-2374863605-1514640864-3141) -> FUTURE
> WEB (S-1-5-21-3998129111-2374863605-1514640864-3143) -> WEB
> Projects (S-1-5-21-3998129111-2374863605-1514640864-3145) -> Projects
> OMCmonitor (S-1-5-21-3998129111-2374863605-1514640864-3149) -> OMCmonitor
> ATVASIA (S-1-5-21-3998129111-2374863605-1514640864-3151) -> ATVASIA
> ATVAUSTRIA (S-1-5-21-3998129111-2374863605-1514640864-3153) -> ATVAUSTRIA
> Domain Computers (S-1-5-21-3998129111-2374863605-1514640864-515) ->
> Domain Computers
> TimeSheetReports (S-1-5-21-3998129111-2374863605-1514640864-3159) ->
> TimeSheetReports
>
> Stats from domain member:
> [root at srvfile1 samba]# rpm -qa | grep samba
> samba-3.5.10-116.el6_2.x86_64
> samba-common-3.5.10-116.el6_2.x86_64
> samba-winbind-3.5.10-116.el6_2.x86_64
> samba-winbind-clients-3.5.10-116.el6_2.x86_64
> [root at srvfile1 samba]# rpm -qa | grep ldap
> openldap-2.4.23-20.el6.x86_64
> pam_ldap-185-11.el6.x86_64
> nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
> [root at srvfile1 samba]# net rpc group list
> Enter root's password:
> Administrators
> Users
> [root at srvfile1 samba]# net groupmap list
> Administrators (S-1-5-32-544) -> 16777216
> Users (S-1-5-32-545) -> 16777217
>
>
>
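The check a practitioner would want before touching idmap on the member is a side-by-side comparison of what the PDC and the member actually map. The script below is an added example, not code from either poster or from the Samba project: it parses captured `net groupmap list` output from both hosts, reports domain groups (S-1-5-21-*) the member has no mapping for, and then checks every mapping target (a unix group name or a bare gid, as in the member's "-> 16777216" lines) against captured `getent group` output. The sample listings and group database are constructed from the output quoted in the thread; in real use you would replace them with `net groupmap list` and `getent group` captured on each host.

```shell
#!/bin/sh
# Added example (not from the thread): compare idmap/groupmap state between a
# Samba PDC and a domain member from captured command output.

# Constructed sample of "net groupmap list" on the PDC (subset of the thread's output).
PDC_GROUPMAP='Admins (S-1-5-21-3998129111-2374863605-1514640864-3005) -> Admins
Domain Admins (S-1-5-21-3998129111-2374863605-1514640864-512) -> Domain Admins
Domain Users (S-1-5-21-3998129111-2374863605-1514640864-513) -> Domain Users
IT (S-1-5-21-3998129111-2374863605-1514640864-3207) -> IT'

# Constructed sample of "net groupmap list" on the member (as quoted in the thread):
# only BUILTIN groups, mapped to gids allocated from the idmap range.
MEMBER_GROUPMAP='Administrators (S-1-5-32-544) -> 16777216
Users (S-1-5-32-545) -> 16777217'

# Constructed sample of "getent group" (LDAP-backed NSS); gids are assumptions.
GROUP_DB='Admins:*:1005:philipp
Domain Admins:*:512:root
Domain Users:*:513:
IT:*:1010:philipp'

# Print "SID target" for every groupmap line (BUILTIN and domain SIDs).
all_mappings() {
    printf '%s\n' "$1" | sed -n 's/^.* (\(S-1-5-[0-9-]*\)) -> \(.*\)$/\1 \2/p'
}

# Print "SID target" for domain SIDs only (S-1-5-21-*), skipping BUILTIN (S-1-5-32-*).
domain_mappings() {
    printf '%s\n' "$1" | sed -n 's/^.* (\(S-1-5-21-[0-9-]*\)) -> \(.*\)$/\1 \2/p'
}

# Domain SIDs mapped on the PDC ($1) that have no mapping at all on the member ($2).
# These are exactly the groups that cannot appear in an ACL check on the member.
missing_on_member() {
    domain_mappings "$1" | while read -r sid name; do
        if ! domain_mappings "$2" | cut -d' ' -f1 | grep -qxF -- "$sid"; then
            printf '%s %s\n' "$sid" "$name"
        fi
    done
}

# Mapping targets in a groupmap listing ($1) that do not resolve in the group
# database ($2): a name must be field 1 of some getent line, a bare gid field 3.
# A bare gid from the idmap range with no NSS entry means the SID was allocated
# locally instead of being mapped to the shared LDAP group.
unresolved_targets() {
    all_mappings "$1" | while read -r sid target; do
        case "$target" in
            *[!0-9]*)   # contains a non-digit: treat as a unix group name
                printf '%s\n' "$2" | awk -F: -v n="$target" '$1==n{f=1} END{exit !f}' \
                    || printf '%s %s\n' "$sid" "$target" ;;
            *)          # digits only: treat as a gid
                printf '%s\n' "$2" | awk -F: -v g="$target" '$3==g{f=1} END{exit !f}' \
                    || printf '%s %s\n' "$sid" "$target" ;;
        esac
    done
}

echo "Domain groups mapped on the PDC but absent on the member:"
missing_on_member "$PDC_GROUPMAP" "$MEMBER_GROUPMAP"
echo "Member mapping targets that do not resolve via NSS:"
unresolved_targets "$MEMBER_GROUPMAP" "$GROUP_DB"
```

Run on the constructed data, the first report lists all four domain groups (the member knows none of them), and the second flags both BUILTIN mappings because gids 16777216 and 16777217 exist nowhere in NSS. On a member with winbind plus a correctly configured idmap backend, both reports should be empty; anything left in the second report is a SID that was allocated from the member's private idmap range rather than resolved to the LDAP group the PDC uses.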



