alexander at nautae.eti.br
2010-Jul-27 18:05 UTC
[Samba] Samba LDAP ignores group information
Hi.
Excuse my English.
I've installed Samba+OpenLDAP as a PDC.
Everything works fine but Samba ignores completely group information.
Linux is ok.
Any clue? I'm going crazy here!
Here's the situation:
user: fish1
home dir: /home/reaml/swim/fish1
primary group: swimmers
other groups: smokers
Directory of smoker's group: /home/realm/smokers
Here's an 'ls -l' on smoker's parent dir:
drwxrws--- 19 cigarr smokers 2208 Jul 27 2010 smokers
Here's the share:
[smokers]
comment = Smoking
path = /home/realm/smokers
valid users = @smokers @swimmers @support
public = no
writable = yes
browseable = yes
create mask = 0777
force create mode = 0777
force directory mode = 0777
directory mode = 0777
Here's 'id' information:
# id fish1
uid=1193(fish1) gid=1012(swimmers) groups=1013(smokers)
So, when user fish1 tries to enter the 'smokers' share: permission denied.
If I give all permissions to 'others', fish1 can use the share
normally.
This only happens when I try to access it using Windows. Linux is ok.
Any idea?
Seems to be an error between Samba and OpenLDAP...
Here's smbldap-usershow:
# smbldap-usershow fish1
dn: uid=fish1,ou=swimmers,ou=people,dc=example,dc=com
objectClass:
top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: fish1
sn: fish1
givenName: fish1
uid: fish1
uidNumber: 1193
gidNumber: 1012
homeDirectory: /home/realm/swim/fish1
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: angela
sambaSID: S-1-5-21-158730468-2379596502-3695168017-0001
sambaPrimaryGroupSID: S-1-5-21-158730468-2379596502-3695168017-0002
sambaLogonScript: swimmers.bat
sambaProfilePath: \\REALMSERV\profiles\fish1
sambaHomePath: \\REALMSERV\fish1
sambaHomeDrive: U:
sambaLMPassword: C665AEE66EF2A261AAD3B435B5143E3E
sambaAcctFlags: [U]
sambaNTPassword: 84AC02807D3D1C7000A79BD0E97BAEFEF
sambaPwdLastSet: 1280219188
sambaPwdMustChange: 2144132788
userPassword: {CRYPT}c28JIqzpe43e
shadowLastChange: 14817
shadowMax: 9999
Here's /etc/ldap.conf
base dc=example,dc=com
uri ldapi:///127.0.0.1
uri ldap://127.0.0.1
ldap_version 3
binddn cn=admin,dc=example,dc=com
bindpw mysecret
rootbinddn cn=admin,dc=example,dc=com
scope sub
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr yes
pam_member_attribute memberUid
pam_password md5
nss_base_passwd ou=people,dc=example,dc=com?sub
nss_base_passwd ou=computers,dc=example,dc=com?sub
nss_base_group ou=groups,dc=example,dc=com?sub
And the smbldap.conf:
SID="S-1-5-21-158730468-2379596502-3695168017"
sambaDomain="REALM"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile=""
clientcert=""
clientkey=""
suffix="dc=example,dc=com"
usersdn="ou=people,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="CRYPT"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="543"
defaultComputerGid="543"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="9999"
userSmbHome="\\REALMSERV\%U"
userProfile="\\REALMSERV\profiles\%U"
userHomeDirectoryMode="700"
userHomeDrive="U:"
userScript="%g.bat"
mailDomain="example.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
And finally, smb.conf:
workgroup = REALM
netbios name = REALMSERV
server string = My Realm %v
security = user
encrypt passwords = yes
load printers = yes
log file = /var/log/samba/log.%m
max log size = 50
os level = 33
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
#admin users = god
logon script = %g.bat
logon path = \\%L\profiles\%U
#logon path = \\%N\profiles\%U
wins support = no
dns proxy = no
ldap passwd sync = yes
ldap delete dn = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=computers
create mask = 600
directory mask = 0700
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
I'm lost...
[]s
Alexander
Brazil
alexander at nautae.eti.br wrote:
> [...]

It sounds as though the groups aren't mapped for Windows within Samba. Try:

# net groupmap list

Does this give you any groups? Are the groups you're working with included? How did you create the groups? smbldap-groupadd, I hope?
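Added example, not part of the thread: a small POSIX shell diagnostic that does mechanically what the reply above asks the poster to do by eye. It compares a user's Unix supplementary groups (`id -Gn`) with the Unix side of Samba's group map (`net groupmap list`, whose Samba 3 output format "<NT group> (<SID>) -> <Unix group>" is assumed here) and prints every Unix group that has no mapping. A group that shows up in `id` but not in the map is exactly the case where Linux grants access and Samba does not, because the group never makes it into the user's Windows token. The two `sample_*` functions are constructed stand-ins for the live commands: the domain SID is the one from the post, the RIDs are invented, and "smokers" is deliberately left unmapped to reproduce the reported failure.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): list the Unix groups of a user that
# have no Samba group mapping. On a live PDC replace the two sample_*
# functions with the real commands shown in the comments.

# Constructed stand-in for:  id -Gn fish1
sample_id_groups() {
    printf '%s\n' 'swimmers smokers'
}

# Constructed stand-in for:  net groupmap list
# One "<NT group> (<SID>) -> <Unix group>" line per mapping. The domain SID
# is the poster's; the RIDs are made up, and "smokers" is intentionally
# missing so the check has something to report.
sample_groupmap() {
    cat <<'EOF'
support (S-1-5-21-158730468-2379596502-3695168017-3001) -> support
swimmers (S-1-5-21-158730468-2379596502-3695168017-3003) -> swimmers
EOF
}

# Reads "net groupmap list" output on stdin and prints only the mapped Unix
# group names, one per line (the text after the " -> " arrow).
mapped_unix_groups() {
    sed -n 's/.* -> //p'
}

# unmapped_groups "<space-separated Unix groups>" "<mapped groups, one per line>"
# Prints each Unix group that is absent from the mapped list, one per line.
# grep -x matches whole lines, -F keeps group names from being read as regexes.
unmapped_groups() {
    for g in $1; do
        if ! printf '%s\n' "$2" | grep -qxF -- "$g"; then
            printf '%s\n' "$g"
        fi
    done
}

# Runs the check against the embedded samples. The live equivalent is:
#   unmapped_groups "$(id -Gn fish1)" "$(net groupmap list | mapped_unix_groups)"
check_sample_user() {
    unmapped_groups "$(sample_id_groups)" "$(sample_groupmap | mapped_unix_groups)"
}

# Prints "smokers": that group needs a sambaGroupMapping entry before Samba
# will honour "valid users = @smokers" for Windows clients.
check_sample_user
```

Any name this prints is a Unix group that needs a Samba mapping; the reply's suggestion (create groups with smbldap-groupadd, which writes the mapping into LDAP) is the fix for those entries, and an empty result means the problem lies elsewhere.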
On 2010-07-27 20:05, alexander at nautae.eti.br wrote:
> [...]

What version of Samba? What does this command return:

net rpc user info fish1

Daniel