[Samba] ldapsam_getgroup

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Jun 7 18:01:24 MDT 2012


Well known groups are things like "Domain Administrators" and
"Administrators" - they always have the same SID or RID (relative ID).
With an LDAP backend, you may have winbind/idmap automatically allocating
unix group IDs, so this may be hidden from you. In my environment I
support linux clients (ssh and nfs) so I still have to manage unix uids and
gids. It means I also have to create unix groups that represent any
windows groups.

On the unix server, as root in a unix session, can you see the owner, group
and permissions on the files you are creating from windows?    If you run
"pdbedit -Lv somesambauser" you should see the name of the unix account for
that user.    Is there a mismatch?   Can you set file permissions via unix
so that the windows users can see them?     Have you defined any force user,
force group or force mask options on the file share?

 



-----Original Message-----
From: Murthy [mailto:msganti8 at gmail.com] 
Sent: Thursday, June 07, 2012 6:49 PM
To: gaiseric.vandal at gmail.com
Subject: Re: [Samba] ldapsam_getgroup

Hello:

I am not sure what you mean by setup Unix groups and domain mappings for
additional windows "well known groups".

I tried the following experiment. I changed the permissions on the directory
to 777 and mapped it to a share.
I am able to see all the directories in that share directory (i.e. all
sub-directories). However, I cannot see any individual files. Same thing
happens if I create new subdirectories. I can see newly created
sub-directories but I cannot see any individual files.

I have been working on this for about 3 days now. I am really frustrated why
things have to be so complicated.

Murthy


On Jun 7, 2012, at 9:46 AM, Gaiseric Vandal wrote:

> You may need to set up unix groups and domain mappings for some 
> additional windows "well known groups"  (google for windows well known
> groups.)
> 
> 
> 
> 
> On my server I can see my group mappings:
> 
> #  net groupmap list
> .....
> Domain Users (S-1-5-21-xxxxx-xxxx-xxxxx-513) -> Domain Users
> Administrators (S-1-5-32-544) -> Builtin Admins
> Domain Controllers (S-1-5-21-xxxxx-xxxx-xxxxx-516) -> Domain Controllers
> 
> ....
> Authenticated Users (S-1-5-11) -> Authenticated Users
> Network (S-1-5-2) -> Network
> Everyone (S-1-1-0) -> Everyone
> ....
> 
> 
> So
> 
> # net groupmap add ntgroup="Authenticated Users" unixgroup=xxx sid="S-1-5-11"
> 
> Or you can update in ldap.
> 
> 
> 
> On 06/07/12 05:56, Cédric Carlen wrote:
>> Hello, hello
>> 
>> I'm writing you this email because when I want to set up a password policy
>> with LDAP, this one isn't recognized by samba.
>> 
>> In the log I've got this:
>> 
>>  ldapsam_getgroup: Did not find group, filter was
>> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
>>  ldapsam_getgroup: Did not find group, filter was
>> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))
>>  ldapsam_getgroup: Did not find group, filter was
>> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))
>> 
>> When I look with LdapAdmin, I don't have SIDs like this. Why does LDAP check
>> these SIDs if they don't exist?
>> 
>> Thanks for your help
>> 
>> Flake
>> 
>> P.S.: I didn't paste files, because I don't know which one could help
>> 
> 
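The log entries and group mappings discussed in this thread, as an added example that is not part of any poster's message: a Python sketch that extracts the SIDs from `ldapsam_getgroup: Did not find group` entries, names the well-known ones, and builds the matching `net groupmap add` commands for review. The Unix group names and the domain SID in the sample are assumptions, and the sample log is constructed from the lines quoted above.

```python
import re
import shlex

# Well-known SIDs seen in this thread; their values are the same on every domain.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "Network",
    "S-1-5-11": "Authenticated Users",
}
# sambaSID term of the LDAP filter that ldapsam_getgroup writes to the log.
SID_IN_FILTER = re.compile(r"\(sambaSID=(S-\d+(?:-\d+)+)\)")

def missing_sids(log_text):
    """SIDs from 'Did not find group' entries, de-duplicated, first-seen order."""
    flat = " ".join(log_text.split())   # an entry may be wrapped across lines
    seen = []
    for entry in flat.split("ldapsam_getgroup:")[1:]:
        match = SID_IN_FILTER.search(entry)
        if "Did not find group" in entry and match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def groupmap_commands(sids, unix_groups):
    """Return (commands, skipped): one 'net groupmap add' per mappable SID."""
    commands, skipped = [], []
    for sid in sids:
        if sid not in WELL_KNOWN or sid not in unix_groups:
            skipped.append(sid)         # not well-known, or no Unix group chosen
            continue
        commands.append(shlex.join([    # shlex.join quotes the name with a space
            "net", "groupmap", "add", "ntgroup=" + WELL_KNOWN[sid],
            "unixgroup=" + unix_groups[sid], "sid=" + sid]))
    return commands, skipped

# Constructed sample: the thread's three entries, one repeat, one made-up domain SID.
SAMPLE_LOG = """
 ldapsam_getgroup: Did not find group, filter was
 (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
 ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))
 ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))
 ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
 ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-1111-2222-3333-513))
"""
# Hypothetical Unix group names; they must exist before the mapping is added.
UNIX_GROUPS = {"S-1-5-11": "authusers", "S-1-5-2": "network", "S-1-1-0": "everyone"}

if __name__ == "__main__":
    cmds, skipped = groupmap_commands(missing_sids(SAMPLE_LOG), UNIX_GROUPS)
    print("\n".join(cmds + ["review by hand: %s" % skipped]))
```

SIDs that are not in the well-known table, such as domain-relative ones, are returned in `skipped` so they can be checked by hand instead of being mapped automatically.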



