[Samba] Cannot add user to group in Samba AD DC

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 15 04:46:06 MDT 2014


On 15/10/14 11:17, Андрей Черепанов wrote:
> 15.10.2014 14:09, Rowland Penny wrote:
>> On 15/10/14 10:21, Андрей Черепанов wrote:
>>> I create a domain in Samba AD DC and add user 'cas' and group 'aaa':
>>>
>>>    # samba-tool user list | grep cas
>>>    cas
>>>    # samba-tool group list | grep aaa
>>>    aaa
>>>
>>> Now I try to add user 'cas' to group 'aaa':
>>>
>>>    # samba-tool group addmembers aaa cas -Uadministrator
>>>    Added members to group aaa
>>>
>>> But listmembers does not show this user in the group:
>>>
>>>    # samba-tool group listmembers aaa -Uadministrator
>>>    #
>>>
>>> There are no memberOf fields in sam.ldb for user 'cas':
>>>    # LDB_MODULES_PATH=/usr/lib64/samba/ldb ldbsearch \
>>>    > -H /var/lib/samba/private/sam.ldb '(cn=cas)' \
>>>    > memberOf | grep ^memberOf
>>>    #
>>>
>>> What's wrong?
>>>
>> Hi, it should work, try:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=cas)'
>>
>> This should show the user's AD entry, does it have the 'memberOf'
>> attribute?
> No.
>
> # LDB_MODULES_PATH=/usr/lib64/samba/ldb ldbsearch -H
> /var/lib/samba/private/sam.ldb '(sAMAccountName=cas)'
> # record 1
> dn: CN=cas,CN=Users,DC=school,DC=alt
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: cas
> instanceType: 4
> whenCreated: 20140930065140.0Z
> uSNCreated: 3714
> name: cas
> objectGUID: 95126dff-3c57-45bd-8248-c97f921e21d4
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-80639820-2350372464-3293631772-1103
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: cas
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=school,DC=alt
> userAccountControl: 512
> pwdLastSet: 130570705490000000
> whenChanged: 20141006120229.0Z
> uSNChanged: 3747
> email: cas at altlinux.ru
> distinguishedName: CN=cas,CN=Users,DC=school,DC=alt
>
> # Referral
> ref: ldap://school.alt/CN=Configuration,DC=school,DC=alt
>
> # Referral
> ref: ldap://school.alt/DC=DomainDnsZones,DC=school,DC=alt
>
> # Referral
> ref: ldap://school.alt/DC=ForestDnsZones,DC=school,DC=alt
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> I have registered a computer with the name CAS and slightly changed the query to show
> only the user record.

Does the above mean that you have a computer named 'CAS' ???

> If I run addmembers with -d 16, I get:
> ...
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Security token SIDs (1):
>    SID[  0]: S-1-5-18
>   Privileges (0xFFFFFFFFFFFFFFFF):
> ...
>   Rights (0x               0):
> lpcfg_servicenumber: couldn't find ldb
> schema_fsmo_init: we are master[yes] updates allowed[no]
> ...
> schema_fsmo_init: we are master[yes] updates allowed[no]
> Added members to group aaa
>
> (some text is skipped)
>
There is a bug report: https://bugzilla.samba.org/show_bug.cgi?id=10871
about this problem: samba-tool reports that the user has been added to a
group, even if it hasn't been.

Rowland
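
Added example (not part of the original message and not Samba code): because samba-tool can print "Added members to group" when nothing was written, this sketch checks membership from saved ldbsearch output instead, selecting the entry by exact sAMAccountName so the computer account CAS is not mistaken for user 'cas'. The group DN, the computer entry and the sample output are constructed assumptions.

```python
import base64

def parse_ldbsearch(text):
    """Parse ldbsearch LDIF output into a list of {attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:    # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, cur = [], {}
    for line in lines + [""]:                # trailing "" flushes the last record
        if not line.strip():
            if "dn" in cur:
                records.append(cur)
            cur = {}
            continue
        if line.startswith(("#", "ref:")):
            continue                         # comments and referrals are not entries
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr.lower(), []).append(value.strip())
    return records

def is_member(records, account, group_dn):
    """Check memberOf on the entry whose sAMAccountName is exactly `account`."""
    for rec in records:
        if account.lower() in (v.lower() for v in rec.get("samaccountname", [])):
            groups = [v.lower() for v in rec.get("memberof", [])]
            return group_dn.lower() in groups    # simple case-insensitive DN match
    raise LookupError("no entry with sAMAccountName " + account)

GROUP_DN = "CN=aaa,CN=Users,DC=school,DC=alt"    # assumed DN of group 'aaa'
# Constructed sample: a '(cn=cas)' search also returns the computer CAS.
SAMPLE = """# record 1
dn: CN=CAS,CN=Computers,DC=school,DC=alt
sAMAccountName: CAS$
memberOf: CN=aaa,CN=Users,DC=school,DC=alt

dn: CN=cas,CN=Users,DC=school,DC=alt
sAMAccountName: cas

# Referral
ref: ldap://school.alt/CN=Configuration,DC=school,DC=alt
"""
print(is_member(parse_ldbsearch(SAMPLE), "cas", GROUP_DN))
```

In this sample a plain `grep ^memberOf` over the '(cn=cas)' results would match the computer's entry, which is why the check keys on sAMAccountName.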

