[Samba] Samba PDC group list empty

Harry Jede walk2sun at arcor.de
Tue Nov 27 06:46:10 MST 2012


Hi Simo,
please post to the list !!!

> On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede <walk2sun at arcor.de> wrote:
> > Hi Simo,
> > 
> > > Hi this is my listing:
> > > 
> > > net -U administrator rpc group members Administrators
> > > Enter administrator's password:
> > > Couldn't list alias members
> > 
> > Your samba server WILL not list the members of this global group,
> > mostly a security issue.
> 
> User administrator has all rights, so I don't think it is a security
> issue. Or do you know some checks that I could try?
> 
> > > ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))'
> > > 
> > > ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=*))'
> > > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > > objectClass: sambaSidEntry
> > > objectClass: sambaGroupMapping
> > > sambaSID: S-1-5-32-545
> > > sambaGroupType: 4
> > > displayName: Users
> > > gidNumber: 10000
> > > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
> > 
> > Your LDAP client WILL list the group members.
> > 
> > > Do you know what does this mean?
> > 
> > The reason is often "wrong configured" smbldap-tools. Check the
> > /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.
> 
> > SID in smbldap.conf is:
> SID="S-1-5-21-2390795950-2727105968-4008069955"
> 
> So that is correct.
> 
> > > > > net getdomainsid
> > > > > SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
> > > > > SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
> > 
> > Your server and your domain have different SIDs, that may be your
> > problem. Try:
> > # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955
> > 
> > and restart samba.
> 
> Tried that, nothing changed.
Post the output of:
# net getdomainsid


Do the following steps (enclosed with ###) in order
###

I compared my smb.conf with yours. I have "ldap suffix" before
 "ldap group suffix".

        ldap suffix          = dc=europa,dc=xx
        ldap admin dn        = cn=admin,dc=europa,dc=xx
        ldap group suffix    = ou=groups
        ldap user suffix     = ou=people,ou=accounts
        ldap machine suffix  = ou=machines,ou=accounts

and I have NOT installed winbindd!

###
Check if you have the groups defined in LDAP and in /etc/groups. The 
groups should only be in LDAP.

###
check the admin account in ldap:

# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx

Check that your ldap admin password is OK.
# tdbdump /var/lib/samba/secrets.tdb

look for:
{
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
data(12) = "ThePassword\00"
}



Try to bind with this password:
# ldapsearch -xLLL -D "cn=admin,dc=europa,dc=xx" -w ThePassword "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"


Check if root gets the same result:
# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null

###

Finally, search for duplicate names:
# ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn



You should get one result.
> 
> > > Thanks.
> > 
> > --
> > 
> > regards
> > 
> >         Harry Jede
> > 


-- 

Gruss
	Harry Jede
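A script that runs the checks from the steps above over captured command output, added here as an example; it is not part of the post and not Samba's own tooling. The sample outputs embedded in it are constructed from the values in this thread (DNs unified under dc=example,dc=sk, the bind password ThePassword from the tdbdump excerpt, the two SIDs from net getdomainsid); the second group entry cn=users is invented to show what the duplicate-name search catches. To use it on a real server, replace the sample strings with the output of net getdomainsid, the contents of smbldap.conf and smb.conf, a tdbdump of secrets.tdb and the LDIF from the ldapsearch above.

```python
"""Consistency checks over the outputs the post asks for.  Added example, not
Samba code; sample inputs are constructed from the thread's values (DNs unified
under dc=example,dc=sk) and the second group entry is invented as a duplicate."""
import re

SID_RE = r"S-1-5-21(?:-\d+){3}"
NET_GETDOMAINSID = """\
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
"""
SMBLDAP_CONF = 'SID="S-1-5-21-2390795950-2727105968-4008069955"\n'
SMB_CONF = """\
        ldap suffix   = dc=example,dc=sk
        ldap admin dn = cn=admin,dc=example,dc=sk
"""
TDBDUMP = """\
{
key(46) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=example,dc=sk"
data(12) = "ThePassword\\00"
}
"""
GROUPS_LDIF = """\
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users

dn: cn=users,ou=Groups,dc=example,dc=sk
objectClass: sambaGroupMapping
cn: users
sambaSID: S-1-5-21-2390795950-2727105968-4008069955-1001
sambaGroupType: 2
"""

def parse_getdomainsid(text):
    """(local_sid, domain_sid) from `net getdomainsid` output."""
    local = re.search(r"SID for local machine \S+ is: (%s)" % SID_RE, text)
    domain = re.search(r"SID for domain \S+ is: (%s)" % SID_RE, text)
    if not (local and domain):
        raise ValueError("unexpected net getdomainsid output")
    return local.group(1), domain.group(1)

def smbldap_sid(conf):
    """SID= setting of smbldap.conf; must be the domain SID, not the machine SID."""
    m = re.search(r'^\s*SID\s*=\s*"?(%s)"?' % SID_RE, conf, re.M)
    return m.group(1) if m else None

def smbconf_param(conf, name):
    """Value of an smb.conf parameter; Samba ignores case and whitespace in names."""
    want = re.sub(r"\s+", "", name).lower()
    for line in conf.splitlines():
        key, eq, val = line.partition("=")
        if eq and not key.lstrip().startswith(("#", ";", "[")) \
                and re.sub(r"\s+", "", key).lower() == want:
            return val.strip()
    return None

def ldap_bind_secrets(dump):
    """bind DN -> password for each SECRETS/LDAP_BIND_PW record in tdbdump output.
    tdbdump prints non-printable bytes as \\XX hex; the stored value ends in a NUL."""
    rec = re.compile(r'key\(\d+\) = "SECRETS/LDAP_BIND_PW/([^"]+)"\ndata\(\d+\) = "(.*)"$', re.M)
    unhex = lambda m: chr(int(m.group(1), 16))
    return {dn: re.sub(r"\\([0-9A-Fa-f]{2})", unhex, raw).rstrip("\x00")
            for dn, raw in rec.findall(dump)}

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values): list of {attr.lower(): [values]}."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:        # folded continuation line
            cur[last][-1] += line[1:]
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(val.strip())
    return entries

def group_name_matches(entries, name):
    """DNs whose cn, displayName or uid equals name: what the post's last ldapsearch returns."""
    n = name.lower()
    return [e["dn"][0] for e in entries
            if any(v.lower() == n for a in ("cn", "displayname", "uid") for v in e.get(a, []))]

def run_checks():
    """Run the post's checks over the samples; returns {check: (ok, detail)}."""
    local, domain = parse_getdomainsid(NET_GETDOMAINSID)
    admin_dn = smbconf_param(SMB_CONF, "ldap admin dn")
    hits = group_name_matches(parse_ldif(GROUPS_LDIF), "users")
    return {
        "machine SID equals domain SID": (local == domain, "%s vs %s" % (local, domain)),
        "smbldap.conf SID equals domain SID": (smbldap_sid(SMBLDAP_CONF) == domain, domain),
        "ldap admin dn has a bind password in secrets.tdb": (admin_dn in ldap_bind_secrets(TDBDUMP), admin_dn),
        "exactly one sambaGroupMapping named users": (len(hits) == 1, "; ".join(hits)),
    }

if __name__ == "__main__":
    for check, (ok, detail) in run_checks().items():
        print("[%s] %s: %s" % ("OK" if ok else "FAIL", check, detail))
```

On the constructed sample two checks fail: the machine SID differs from the domain SID (the case for net setlocalsid) and the name search returns two group mappings instead of one. The bind-password check only tells you that secrets.tdb holds a password for the configured ldap admin dn; whether that password is still accepted by the LDAP server is what the ldapsearch -D ... -w step above verifies.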

