[Samba] Samba PDC group list empty

Andrej Šimko andrej.simko at gmail.com
Fri Nov 23 01:11:04 MST 2012


Dear samba users,

I have a very strange problem. I have a Samba PDC up and running, but one
thing is missing: I cannot see any Domain Groups at all.
Here is my config:

Debian Squeeze:
ii  samba                               2:3.5.6~dfsg-3squeeze8
SMB/CIFS file, print, and login server for Unix
ii  samba-common                        2:3.5.6~dfsg-3squeeze8       common
files used by both the Samba server and client
ii  samba-common-bin                    2:3.5.6~dfsg-3squeeze8       common
files used by both the Samba server and client
ii  samba-doc                           2:3.5.6~dfsg-3squeeze8       Samba
documentation

/etc/samba/smb.conf
[global]
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = EXAMPLE
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
syslog = 0
time server = Yes
log file = /var/log/samba/samba.log
log level = 3
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
delete user script = /usr/sbin/smbldap-userdel %u -r %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
domain logons = Yes
os level = 10
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=example,dc=sk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=example,dc=sk
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0644
    directory mask = 0700
    browseable = No
    path = /data/samba/homes

[netlogon]
    comment = Network Logon Service
    path = /data/samba/netlogon
    read only = No
    guest ok = Yes
    locking = No
    share modes = No

[profiles]
    comment = Users profiles
    path = /data/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    hide files = /desktop.ini/
    browseable = No

/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 127.0.0.1
base dc=example,dc=sk
binddn cn=admin,dc=example,dc=sk
bindpw secret
bind_policy soft
pam_password exop
timelimit 15

nss_base_passwd ou=Users,dc=example,dc=sk
nss_base_shadow ou=Users,dc=example,dc=sk
nss_base_group  ou=Groups,dc=example,dc=sk

net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

net groupmap list
Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain
Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain
Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain
Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators


The strange thing is, if I try to search for groups from Windows XP, I see the following in the logs:
smbldap_search_paged: base => [dc=example,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
=> [2], pagesize => [1024]
  smbldap_search_paged: base => [dc=example,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
=> [2], pagesize => [1024]
  smbldap_search_paged: base => [dc=example,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))],scope
=> [2], pagesize => [1024]

If I search LDAP with that same filter, I always get zero matches.

I also tried wbinfo: wbinfo -u lists all my users, but wbinfo -g returns an
empty list. With getent passwd and getent group I see all my users and
groups.
Can somebody help me with this?

Thank you!

