[Samba] Samba PDC group list empty

Andrej Šimko andrej.simko at gmail.com
Thu Nov 29 10:30:24 MST 2012


Hello again,

I do not know what

On Tue, Nov 27, 2012 at 9:08 PM, Harry Jede <walk2sun at arcor.de> wrote:

> On 20:15:56 wrote Andrej Šimko:
> > net getdomainsid
> > SID for local machine HOST is:
> > S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
> > S-1-5-21-2390795950-2727105968-4008069955
> >
> > I compared my smb.conf with yours. I have "ldap suffix" before
> >  "ldap group suffix".
> >
> > I switched that but result still the same.
> >
> >  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
> > dn: cn=admin,dc=example,dc=sk
> >
> > tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
> >
> > ldapsearch -LLLY external -H ldapi:///
> > "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
> > =users)))" 2>/dev/null
> > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > objectClass: sambaSidEntry
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-32-545
> > sambaGroupType: 4
> > displayName: Users
> > gidNumber: 10000
> > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
>
> Sorry that I haven't seen this in your mail at 09:07
>
> This is a working group object:
>
> # ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
> (uid=users)))"  2>/dev/null
> dn: cn=users,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 545
> cn: users
> description: Netbios Domain Users
> sambaSID: S-1-5-32-545
> sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
> sambaGroupType: 4
> displayName: Users
>
>
> The main difference is the objectclass posixGroup instead of
> sambaSidEntry.
> Samba Group Mapping is not a simple task. Your definition with
> objectclass=sambasidentry is not totally wrong, but the intended use is
> that you store your posixgroups in /etc/group or in NIS.
> With an LDAP backend that is not the best approach.
>
>
I don't understand what you are trying to say :(
Do you think that if I have all the necessary groups in /etc/group or in NIS,
then the Windows computer will find the groups in the domain?


I still don't understand why the LDAP search filter generated by Samba (I have
this from the Samba log) cannot find anything in the database:
  smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
=> [2], pagesize => [1024]
[2012/11/29 18:15:14.227560,  3] lib/smbldap.c:1591(smbldap_search_paged)
  smbldap_search_paged: search was successful
[2012/11/29 18:15:14.227647,  3]
rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 0

If I remove sambaSID and try to find it in ldap, I will get all my groups.
Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))

Is this normal behavior, or could my LDAP configuration be incorrect?





> Here the three standard definitions with objectclass=posixgroup
>
> ###
> A primary group: posix and windows primary
> members should NOT be stored here
>
> dn: cn=teachers,ou=groups,dc=europa,dc=xx
> cn: teachers
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 1001
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
> sambaGroupType: 2
> displayName: teachers
>
> # getent group teachers
> teachers:*:1001:
>
> # net  rpc group members teachers
> # <nothing>
>
>
>
> ###
> A regular group in posix, a global group in windows
> members are stored in memberUid
>
> dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: DomainAdmins
> memberUid: Administrator
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> # getent group domainadmins
> DomainAdmins:*:512:Administrator,root
>
>
> # Asking for the Windows name, which is stored in "displayName"
> # net rpc group members "domain admins"
> EUROPA\Administrator
> EUROPA\root
>
> # Asking for the posix name, which is stored in "cn"
> # net rpc group members domainadmins
> EUROPA\Administrator
> EUROPA\root
>
>
> ###
> A windows/samba builtin group
> no posix members
> Windows members must be stored in sambaSIDList. These types of groups
> will be used in Windows OS (client and/or server)
>
> # ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(cn=administrators))"  2>/dev/null
> dn: cn=Administrators,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the computer
> sambaSID: S-1-5-32-544
> sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
> sambaGroupType: 4
> displayName: Administrators
>
>
> # getent group administrators
> Administrators:*:544:
>
> # net rpc group members administrators
> EUROPA\Domain Admins
>
> ###
> --
>
> Gruss
>         Harry Jede
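The filter Samba logged above, worked through as an added example that is not part of this thread: a small stdlib-only LDAP filter matcher (assumed helper names; constructed LDIF modelled on the entries quoted in the thread) evaluates Samba's query and the relaxed one against both kinds of group object, which shows that a builtin group such as S-1-5-32-545 (type 4) is never returned by the domain-group query, and that the SID prefix in the filter must be the domain SID that `net getdomainsid` reports.

```python
import re
# Constructed LDIF modelled on the thread's entries: the poster's builtin "Users"
# object (type 4) and a domain group (type 2) under the SID from the logged filter.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4

dn: cn=teachers,ou=Groups,dc=example,dc=sk
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-2390795950-2727105968-4008069955-3003
sambaGroupType: 2
"""

def samba_group_filter(domain_sid="S-1-5-21-2390795950-2727105968-4008069955"):
    """The filter Samba logged: type-2 (domain) groups whose SID lies under domain_sid."""
    return f"(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID={domain_sid}*))"

def parse_ldif(text):
    """LDIF blocks -> list of {lower-cased attribute: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entries.append({})
        for key, _, value in (line.partition(": ") for line in block.splitlines()):
            entries[-1].setdefault(key.lower(), []).append(value)
    return entries

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (attr=pattern)."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    attr, _, pattern = s[i + 1:s.index(")", i)].partition("=")
    return ("=", attr.lower(), pattern), s.index(")", i) + 1

def matches(node, entry):
    """Case-insensitive equality, presence (*) and substring match, per the Samba schema."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, pattern = node
    regex = "^" + ".*".join(map(re.escape, pattern.split("*"))) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in entry.get(attr, []))

def search(ldif, filter_string):
    """DNs of the entries the filter selects."""
    return [e["dn"][0] for e in parse_ldif(ldif) if matches(parse_filter(filter_string)[0], e)]
```

Running `search(SAMPLE_LDIF, samba_group_filter())` returns only the teachers group; passing a different domain SID (for example the one from the other poster's EUROPA domain) returns nothing, which is the symptom to check against `net getdomainsid` when the list comes back empty.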