[Samba] Samba PDC group list empty

Harry Jede walk2sun at arcor.de
Tue Nov 27 13:08:32 MST 2012 

On 20:15:56 wrote Andrej Šimko:
> net getdomainsid
> SID for local machine HOST is:
> S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
> S-1-5-21-2390795950-2727105968-4008069955
> 
> I compared my smb.conf with yours. I have "ldap suffix" before
>  "ldap group suffix".
> 
> I switched that but result still the same.
> 
>  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
> dn: cn=admin,dc=example,dc=sk
> 
> tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
> 
> ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
> =users)))" 2>/dev/null
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 10000
> sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Sorry, that I haven't seen this in your mail at 09:07

This is a working group object:

# ldapsearch -LLLY external -H ldapi:///  
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))"  2>/dev/null
dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users


The main difference ist the objectclass posixGroup instead of 
sambaSidEntry.
Samba Group Mapping is not a simple task. Your definition with 
objectclass=sambasidentry is not totally wrong, but the intended use is 
that you store your posixgroups in /etc/group or in NIS.
With an LDAP backend that is not the best approach.

Here the three standard definitions with objectclass=posixgroup

###
A primary group: posix and windows primary
members should NOT stored here

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

# getent group teachers
teachers:*:1001:

# net  rpc group members teachers
# <nothing>



###
A regular group in posix, a global group in windows
members are stored in memberUid

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

# getent group domainadmins
DomainAdmins:*:512:Administrator,root


# Asking for the Windows name, which is stored in "displayName"
# net rpc group members "domain admins"
EUROPA\Administrator
EUROPA\root

# Asking for the posix name, which is stored in "cn"
# net rpc group members domainadmins
EUROPA\Administrator
EUROPA\root


###
A windows/samba builtin group
no posix members
Windows members must be stored in sambaSIDList. These type of groups 
will be used in Windows OS (client and/or server)

# ldapsearch -LLLY external -H ldapi:///  
"(&(objectclass=sambaGroupMapping)(cn=administrators))"  2>/dev/null
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators


# getent group administrators
Administrators:*:544:

# net rpc group members administrators
EUROPA\Domain Admins

###
-- 

Gruss
	Harry Jede

More information about the samba mailing list