[Samba] Cannot add user to group in Samba AD DC

Андрей Черепанов cas at altlinux.ru
Wed Oct 15 06:16:31 MDT 2014


15.10.2014 14:46, Rowland Penny wrote:
> On 15/10/14 11:17, Андрей Черепанов wrote:
>> 15.10.2014 14:09, Rowland Penny wrote:
>>> On 15/10/14 10:21, Андрей Черепанов wrote:
>>>> I created a domain in Samba AD DC and added user 'cas' and group 'aaa':
>>>>
>>>>    # samba-tool user list | grep cas
>>>>    cas
>>>>    # samba-tool group list | grep aaa
>>>>    aaa
>>>>
>>>> Now I try to add user 'cas' to group 'aaa':
>>>>
>>>>    # samba-tool group addmembers aaa cas -Uadministrator
>>>>    Added members to group aaa
>>>>
>>>> But listmembers does not show this user in group:
>>>>
>>>>    # samba-tool group listmembers aaa -Uadministrator
>>>>    #
>>>>
>>>> There are no memberOf fields in sam.ldb for user 'cas':
>>>>    # LDB_MODULES_PATH=/usr/lib64/samba/ldb ldbsearch \
>>>>    > -H /var/lib/samba/private/sam.ldb '(cn=cas)' \
>>>>    > memberOf | grep ^memberOf
>>>>    #
>>>>
>>>> What's wrong?
>>>>
>>> Hi, it should work, try:
>>>
>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=cas)'
>>>
>>> This should show the user's AD entry, does it have the 'memberOf'
>>> attribute?
>> No.
>>
>> # LDB_MODULES_PATH=/usr/lib64/samba/ldb ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=cas)'
>> # record 1
>> dn: CN=cas,CN=Users,DC=school,DC=alt
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: cas
>> instanceType: 4
>> whenCreated: 20140930065140.0Z
>> uSNCreated: 3714
>> name: cas
>> objectGUID: 95126dff-3c57-45bd-8248-c97f921e21d4
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-80639820-2350372464-3293631772-1103
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: cas
>> sAMAccountType: 805306368
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=school,DC=alt
>> userAccountControl: 512
>> pwdLastSet: 130570705490000000
>> whenChanged: 20141006120229.0Z
>> uSNChanged: 3747
>> email: cas at altlinux.ru
>> distinguishedName: CN=cas,CN=Users,DC=school,DC=alt
>>
>> # Referral
>> ref: ldap://school.alt/CN=Configuration,DC=school,DC=alt
>>
>> # Referral
>> ref: ldap://school.alt/DC=DomainDnsZones,DC=school,DC=alt
>>
>> # Referral
>> ref: ldap://school.alt/DC=ForestDnsZones,DC=school,DC=alt
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>> I have registered a computer with the name CAS and slightly changed the
>> query to show only the user record.
> 
> Does the above mean that you have a computer named 'CAS' ???
Yes.

>> If I run addmembers with -d 16, I get:
>> ...
>> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> pm_process() returned Yes
>> Security token SIDs (1):
>>    SID[  0]: S-1-5-18
>>   Privileges (0xFFFFFFFFFFFFFFFF):
>> ...
>>   Rights (0x               0):
>> lpcfg_servicenumber: couldn't find ldb
>> schema_fsmo_init: we are master[yes] updates allowed[no]
>> ...
>> schema_fsmo_init: we are master[yes] updates allowed[no]
>> Added members to group aaa
>>
>> (some text is skipped)
>>
> There is a bug report: https://bugzilla.samba.org/show_bug.cgi?id=10871
> about this problem, samba-tool reports that the user has been added to a
> group, even if it hasn't been.
Thanks for the link. I'll try to package Samba with this patch.

-- 
Andrey Cherepanov
ALT Linux
cas at altlinux.ru
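
Added example, not part of the original thread and not Samba code: since samba-tool can print "Added members to group" without the change landing, this sketch checks the result in ldbsearch LDIF output instead, looking for the `member` link on the group and the `memberOf` backlink on the user. The group DN and the sample LDIF strings are constructed for illustration; only the user DN is taken from the thread.

```python
import base64

def parse_ldif(text):
    """Parse ldbsearch-style LDIF text into a list of {attribute: [values]} records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:
        if not line.strip():                       # a blank line closes the record
            if "dn" in current:                    # referral blocks carry no dn and are dropped
                records.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):              # "attr:: <base64>" encoding
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.lower(), []).append(value.strip())
    return records

def norm_dn(dn):
    # Case-insensitive compare; does not handle escaped commas inside RDN values.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def linked(ldif, entry_dn, attr, target_dn):
    """True if the record for entry_dn lists target_dn in the given DN-valued attribute."""
    for rec in parse_ldif(ldif):
        if norm_dn(rec["dn"][0]) == norm_dn(entry_dn):
            return norm_dn(target_dn) in {norm_dn(v) for v in rec.get(attr.lower(), [])}
    return False

def membership_state(group_ldif, user_ldif, group_dn, user_dn):
    """Return (forward link present on group, backlink present on user)."""
    return (linked(group_ldif, group_dn, "member", user_dn),
            linked(user_ldif, user_dn, "memberOf", group_dn))

USER_DN = "CN=cas,CN=Users,DC=school,DC=alt"       # from the thread
GROUP_DN = "CN=aaa,CN=Users,DC=school,DC=alt"      # assumed location of group 'aaa'
# Constructed samples: the state the thread reports, and a state after a working add.
USER_BAD = "# record 1\ndn: " + USER_DN + "\nsAMAccountName: cas\n\n# Referral\nref: ldap://school.alt/CN=Configuration,DC=school,DC=alt\n"
GROUP_BAD = "# record 1\ndn: " + GROUP_DN + "\nsAMAccountName: aaa\n"
USER_OK = USER_BAD.replace("sAMAccountName: cas", "sAMAccountName: cas\nmemberOf: " + GROUP_DN)
GROUP_OK = GROUP_BAD + "member:: " + base64.b64encode(USER_DN.encode()).decode() + "\n"

if __name__ == "__main__":
    print(membership_state(GROUP_BAD, USER_BAD, GROUP_DN, USER_DN), membership_state(GROUP_OK, USER_OK, GROUP_DN, USER_DN))
```

A result of `(False, False)` after a reported success is the condition described in the thread. Membership through `primaryGroupID` does not appear in `member` or `memberOf`, so this check covers only explicitly added members.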