[Samba] nested groups on samba 3.6 server broken
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Jul 29 14:32:22 MDT 2014
I am running Samba 3.6.20 for my primary domain controller (+ main
file server) and my backup domain controller. Each domain controller
has an LDAP backend; the LDAP servers are configured for multimaster
replication.
I have domain trusts established with a Windows 2003 AD domain
("WINDOMAIN"). I have enabled nested groups in smb.conf. Winbind
is enabled to support domain trusts. It isn't needed for users in the
local samba domain ("SAMBADOMAIN") since the LDAP backend stores unix
uids and gids as well as samba user SIDs.
I had a shared directory on the primary server that I wanted to make
easily accessible to members from the trusted Win 2003 domain.
Domain trusts worked, and the trusted users had access to the parent
directory. But the problem was that every time someone in the samba
domain created a new file in the directory, the trusted users did
not automatically have access. The new file would inherit the
primary group for the file from the parent directory, but none of the
ACEs for the trusted domain users. Whoever created the new file could
add the trusted domain users to that file's ACL, but they usually forgot to.
The shared directory is owned by the "projectX" group. Originally the
directory was a domain group for the samba domain. In the example
below, the users thomas, richard and harold are members of the samba
domain.
e.g.
version: 1
dn: cn=projectx,ou=group,o=mydomain.com
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: top
cn: staff_planning
gidNumber: 123
sambaGroupType: 2
sambaSID: S-1-5-21-111111-222222-333333-10123
description: projectx
displayName: projectx
memberUid: thomas
memberUid: richard
memberUid: harold
entrydn: cn=projectx,ou=group,o=mydomain.com
I wanted to be able to add users from the trusted domain to this
group. Adding a "WINDOMAIN\user" as a memberUid was not sufficient.
So I changed the group to a "local" (aka "nested") group,
basically by changing the group type from 2 to 4. I could then use the
net command to add users from the trusted domain,
e.g.
net rpc group addmem projectX "WINDOMAIN\peter " -U "SAMBADOMAIN\Administrator"
This would add the sambasidlist attribute to the LDAP entry.
e.g.
version: 1
dn: cn=projectx,ou=group,o=mydomain.com
objectClass: sambaGroupMapping
objectClass: posixGroup
objectClass: top
cn: staff_planning
gidNumber: 123
sambaGroupType: 4
sambaSID: S-1-5-21-111111-222222-333333-10123
description: projectX
displayName: projectX
memberUid: thomas
memberUid: richard
memberUid: harold
entrydn: cn=projectx,ou=group,o=mydomain.com
sambasidlist: S-1-5-21-88888-99999-00000-10001
sambasidlist: S-1-5-21-88888-99999-00000-10002
sambasidlist: S-1-5-21-88888-99999-00000-10003
I can also add users and groups from the samba domain to the group with
the net command, but there isn't much benefit to this.
I can verify the members with "net rpc group members projectX".
This worked fine for maybe 6 months. Last week (maybe 2 weeks ago)
users from the trusted domain reported that this no longer worked. (If
they explicitly have permissions to the file, then they have access but
the group membership functionality no longer works.)
The "net rpc user info" command only works for local users, but that
had always been the case.
E.g.
# net rpc user info thomas -U Administrator
Enter Administrator's password:
Domain Users
projectX
# net rpc user info "SAMBADOMAIN\thomas" -U Administrator
Failed to get groups for 'SAMBADOMAIN\thomas' with error: Could not map
names to SIDs.
# net rpc user info "WINDOMAIN\peter " -U Administrator
Failed to get groups for 'WINDOMAIN\peter' with error: Could not map
names to SIDs.
A few months ago I updated from Samba 3.5.x to Samba 3.6.20. I do not
think this corresponds to the nested groups breaking, since the problem
was not reported until months later.
The "net rpc group delmem" also no longer works, though this may be
related to the samba upgrade. I can still delete sambasidlist entries
with LDAP tools.
wbinfo shows that the user ids, SIDs and names are all consistent for
trusted users. The getent and id commands work with trusted users. I
can make a trusted user the owner of a file.
Samba logs show the trusted users being denied access to the files, so
it seems clear that the group membership is just not being recognized.
Any help is appreciated.
Thanks
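As an added example (not part of the post above, and not Samba's own code), here is a small audit script for group entries in the LDIF shape quoted in the post. It parses the entries and reports, per group, which members come from memberUid and which from sambaSIDList, and warns where the nested list cannot take effect: the rule it encodes is that Samba only expands sambaSIDList for local groups (sambaGroupType 4), and that member SIDs whose domain prefix differs from the group's own sambaSID belong to a trusted domain and can only be resolved through winbind. The sample entries are constructed, with the post's sanitised SIDs.

```python
import re

# Constructed sample in the shape of the post's LDIF: the nested (type 4)
# group with trusted-domain SIDs, plus a wrong type-2 group with a sambaSIDList.
SAMPLE_LDIF = """\
dn: cn=projectx,ou=group,o=mydomain.com
cn: projectx
sambaGroupType: 4
sambaSID: S-1-5-21-111111-222222-333333-10123
memberUid: thomas
sambasidlist: S-1-5-21-88888-99999-00000-10001
sambasidlist: S-1-5-21-88888-99999-00000-10002

dn: cn=broken,ou=group,o=mydomain.com
cn: broken
sambaGroupType: 2
sambaSID: S-1-5-21-111111-222222-333333-10200
sambasidlist: S-1-5-21-88888-99999-00000-10003
"""

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-\d+$")  # (domain SID) - RID

def parse_ldif(text):
    # Entries are blank-line separated; LDIF attribute names are
    # case-insensitive, so keys are lowercased (the post mixes cases).
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        else:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_group(entry):
    # Nested members live in sambaSIDList; Samba expands it only for local
    # groups (type 4). SIDs from another domain prefix need winbind to resolve.
    gtype = entry.get("sambagrouptype", [""])[0]
    own_domain = SID_RE.match(entry["sambasid"][0]).group(1)
    sids = entry.get("sambasidlist", [])
    foreign = [s for s in sids if not s.startswith(own_domain + "-")]
    warnings = []
    if sids and gtype != "4":
        warnings.append("sambaSIDList is ignored unless sambaGroupType is 4")
    if foreign:
        warnings.append("%d trusted-domain member SID(s) rely on winbind" % len(foreign))
    return {"cn": entry["cn"][0], "type": gtype, "posix": entry.get("memberuid", []),
            "nested": sids, "foreign": foreign, "warnings": warnings}
```

Run it against an `ldapsearch -LLL` dump of the group subtree to get the same report for real entries.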