[Samba] ldapsam_getgroup

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Jun 8 04:38:56 MDT 2012


That looks good. Not all well known groups need to be mapped. Domain Admins is one of the groups that needs to be. I would add mappings for “Authenticated Users” and some of the other ones just to rule them out as causing problems, although I don’t really think that is the issue. I don’t make heavy use of group policies but I do see that “authenticated users” appears in some policies.

Group “33901” has such a high GID - is it allocated by Winbind or IDMAP? Can you post your sanitized idmap and group sections of smb.conf?

On my machine (Samba 3.5.x PDC, winbind/idmap not used for users or groups in the domain):

# pdbedit -Lv | more
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_DOMAIN_NAME))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server

My guess is that your system has allocated group 33901 as your default samba user group or some critical well known windows group. Maybe idmap created the group in one section of the ldap tree (or in a local TDB file) but the main samba process does not search for groups. What does the following show?

# wbinfo -g
# wbinfo --gid-info=33901

You can also use wbinfo to look up the gid from the SID or vice versa. Or you can browse the idmap-created groups with an LDAP editor.

From: Cédric Carlen [mailto:carlen.cedric at gmail.com] 
Sent: Friday, June 08, 2012 3:25 AM
To: gaiseric.vandal at gmail.com
Subject: Re: [Samba] ldapsam_getgroup

The net groupmap list gives me:

Domain Admins (S-1-5-21-2027065376-1956064403-1110974320-512) -> Domain Admins
Domain Users (S-1-5-21-2027065376-1956064403-1110974320-513) -> Domain Users
Domain Guests (S-1-5-21-2027065376-1956064403-1110974320-514) -> Domain Guests
Domain Computers (S-1-5-21-2027065376-1956064403-1110974320-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

2012/6/8 Cédric Carlen <carlen.cedric at gmail.com>

Hi,

When I run pdbedit -Lv Test there is a problem:

ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-2027065376-1956064403-1110974320-513] count=0

I have the SID S-1-5-21-2027065376-1956064403-1110974320-513, but not the gidNumber 39901 in my base.

Do you think that it could be the fact that samba doesn't recognize the password policy of LDAP?

Cédric

2012/6/8 Gaiseric Vandal <gaiseric.vandal at gmail.com>

Well known groups are things like "Domain Administrators" and
"Administrators" - they always have the same SID or RID (relative ID).
With an LDAP backend, you may have winbind/idmap automatically allocating
unix group IDs so this may be hidden from you. In my environment I
support Linux clients (ssh and nfs) so I still have to manage unix UIDs and
GIDs. It means I also have to create unix groups that represent any
windows groups.

On the unix server, as root in a unix session, can you see the owner, group
and permissions on the files you are creating from windows?    If you run
"pdbedit -Lv somesambauser" you should see the name of the unix account for
that user.    Is there a mismatch?   Can you set file permissions via unix
so that the windows users can see them?     Have you defined any force user,
force group or force mask options on the file share?





-----Original Message-----
From: Murthy [mailto:msganti8 at gmail.com]
Sent: Thursday, June 07, 2012 6:49 PM
To: gaiseric.vandal at gmail.com
Subject: Re: [Samba] ldapsam_getgroup

Hello:

I am not sure what you mean by setup Unix groups and domain mappings for
additional windows "well known groups".

I tried the following experiment. I changed the permissions on the directory
to 777 and mapped it to a share.
I am able to see all the directories in that share directory (i.e. all
sub-directories). However, I cannot see any individual files. The same thing
happens if I create new subdirectories. I can see newly created
sub-directories but I cannot see any individual files.

I have been working on this for about 3 days now. I am really frustrated why
things have to be so complicated.

Murthy



On Jun 7, 2012, at 9:46 AM, Gaiseric Vandal wrote:

> You may need to set up unix groups and domain mappings for some
> additional windows "well known groups"  (google for windows well known
> groups.)
>
>
>
>
> on my server I can see my group mappings:
>
> #  net groupmap list
> .....
> Domain Users (S-1-5-21-xxxxx-xxxx-xxxxx-513) -> Domain Users
> Administrators (S-1-5-32-544) -> Builtin Admins
> Domain Controllers (S-1-5-21-xxxxx-xxxx-xxxxx-516) -> Domain Controllers
> ....
> Authenticated Users (S-1-5-11) -> Authenticated Users
> Network (S-1-5-2) -> Network
> Everyone (S-1-1-0) -> Everyone
> ....
>
>
> So
>
> # net groupmap add ntgroup="Authenticated Users" unixgroup=xxx
> sid="S-1-5-11"
>
> Or you can update in ldap.
>
>
>
> On 06/07/12 05:56, Cédric Carlen wrote:
>> Hello, hello
>>
>> I'm writing you this email because when I want to set up a password
>> policy with LDAP, it isn't recognized by Samba.
>>
>> In the log I've got this:
>>
>>  ldapsam_getgroup: Did not find group, filter was
>> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
>>  ldapsam_getgroup: Did not find group, filter was
>> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))
>>  ldapsam_getgroup: Did not find group, filter was
>> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))
>>
>> When I look with LdapAdmin, I don't have SIDs like this. Why does LDAP check
>> these SIDs if they don't exist?
>>
>> Thanks for your help
>>
>> Flake
>>
>> P.S.: I don't paste files, because I don't know which one could help
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 
Cédric CARLEN
Élève-ingénieur à TELECOM Lille 1
Promotion FI15
☎ 06.59.42.81.55
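The thread above boils down to one check: which SIDs (and which gidNumber) did `ldapsam_getgroup` fail to resolve, and which of those already have an entry in `net groupmap list`? The script below, added here as an example and not part of the thread or of Samba itself, does that cross-check over embedded samples. The log lines and the `net groupmap list` output are constructed copies of what the thread shows, not captured from a live server; `UNIXGROUP` is a placeholder for a POSIX group the admin has to create first; and the `well_known_name` table only covers the SIDs and RIDs that appear in this thread. On a real PDC the two inputs would come from `grep ldapsam_getgroup` over the smbd log and from `net groupmap list`.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the SIDs and gidNumbers that
# ldapsam_getgroup could not resolve against `net groupmap list` output and print
# the `net groupmap add` commands (and gid lookups) that would close the gap.
# Real usage would be:
#   missing_mappings "$(grep ldapsam_getgroup /var/log/samba/log.smbd)" "$(net groupmap list)"
# Both inputs below are constructed samples so the script runs offline.

SAMBA_LOG='ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-2027065376-1956064403-1110974320-513] count=0'

GROUPMAP_LIST='Domain Admins (S-1-5-21-2027065376-1956064403-1110974320-512) -> Domain Admins
Domain Users (S-1-5-21-2027065376-1956064403-1110974320-513) -> Domain Users
Administrators (S-1-5-32-544) -> Administrators'

# SIDs that ldapsam_getgroup searched for and did not find, one per line, deduplicated.
unresolved_sids() {
    printf '%s\n' "$1" | sed -n 's/.*ldapsam_getgroup.*(sambaSID=\(S-[0-9-]*\)).*/\1/p' | sort -u
}

# gidNumbers that ldapsam_getgroup searched for and did not find.
unresolved_gids() {
    printf '%s\n' "$1" | sed -n 's/.*ldapsam_getgroup.*(gidNumber=\([0-9][0-9]*\)).*/\1/p' | sort -u
}

# True when the SID appears, in parentheses, in `net groupmap list` output.
sid_is_mapped() {
    printf '%s\n' "$2" | grep -qF -- "($1)"
}

# Windows name for the well-known/builtin SIDs and domain RIDs seen in the thread.
# Domain RIDs (512, 513, 516) sit behind the per-domain S-1-5-21-... prefix.
well_known_name() {
    case "$1" in
        S-1-1-0)         echo "Everyone" ;;
        S-1-5-2)         echo "Network" ;;
        S-1-5-11)        echo "Authenticated Users" ;;
        S-1-5-32-544)    echo "Administrators" ;;
        S-1-5-21-*-512)  echo "Domain Admins" ;;
        S-1-5-21-*-513)  echo "Domain Users" ;;
        S-1-5-21-*-516)  echo "Domain Controllers" ;;
        *)               echo "UNKNOWN-$1" ;;
    esac
}

# One `net groupmap add` per unresolved SID that has no mapping yet.
# UNIXGROUP is a placeholder: create a real POSIX group (in LDAP) and substitute it.
missing_mappings() {
    log="$1"; list="$2"
    for sid in $(unresolved_sids "$log"); do
        if ! sid_is_mapped "$sid" "$list"; then
            printf 'net groupmap add ntgroup="%s" unixgroup=UNIXGROUP sid="%s"\n' \
                "$(well_known_name "$sid")" "$sid"
        fi
    done
}

# For every unresolved gidNumber, the two lookups that show who owns that gid
# (the NSS view and the winbind/idmap view can disagree, which is the thread's suspicion).
gid_checks() {
    for gid in $(unresolved_gids "$1"); do
        printf 'getent group %s; wbinfo --gid-info=%s\n' "$gid" "$gid"
    done
}

missing_mappings "$SAMBA_LOG" "$GROUPMAP_LIST"
gid_checks "$SAMBA_LOG"
```

With the samples above it prints three `net groupmap add` lines (Everyone, Authenticated Users, Network) and one pair of lookups for gid 39901; a SID that is already in the groupmap list, such as S-1-5-32-544, produces nothing. Run the printed commands only after the target unix group exists, otherwise `net groupmap add` will refuse the mapping.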