Mario Minati
2006-Oct-09 16:54 UTC
[Samba] windows doesn't show groups in security tab of file properties
Hello,

I've a Samba 3.0.23c-SerNet-Debian PDC (no BDC or anything) connected to OpenLDAP. I thought it would work smoothly, I didn't discover any problems until today.

I'm trying to create a ntconfig.pol with poledit, but it doesn't show me any groups to add to the policy. I can see all the users by the way. To eliminate a poledit problem I used the security tab (in German its name is 'Sicherheitseinstellungen') of the file properties dialog to test the availability of groups on the Windows 2000 client.
If I try to add a user to a file (either a local one on an NTFS drive, or one on the PDC) it only shows me local groups and users and the users on the PDC, but I cannot see any groups from the PDC.

The funny thing is that in the security tab the name of the group a file on the PDC belongs to is shown correctly, so the resolution of a given groupname and SID seems to work.

By the way I tested this behavior on a second Win 2000 vmware instance and it's exactly the same.

I checked the output of 'getent groups' on the PDC, they look good (see below).
root:x:0:
[...]
ssh:x:103:
administrators:x:999:admin
domain guests:x:10004:
domain machines:x:10005:
buchhaltung:x:1003:ya
honorar:x:1004:ya
intern:x:1007:hm,madt,ya
print_ops:x:1008:administrator
domain_admins:x:10003:administrator
igm:x:1002:hm,madt,ya
dev:x:1006:
software:x:1009:
bpm:x:1005:
pem:x:1010:hm,madt
domain_users:x:10002:administrator,hm,ya,madt
wks_admin:x:1011:administrator,ya

I checked the groupmapping, which also looks good (see below).
domain guests (S-1-5-21-XXX-514) -> domain guests
domain machines (S-1-5-21-XXX-516) -> domain machines
buchhaltung (S-1-5-21-XXX-3007) -> buchhaltung
honorar (S-1-5-21-XXX-3009) -> honorar
intern (S-1-5-21-XXX-3015) -> intern
print_ops (S-1-5-21-XXX-3017) -> print_ops
domain_admins (S-1-5-21-XXX-512) -> domain_admins
igm (S-1-5-21-XXX-3005) -> igm
dev (S-1-5-21-XXX-3013) -> dev
software (S-1-5-21-XXX-3019) -> software
bpm (S-1-5-21-XXX-3011) -> bpm
pem (S-1-5-21-XXX-3021) -> pem
domain_users (S-1-5-21-XXX-513) -> domain_users
wks_admin (S-1-5-21-XXX-3023) -> wks_admin

I looked in the logs (debug level=1) and didn't see anything related to my problem (see below):
[2006/10/09 14:49:52, 1] smbd/service.c:make_connection_snum(941)
  sunshine (10.1.10.194) signed connect to service profiles initially as user administrator (uid=0, gid=10003) (pid 3087)
Could not connect to server sunshine
Connection failed: NT_STATUS_IO_TIMEOUT
[2006/10/09 14:50:05, 1] smbd/service.c:make_connection_snum(941)
  sunshine (10.1.10.194) signed connect to service netlogon initially as user administrator (uid=0, gid=10003) (pid 3087)
[2006/10/09 14:50:05, 1] smbd/service.c:close_cnum(1141)
  sunshine (10.1.10.194) closed connection to service profiles
[2006/10/09 14:50:05, 1] smbd/service.c:close_cnum(1141)
  sunshine (10.1.10.194) closed connection to service netlogon
[2006/10/09 14:50:05, 1] smbd/service.c:make_connection_snum(941)
  sunshine (10.1.10.194) signed connect to service administrator initially as user administrator (uid=0, gid=10003) (pid 3087)
Could not connect to server sunshine
Connection failed: NT_STATUS_IO_TIMEOUT
[2006/10/09 14:50:16, 1] smbd/service.c:make_connection_snum(941)
  sunshine (10.1.10.194) signed connect to service netlogon initially as user administrator (uid=0, gid=10003) (pid 3087)
[2006/10/09 14:50:21, 1] smbd/service.c:make_connection_snum(941)
  sunshine (10.1.10.194) signed connect to service administrator initially as user administrator (uid=0, gid=10003) (pid 3087)
[2006/10/09 14:50:25, 1] smbd/service.c:make_connection_snum(941)
  sunshine (10.1.10.194) signed connect to service administrator initially as user administrator (uid=0, gid=10003) (pid 3087)
[2006/10/09 14:50:25, 1] smbd/service.c:make_connection_snum(941)
  sunshine (10.1.10.194) signed connect to service temp initially as user administrator (uid=0, gid=10003) (pid 3087)
[2006/10/09 14:51:56, 1] smbd/service.c:make_connection_snum(941)
  sunshine (10.1.10.194) signed connect to service temp initially as user administrator (uid=0, gid=10003) (pid 3087)
[2006/10/09 14:52:31, 0] lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 10.1.10.194. Error = Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
[2006/10/09 15:00:06, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Verbindungsaufbau abgelehnt
The last one comes once every hour, I've to check that later on.

I hope someone has an idea where to look at and what the reason for this behaviour can be.

Regards,
Mario Minati

Mario Minati
2006-Oct-11 11:07 UTC
[Samba] poledit - acl editor - groups problem [was: windows doesn't show groups in security tab of file properties]
Hi,

I would like to repeat my question (no groups shown in windows acl editor) as I didn't find a solution to my problem. I googled a lot and found many questions on that topic, but none helped me out of my troubles.

Gerald Carter wrote:
> If they show up in the ACL editor for example,
> they should show up in the policy editor as well.
> on Samba DCs, on mapped groups will show up though.

I read it, but for me my groupmapping looks good, even with the changes in the group mapping stuff in Samba 3.0.23:
> domain guests (S-1-5-21-XXX-514) -> domain guests
> domain machines (S-1-5-21-XXX-516) -> domain machines
> buchhaltung (S-1-5-21-XXX-3007) -> buchhaltung
> honorar (S-1-5-21-XXX-3009) -> honorar
> intern (S-1-5-21-XXX-3015) -> intern
> print_ops (S-1-5-21-XXX-3017) -> print_ops
> domain_admins (S-1-5-21-XXX-512) -> domain_admins
> igm (S-1-5-21-XXX-3005) -> igm
> dev (S-1-5-21-XXX-3013) -> dev
> software (S-1-5-21-XXX-3019) -> software
> bpm (S-1-5-21-XXX-3011) -> bpm
> pem (S-1-5-21-XXX-3021) -> pem
> domain_users (S-1-5-21-XXX-513) -> domain_users
> wks_admin (S-1-5-21-XXX-3023) -> wks_admin

Probably I'm just too blind to see the point, could you please give me a hint what to check / test next?

One thing I am not 100% sure about is, if I need winbindd. As I only have one Samba PDC with LDAP with Win2000 and WinXP Clients and no other DCs I think I don't need winbindd, right?

Thank you,
Mario Minati

Mario Minati wrote:
> Hello,
>
> I've a Samba 3.0.23c-SerNet-Debian PDC (no BDC or anything) connected
> to OpenLDAP. I thought it would work smoothly, I didn't discover any
> problems until today.
>
> I'm trying to create a ntconfig.pol with poledit, but it doesn't show
> me any groups to add to the policy. I can see all the users by the way.
> To eliminate a poledit problem I used the security tab (in German its
> name is 'Sicherheitseinstellungen') of the file properties dialog to
> test the availability of groups on the Windows 2000 client.
> If I try to add a user to a file (either a local one on an NTFS drive,
> or one on the PDC) it only shows me local groups and users and the
> users on the PDC, but I cannot see any groups from the PDC.
>
> The funny thing is that in the security tab the name of the group a
> file on the PDC belongs to is shown correctly, so the resolution of a
> given groupname and SID seems to work.
>
> By the way I tested this behavior on a second Win 2000 vmware instance
> and it's exactly the same.
>
> I checked the output of 'getent groups' on the PDC, they look good
> (see below).
> root:x:0:
> [...]
> ssh:x:103:
> administrators:x:999:admin
> domain guests:x:10004:
> domain machines:x:10005:
> buchhaltung:x:1003:ya
> honorar:x:1004:ya
> intern:x:1007:hm,madt,ya
> print_ops:x:1008:administrator
> domain_admins:x:10003:administrator
> igm:x:1002:hm,madt,ya
> dev:x:1006:
> software:x:1009:
> bpm:x:1005:
> pem:x:1010:hm,madt
> domain_users:x:10002:administrator,hm,ya,madt
> wks_admin:x:1011:administrator,ya
>
>
> I checked the groupmapping, which also looks good (see below).
> domain guests (S-1-5-21-XXX-514) -> domain guests
> domain machines (S-1-5-21-XXX-516) -> domain machines
> buchhaltung (S-1-5-21-XXX-3007) -> buchhaltung
> honorar (S-1-5-21-XXX-3009) -> honorar
> intern (S-1-5-21-XXX-3015) -> intern
> print_ops (S-1-5-21-XXX-3017) -> print_ops
> domain_admins (S-1-5-21-XXX-512) -> domain_admins
> igm (S-1-5-21-XXX-3005) -> igm
> dev (S-1-5-21-XXX-3013) -> dev
> software (S-1-5-21-XXX-3019) -> software
> bpm (S-1-5-21-XXX-3011) -> bpm
> pem (S-1-5-21-XXX-3021) -> pem
> domain_users (S-1-5-21-XXX-513) -> domain_users
> wks_admin (S-1-5-21-XXX-3023) -> wks_admin
>
>
> I looked in the logs (debug level=1) and didn't see anything related
> to my problem (see below):
> [2006/10/09 14:49:52, 1] smbd/service.c:make_connection_snum(941)
>   sunshine (10.1.10.194) signed connect to service profiles initially as user administrator (uid=0, gid=10003) (pid 3087)
> Could not connect to server sunshine
> Connection failed: NT_STATUS_IO_TIMEOUT
> [2006/10/09 14:50:05, 1] smbd/service.c:make_connection_snum(941)
>   sunshine (10.1.10.194) signed connect to service netlogon initially as user administrator (uid=0, gid=10003) (pid 3087)
> [2006/10/09 14:50:05, 1] smbd/service.c:close_cnum(1141)
>   sunshine (10.1.10.194) closed connection to service profiles
> [2006/10/09 14:50:05, 1] smbd/service.c:close_cnum(1141)
>   sunshine (10.1.10.194) closed connection to service netlogon
> [2006/10/09 14:50:05, 1] smbd/service.c:make_connection_snum(941)
>   sunshine (10.1.10.194) signed connect to service administrator initially as user administrator (uid=0, gid=10003) (pid 3087)
> Could not connect to server sunshine
> Connection failed: NT_STATUS_IO_TIMEOUT
> [2006/10/09 14:50:16, 1] smbd/service.c:make_connection_snum(941)
>   sunshine (10.1.10.194) signed connect to service netlogon initially as user administrator (uid=0, gid=10003) (pid 3087)
> [2006/10/09 14:50:21, 1] smbd/service.c:make_connection_snum(941)
>   sunshine (10.1.10.194) signed connect to service administrator initially as user administrator (uid=0, gid=10003) (pid 3087)
> [2006/10/09 14:50:25, 1] smbd/service.c:make_connection_snum(941)
>   sunshine (10.1.10.194) signed connect to service administrator initially as user administrator (uid=0, gid=10003) (pid 3087)
> [2006/10/09 14:50:25, 1] smbd/service.c:make_connection_snum(941)
>   sunshine (10.1.10.194) signed connect to service temp initially as user administrator (uid=0, gid=10003) (pid 3087)
> [2006/10/09 14:51:56, 1] smbd/service.c:make_connection_snum(941)
>   sunshine (10.1.10.194) signed connect to service temp initially as user administrator (uid=0, gid=10003) (pid 3087)
> [2006/10/09 14:52:31, 0] lib/util_sock.c:read_data(534)
>   read_data: read failure for 4 bytes to client 10.1.10.194. Error = Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
> [2006/10/09 15:00:06, 0] printing/print_cups.c:cups_cache_reload(85)
>   Unable to connect to CUPS server localhost - Verbindungsaufbau abgelehnt
> The last one comes once every hour, I've to check that later on.
>
>
> I hope someone has an idea where to look at and what the reason for
> this behaviour can be.
>
> Regards,
> Mario Minati
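
Added example, not part of either post and not Samba code: since the thread turns on whether every group is mapped, this Python script cross-checks a getent-style group listing against a group-mapping listing in the two formats quoted above, rather than comparing them by eye. The function names are hypothetical and the sample input is constructed, abridged from the posted listings.

```python
import re
from collections import Counter

# Constructed sample input, abridged from the two listings quoted in the thread
# (domain SID elided as XXX, as posted).
GETENT = """\
root:x:0:
[...]
administrators:x:999:admin
domain guests:x:10004:
domain_admins:x:10003:administrator
igm:x:1002:hm,madt,ya
"""
GROUPMAP = """\
domain guests (S-1-5-21-XXX-514) -> domain guests
domain_admins (S-1-5-21-XXX-512) -> domain_admins
igm (S-1-5-21-XXX-3005) -> igm
"""
MAP_RE = re.compile(r"^(.+?) \((S-[^)]+)\) -> (.+)$")  # NT name (SID) -> Unix group

def parse_getent(text):
    """Return {unix_group: gid} from 'name:x:gid:members' lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.lstrip("> ").strip().split(":")  # tolerate mail quoting
        if len(parts) >= 3 and parts[2].isdigit():
            groups[parts[0]] = int(parts[2])
    return groups

def parse_groupmap(text):
    """Return [(nt_name, sid, unix_group)] from 'NT (SID) -> unix' lines."""
    found = (MAP_RE.match(line.lstrip("> ").strip()) for line in text.splitlines())
    return [m.groups() for m in found if m]

def audit(getent_text, groupmap_text):
    """Cross-check the two listings; hypothetical helper, not a Samba tool."""
    unix = set(parse_getent(getent_text))
    maps = parse_groupmap(groupmap_text)
    mapped = {u for _, _, u in maps}
    sid_counts = Counter(sid for _, sid, _ in maps)
    return {
        "unmapped_unix_groups": sorted(unix - mapped),
        "mappings_without_unix_group": sorted(mapped - unix),
        "duplicate_sids": sorted(s for s, n in sid_counts.items() if n > 1),
    }

if __name__ == "__main__":
    for finding, names in audit(GETENT, GROUPMAP).items():
        print(f"{finding}: {names or 'none'}")
```

On the abridged sample only the purely local Unix groups (root, administrators) come back as unmapped, which matches the poster's reading that the mapping itself looks consistent.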