Christoph Scholz
2003-Apr-16 11:49 UTC
[Samba] smbgroupedit & ldapsam backend with samba 3.0a23
Hi!

Has anyone got the group mapping feature of samba 3.0 working with ldapsam? I am not able to add any groups to the group mapping table. The following works with the tdbsam backend:

-------------------------------------------------------------------
[root@tokyo root]# smbgroupedit -a mitarbeiter -td
[root@tokyo root]# smbgroupedit -v
NT group (SID) -> Unix group
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Admins (S-1-5-21-341274446-1685656727-1244863647-512) -> -1
Domain Guests (S-1-5-21-341274446-1685656727-1244863647-514) -> -1
Print Operators (S-1-5-32-550) -> -1
Domain Users (S-1-5-21-341274446-1685656727-1244863647-513) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
mitarbeiter (S-1-5-21-341274446-1685656727-1244863647-12857) -> mitarbeiter
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
[root@tokyo root]#
-------------------------------------------------------------------

If I use the ldapsam backend it looks like this:

-------------------------------------------------------------------
[root@tokyo root]# smbgroupedit -a mitarbeiter -td
[root@tokyo root]# smbgroupedit -v
NT group (SID) -> Unix group
[root@tokyo root]#
-------------------------------------------------------------------

Note that sambaAccounts work perfectly with the ldapsam backend. I am using this on a RedHat 9 box.
My smb.conf looks like this:

-------------------------------------------------------------------
[global]
unix charset = CP850
workgroup = ABTEILUNG-IV
server string = PDC ABTEILUNG-IV
smb passwd file = /etc/samba/smbpasswd
algorithmic rid base = 10000
username map = /usr/local/samba/lib/smbusers
log file = /usr/local/samba/var/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/useradd -g rechner -d /dev/null -s /bin/false %u
logon script = logon.bat
logon path
logon drive = h:
logon home = \\%N\user\%U
domain logons = Yes
os level = 99
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap port = 389
ldap suffix = o=smb,dc=bonn,dc=edu
ldap machine suffix = ou=Computers,o=smb,dc=bonn,dc=edu
ldap user suffix = ou=Users,o=smb,dc=bonn,dc=edu
ldap admin dn = "cn=root,o=smb,dc=bonn,dc=edu"
ldap ssl = no
ldap delete dn = Yes
hosts allow = 131.220.6.0/255.255.255.0, 131.220.242.96/255.255.255.224
-------------------------------------------------------------------

Any ideas on this would be greatly appreciated!

Bye, Christoph
Bradley W. Langhorst
2003-Apr-16 12:00 UTC
[Samba] smbgroupedit & ldapsam backend with samba 3.0a23
On Wed, 2003-04-16 at 07:49, Christoph Scholz wrote:
> Hi!
>
> Has anyone got the group mapping feature of samba 3.0 working with ldapsam?
>
yes - did you run the import script and include the new samba.schema as listed in the release notes for a23?

brad
--
Bradley W. Langhorst <brad@langhorst.com>
Christoph Scholz
2003-Apr-16 12:17 UTC
[Samba] smbgroupedit & ldapsam backend with samba 3.0a23
Bradley W. Langhorst wrote:
> On Wed, 2003-04-16 at 07:49, Christoph Scholz wrote:
>
>> Hi!
>>
>> Has anyone got the group mapping feature of samba 3.0 working with ldapsam?
>>
>
> yes - did you run the import script and include the new samba.schema as
> listed in the release notes for a23?

Yes. But the import script unfortunately does not seem to work:

-------------------------------------------------------------------------------
[root@tokyo root]# pdbedit -i tdbsam -e ldapsam -g
[root@tokyo root]# smbgroupedit -v
NT group (SID) -> Unix group
[root@tokyo root]#
-------------------------------------------------------------------------------

I get a lot of error messages like the following if I run "pdbedit -d2 -i tdbsam -e ldapsam -g":

-------------------------------------------------------------------------------
ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=-1))]
ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=-1))]
Group -1 must exist exactly once in LDAP
-------------------------------------------------------------------------------

Christoph
Bradley W. Langhorst
2003-Apr-16 12:32 UTC
[Samba] smbgroupedit & ldapsam backend with samba 3.0a23
On Wed, 2003-04-16 at 08:17, Christoph Scholz wrote:
> Yes. But the import script unfortunately does not seem to work:
>
not enough detail...
did you restart slapd after updating samba.schema?

brad
Christoph Scholz
2003-Apr-16 12:46 UTC
[Samba] smbgroupedit & ldapsam backend with samba 3.0a23
Bradley W. Langhorst wrote:
> On Wed, 2003-04-16 at 08:17, Christoph Scholz wrote:
>
>> Yes. But the import script unfortunately does not seem to work:
>>
>
> not enough detail...
> did you restart slapd after updating samba.schema?

Actually I did not upgrade from a previous alpha version (i.e. a22) but started from scratch with samba 3.0 a23. So I have never used another samba.schema than the one provided by samba 3.0 a23:

----------------------------------------------------------------------
[root@tokyo root]# diff samba-3.0alpha23/examples/LDAP/samba.schema /etc/openldap/schema/samba.schema
[root@tokyo root]#
----------------------------------------------------------------------

Do I need to edit the "samba.schema" file in some way in order to enable group mapping?

These are the schemas that are included in slapd.conf:

----------------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/samba.schema
----------------------------------------------------------------------

Could it be a problem with the ldap ACLs?

----------------------------------------------------------------------
access to *
        by self write
        by * read
----------------------------------------------------------------------

Which additional details do you need?

Christoph
--
Christoph Scholz
University of Bonn, Institut of Computer Science IV
Römerstraße 164, D-53117 Bonn, Germany
Phone: +49 228 73 4117 Fax: +49 228 73 4571
mailto:scholz@cs.uni-bonn.de
http://web.informatik.uni-bonn.de/IV/Mitarbeiter/scholz/
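As an added example (not part of the thread and not Samba's own code), a small offline check that applies the "must exist exactly once" condition from the pdbedit -d2 log above to a constructed LDIF: for each sambaGroupMapping it counts the posixGroup entries sharing its gidNumber, and flags mappings still at gidNumber -1, the value "smbgroupedit -v" shows for the builtin groups under tdbsam. The objectClass and attribute names are the ones in the log; ou=Groups is an assumed container under the thread's ldap suffix.

```python
# Added example (not from the thread or from Samba): an offline check of LDAP
# group mappings against the "must exist exactly once" rule in the pdbedit -d2
# log: the gidNumber of every sambaGroupMapping must belong to one posixGroup.
from collections import Counter
# Constructed LDIF sample (ou=Groups is assumed; the suffix is from the thread).
SAMPLE_LDIF = """\
dn: cn=mitarbeiter,ou=Groups,o=smb,dc=bonn,dc=edu
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001

dn: cn=Domain Admins,ou=Groups,o=smb,dc=bonn,dc=edu
objectClass: sambaGroupMapping
gidNumber: -1

dn: cn=Domain Users,ou=Groups,o=smb,dc=bonn,dc=edu
objectClass: sambaGroupMapping
gidNumber: 2000
"""

def parse_ldif(text):
    # Minimal LDIF reader: blank-line separated entries, multi-valued attributes.
    entries, entry = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entries

def check_group_mappings(ldif_text):
    # Returns {dn: reason} for every mapping that fails the "exactly once" rule.
    entries = parse_ldif(ldif_text)
    posix_gids = Counter(e["gidNumber"][0] for e in entries
                         if "posixGroup" in e.get("objectClass", []))
    problems = {}
    for e in entries:
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue
        gid = e["gidNumber"][0]
        n = posix_gids.get(gid, 0)
        if gid == "-1":
            problems[e["dn"][0]] = "unmapped (gidNumber -1)"
        elif n != 1:
            problems[e["dn"][0]] = f"gidNumber {gid} matches {n} posixGroup entries"
    return problems
```

Run against a real export (ldapsearch output in LDIF) the same function lists which mappings need a Unix group before a tdbsam-to-ldapsam migration can succeed.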