[Samba] Samba PDC group list empty
Harry Jede
walk2sun at arcor.de
Tue Nov 27 06:46:10 MST 2012
Hi Simo,
please post to the list!!!
> On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede <walk2sun at arcor.de> wrote:
> > Hi Simo,
> >
> > > Hi this is my listing:
> > >
> > > net -U administrator rpc group members Administrators
> > > Enter administrator's password:
> > > Couldn't list alias members
> >
> > Your samba server WILL not list the members of this global group,
> > mostly a security issue.
>
> User administrator has all rights, so I don't think it is a security
> issue. Or do you know some checks that I could try?
>
> > > ldapsearch -xLLL
> > > '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> > > (sambaSID=S-1-5-32*))'
> > >
> > > ldapsearch -xLLL
> > > '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> > > (sambaSID=*))'
> > > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > > objectClass: sambaSidEntry
> > > objectClass: sambaGroupMapping
> > > sambaSID: S-1-5-32-545
> > > sambaGroupType: 4
> > > displayName: Users
> > > gidNumber: 10000
> > > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
> >
> > Your LDAP client WILL list the group members.
> >
> > > Do you know what does this mean?
> >
> > The reason is often "wrongly configured" smbldap-tools. Check the
> > /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.
>
> > SID in smbldap.conf is:
> SID="S-1-5-21-2390795950-2727105968-4008069955"
>
> So that is correct.
>
> > > > > net getdomainsid
> > > > > SID for local machine HOST is:
> > > > > S-1-5-21-2242576961-186067218-2214866780 SID for domain
> > > > > EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
> >
> > Your server and your domain have different SIDs; that may be your
> > problem. Try:
> > # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955
> >
> > and restart samba.
>
> Tried that, nothing changed.
Post:
net getdomainsid
Do the following steps (enclosed with ###) in order
###
I compared my smb.conf with yours. I have "ldap suffix" before
"ldap group suffix".
ldap suffix = dc=europa,dc=xx
ldap admin dn = cn=admin,dc=europa,dc=xx
ldap group suffix = ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix = ou=machines,ou=accounts
and I have NOT installed winbindd!
###
Check if you have the groups defined in LDAP and in /etc/groups. The
groups should only be in LDAP.
###
Check the admin account in LDAP:
# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx
Check that your ldap admin password is OK.
# tdbdump /var/lib/samba/secrets.tdb
look for:
{
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
data(12) = "ThePassword\00"
}
Try to bind with this password:
# ldapsearch -xLLL -D "cn=admin,dc=europa,dc=xx" -w ThePassword \
  "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"
Check if root gets the same result:
# ldapsearch -LLLY external -H ldapi:/// \
  "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
###
At last, search for duplicate names:
# ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn
You should get one result.
>
> > > Thanks.
> >
> > --
> >
> > regards
> >
> > Harry Jede
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
--
Gruss
Harry Jede
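As an added illustration (not code from this thread or from Samba): a small Python check over the output of the ldapsearch commands above. It flags the two faults discussed here, a sambaSID or sambaSIDList member that belongs to neither the domain SID from smbldap.conf nor the BUILTIN domain, and group names that appear in more than one sambaGroupMapping entry. The LDIF and SID values are constructed from the ones quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample: two sambaGroupMapping entries as "ldapsearch -LLL" prints them.
# The second one carries a RID under the *local machine* SID quoted in the thread.
SAMPLE_LDIF = """dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

dn: cn=users,ou=Groups,dc=example,dc=sk
objectClass: sambaGroupMapping
cn: users
sambaSID: S-1-5-21-2242576961-186067218-2214866780-1001
"""

DOMAIN_SID = "S-1-5-21-2390795950-2727105968-4008069955"  # SID= from smbldap.conf
BUILTIN_SID = "S-1-5-32"  # domain part of the well-known BUILTIN aliases (Users, Administrators)

def parse_ldif(text):
    """Split LDIF into entries: lower-cased attribute name -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ": " in line:  # only plain "attr: value" lines matter for this check
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def sid_domain(sid):
    return sid.rsplit("-", 1)[0]  # everything before the final RID: S-1-5-32-545 -> S-1-5-32

def check_group_mappings(entries, domain_sid):
    """Return problem strings: SIDs outside the domain/BUILTIN, and duplicate group names."""
    problems, names = [], Counter()
    for e in entries:
        if "sambagroupmapping" not in (c.lower() for c in e.get("objectclass", [])):
            continue
        dn = e["dn"][0]
        for sid in e.get("sambasid", []) + e.get("sambasidlist", []):
            if sid_domain(sid) not in (domain_sid, BUILTIN_SID):
                problems.append(f"{dn}: SID {sid} belongs to neither the domain nor BUILTIN")
        for name in {n.lower() for n in e.get("cn", []) + e.get("displayname", [])}:
            names[name] += 1  # one vote per entry, like the (|(cn=..)(displayname=..)) search
    problems += [f"name '{n}' is used by {c} group mapping entries" for n, c in names.items() if c > 1]
    return problems
```

Feed it the real output of `ldapsearch -xLLL '(objectclass=sambaGroupMapping)'` and the SID from smbldap.conf; an empty list means the mappings are consistent with the domain SID and no group name is defined twice.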