[Samba] Samba PDC group list empty
Andrej Šimko
andrej.simko at gmail.com
Fri Nov 23 01:11:04 MST 2012
Dear samba users,
I have a very strange problem. I have a Samba PDC up and running, but one
thing is missing: I cannot see any Domain Groups at all.
Here is my config:
Debian Squeeze:
ii  samba             2:3.5.6~dfsg-3squeeze8  SMB/CIFS file, print, and login server for Unix
ii  samba-common      2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
ii  samba-common-bin  2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
ii  samba-doc         2:3.5.6~dfsg-3squeeze8  Samba documentation
/etc/samba/smb.conf
[global]
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = EXAMPLE
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
syslog = 0
time server = Yes
log file = /var/log/samba/samba.log
log level = 3
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
delete user script = /usr/sbin/smbldap-userdel %u -r %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
domain logons = Yes
os level = 10
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=example,dc=sk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=example,dc=sk
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0644
directory mask = 0700
browseable = No
path = /data/samba/homes
[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
read only = No
guest ok = Yes
locking = No
share modes = No
[profiles]
comment = Users profiles
path = /data/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
hide files = /desktop.ini/
browseable = No
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 127.0.0.1
base dc=example,dc=sk
binddn cn=admin,dc=example,dc=sk
bindpw secret
bind_policy soft
pam_password exop
timelimit 15
nss_base_passwd ou=Users,dc=example,dc=sk
nss_base_shadow ou=Users,dc=example,dc=sk
nss_base_group ou=Groups,dc=example,dc=sk
net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
net groupmap list
Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
The strange thing is, if I try to search for groups on Win XP, I see in the logs:
smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))],scope => [2], pagesize => [1024]
If I try to search in LDAP with that filter, I always get zero matches.
I also tried to use wbinfo: wbinfo -u lists all my users, but the wbinfo -g
list is empty. If I try getent passwd and getent group, I see all my users
and groups.
Can somebody help me with this?
Thank you!
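
The group-enumeration filter from the log above can be checked clause by clause against an LDIF export of ou=Groups, which shows which condition each entry fails. This is an added example, not part of the original post or of Samba; the sample entries, the function names and the simplified matching (case-insensitive equality, trailing-`*` prefix only) are assumptions.

```python
import re

# Filter copied from the first smbldap_search_paged log line in the post.
LOGGED_FILTER = ("(&(objectclass=sambaGroupMapping)(sambaGroupType=2)"
                 "(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))")

# Constructed sample entries (not from the post), shaped like an LDIF export.
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,dc=example,dc=sk
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-2390795950-2727105968-4008069955-513
sambaGroupType: 2

dn: cn=staff,ou=Groups,dc=example,dc=sk
objectClass: posixGroup

dn: cn=Print Operators,ou=Groups,dc=example,dc=sk
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-550
sambaGroupType: 4
"""

def parse_ldif(text):
    """Return {dn: {attribute_lowercase: [values]}} for simple, unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def clause_matches(attrs, attr, pattern):
    """Simplified match: case-insensitive equality, or prefix if pattern ends in '*'."""
    values = [v.lower() for v in attrs.get(attr.lower(), [])]
    pat = pattern.lower()
    if pat.endswith("*"):
        return any(v.startswith(pat[:-1]) for v in values)
    return pat in values

def failing_clauses(entries, flt):
    """Map each DN to the filter clauses it does NOT satisfy (empty list = match)."""
    clauses = re.findall(r"\(([^()=&]+)=([^()]*)\)", flt)  # flat AND filters only
    return {dn: [f"({a}={p})" for a, p in clauses if not clause_matches(attrs, a, p)]
            for dn, attrs in entries.items()}

if __name__ == "__main__":
    print(failing_clauses(parse_ldif(SAMPLE_LDIF), LOGGED_FILTER))
```

An entry that reports `(sambaGroupType=2)` or the `sambaSID` clause as failing would be visible to `getent group` through its POSIX attributes yet be skipped by the search Samba logged.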