[Samba] ldapsam_getgroup
Gaiseric Vandal
gaiseric.vandal at gmail.com
Fri Jun 8 07:15:38 MDT 2012
Is this machine configured as a PDC?
I partially misread your earlier e-mail - I missed that you had typed
"pdbedit -Lv Test" rather than "pdbedit -Lv".
What does "getent passwd Test" show? I would guess it will show that
Test has a primary group of "39901". I would guess that group "39901"
does not exist OR is in a part of the ldap tree that samba does not
search for groups. You could have samba configured (in smb.conf) to
create idmap entries in "ou=idmap,dc=mydomain,dc=com" while your "ldap
group suffix" points to "ou=groups,dc=mydomain,dc=com".
You may want to explicitly set your user's primary group to a group you
know is valid. In my setup, users have a primary group called, for
example, "research". The research group is defined in ldap as both a
unix group and windows group. It has a SID so that "net groupmap list"
will show it as a valid mapping. I have a lot of ldap groups - they
don't all need to be defined as samba (windows) groups but any groups
that are either "well known windows" groups or primary user groups are.
On 06/08/12 08:18, Cédric Carlen wrote:
> The wbinfo command doesn't work in my server ^^,
>
> but when I type pdbedit -Lv | more, I've got:
>
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAINTEST))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> The LDAP server is successfully connected
> smbldap_search_paged: base => [dc=my,dc=test], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
> smbldap_search_paged: search was successful
> init_sam_from_ldap: Entry found for user: root
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> init_sam_from_ldap: Entry found for user: nobody
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=65534))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=65534))
> init_sam_from_ldap: Entry found for user: kimdotcom
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> init_sam_from_ldap: Entry found for user: Test
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> init_sam_from_ldap: Entry found for user: test1
> init_group_from_ldap: Entry found for group: 513
>
>
> 2012/6/8 Gaiseric Vandal <gaiseric.vandal at gmail.com>
>
> That looks good. Not all well known groups need to be mapped.
> Domain Admins is one of the groups that needs to be. I would
> add mappings for “Authenticated Users” and some of the other ones
> just to rule them out as causing problems, although I don’t really
> think it is the issue. I don’t make heavy use of group policies but
> I do see that “authenticated users” appear in some policies.
>
> Group “33901” has such a high GID - is it allocated by Winbind or
> IDMAP? Can you post your sanitized idmap and group sections of
> smb.conf?
>
> On my machine (Samba 3.5.x PDC, winbind/idmap not used for users
> or groups in the domain)
>
> # pdbedit -Lv | more
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_DOMAIN_NAME))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
>
> My guess is that your system has allocated group 33901 as your
> default samba user group or some critical well known windows
> group. Maybe idmap created the group in one section of the
> ldap tree (or in a local TDB file ) but the main samba process
> does not search for groups. What does the following show?
>
> #wbinfo -g
> #wbinfo --gid-info=33901
>
> You can also use wbinfo to look up the gid from sid or vice versa.
> Or you can browse the idmap created groups with an ldap editor.
>
> *From:* Cédric Carlen [mailto:carlen.cedric at gmail.com]
> *Sent:* Friday, June 08, 2012 3:25 AM
> *To:* gaiseric.vandal at gmail.com
> *Subject:* Re: [Samba] ldapsam_getgroup
>
> The net groupmap list gives me:
>
> Domain Admins (S-1-5-21-2027065376-1956064403-1110974320-512) -> Domain Admins
> Domain Users (S-1-5-21-2027065376-1956064403-1110974320-513) -> Domain Users
> Domain Guests (S-1-5-21-2027065376-1956064403-1110974320-514) -> Domain Guests
> Domain Computers (S-1-5-21-2027065376-1956064403-1110974320-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
>
> 2012/6/8 Cédric Carlen <carlen.cedric at gmail.com>
>
> Hi,
>
> When I run pdbedit -Lv Test there is a problem:
>
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-2027065376-1956064403-1110974320-513] count=0
>
> I have the SID S-1-5-21-2027065376-1956064403-1110974320-513, but
> not the gidNumber 39901 in my base.
>
> Do you think that it could be the fact that samba doesn't
> recognize the password policy of LDAP ???
>
> Cédric
>
> 2012/6/8 Gaiseric Vandal <gaiseric.vandal at gmail.com>
>
> Well known groups are things like "Domain Administrators" and
> "Administrators" - they always have the same SID or RID (relative ID).
> With an LDAP backend, you may have winbind/idmap automatically allocating
> unix group ids so this may be hidden from you. In my environment I
> support linux clients (ssh and nfs) so I still have to manage unix uids and
> gids. It means I also have to create unix groups that represent any
> windows groups.
>
> On the unix server, as root in a unix session, can you see the
> owner, group and permissions on the files you are creating from
> windows? If you run "pdbedit -Lv somesambauser" you should see the
> name of the unix account for that user. Is there a mismatch? Can
> you set file permissions via unix so that the windows users can see
> them? Have you defined any force user, force group or force mask
> options on the file share?
>
> -----Original Message-----
> From: Murthy [mailto:msganti8 at gmail.com]
> Sent: Thursday, June 07, 2012 6:49 PM
> To: gaiseric.vandal at gmail.com
> Subject: Re: [Samba] ldapsam_getgroup
>
> Hello:
>
> I am not sure what you mean by setup Unix groups and domain
> mappings for additional windows "well known groups".
>
> I tried the following experiment. I changed the permissions on the
> directory to 777 and mapped it to a share.
> I am able to see all the directories in that share directory (i.e. all
> sub-directories). However, I cannot see any individual files. Same
> thing happens if I create new subdirectories. I can see newly created
> sub-directories but I cannot see any individual files.
>
> I have been working on this for about 3 days now. I am really
> frustrated why things have to be so complicated.
>
> Murthy
>
> On Jun 7, 2012, at 9:46 AM, Gaiseric Vandal wrote:
>
> > You may need to set up unix groups and domain mappings for some
> > additional windows "well known groups" (google for windows well
> > known groups.)
> >
> > on my server I can see my group mappings:
> >
> > # net groupmap list
> > .....
> > Domain Users (S-1-5-21-xxxxx-xxxx-xxxxx-513) -> Domain Users
> > Administrators (S-1-5-32-544) -> Builtin Admins
> > Domain Controllers (S-1-5-21-xxxxx-xxxx-xxxxx-516) -> Domain Controllers
> > ....
> > Authenticated Users (S-1-5-11) -> Authenticated Users
> > Network (S-1-5-2) -> Network
> > Everyone (S-1-1-0) -> Everyone
> > ....
> >
> > So
> >
> > #net groupmap add ntgroup="Authenticated Users " unixgroup=xxx rid="S-1-5-11"
> >
> > Or you can update in ldap.
> >
> > On 06/07/12 05:56, Cédric Carlen wrote:
> >> Hello, hello
> >>
> >> I'm writing you this email because when I want to set up a password
> >> policy with LDAP, this one isn't recognized by samba.
> >>
> >> In the log I've got this:
> >>
> >> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
> >> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))
> >> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))
> >>
> >> When I look with LdapAdmin, I don't have SIDs like this. Why does
> >> ldap check these SIDs if they don't exist?
> >>
> >> Thanks for your help
> >>
> >> Flake
> >>
> >> P.S.: I don't paste files, because I don't know which one could help
> >>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> --
> Cédric CARLEN
> Élève-ingénieur à TELECOM Lille 1
> Promotion FI15
> ☎06.59.42.81.55
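As an added example (not from this thread or from the Samba project), a small Python helper that parses the "pdbedit -Lv" debug lines quoted above into the per-user group lookups that found no sambaGroupMapping entry, and builds the LDIF for the fix suggested in the thread: adding sambaSID and sambaGroupType to an existing posixGroup so the group is both a unix group and a Samba group. The sample log and the group DN cn=research,ou=groups,dc=my,dc=test are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of the pdbedit -Lv debug output quoted in the thread
# (the mail client wrapped the "filter was" lines; real output is one line each).
PDBEDIT_LOG = """\
init_sam_from_ldap: Entry found for user: root
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
init_sam_from_ldap: Entry found for user: Test
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
init_sam_from_ldap: Entry found for user: test1
init_group_from_ldap: Entry found for group: 513
"""

USER_RE = re.compile(r"init_sam_from_ldap: Entry found for user: (\S+)")
MISSING_RE = re.compile(r"ldapsam_getgroup: Did not find group, filter was "
                        r"\(&\(objectClass=sambaGroupMapping\)\((gidNumber|sambaSID)=([^)]+)\)\)")

def unmapped_groups(log):
    """Return {user: {(attribute, value), ...}} for each lookup that found no
    sambaGroupMapping entry; users whose groups all resolved are omitted."""
    missing = defaultdict(set)
    user = None
    for line in log.splitlines():
        m = USER_RE.search(line)
        if m:
            user = m.group(1)  # later failures belong to this user
            continue
        m = MISSING_RE.search(line)
        if m and user is not None:
            missing[user].add((m.group(1), m.group(2)))
    return dict(missing)

def groupmap_ldif(group_dn, sid, display_name):
    """LDIF modify that adds the sambaGroupMapping auxiliary class to an existing
    posixGroup so Samba treats it as a domain group (sambaGroupType 2).
    group_dn and display_name are hypothetical; sid must be a SID of your domain."""
    return "\n".join([
        f"dn: {group_dn}", "changetype: modify",
        "add: objectClass", "objectClass: sambaGroupMapping", "-",
        "add: sambaSID", f"sambaSID: {sid}", "-",
        "add: sambaGroupType", "sambaGroupType: 2", "-",
        "add: displayName", f"displayName: {display_name}", "",
    ])
```

Apply the LDIF with ldapmodify, then confirm with "net groupmap list" and "getent group" that the gid now resolves on both sides.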