Florian Scholz
2011-Oct-21 21:45 UTC
[Samba] windows doesn't detect the correct group memberships
Hi. I have a little problem..

Currently I'm using a LDAP+Samba configuration by using the smbldap-tools.

On a client computer I permitted all members of the groupmapping (unix: remote windows: ) to use remote desktop by adding this group. But Windows 7 and Vista are telling me that this user doesn't have the required privileges for using remote access.. So I tried debugging:

net user /DOMAIN username shows the correct groups but parsing the grouplist of the windows user only shows local groups and the Domain Users group (the admin told me that this list should contain the current user's groups, too)-

Do you have any idea? I appended the current configuration for samba 3.6.0-8.

Florian Scholz

-------------- next part --------------
[global]
    max protocol = SMB2
    workgroup = ASTA
    netbios name = samba
    server string = %h PDC (%v)
    comment = %h PDC (%v)
    interfaces = 10.20.30.253 127.0.0.1
    bind interfaces only = yes
    enable privileges = yes
    time server = yes
    dns proxy = no
    admin users = root,admin
    wide links = no

    # PDC
    os level = 65
    security = user
    encrypt passwords = yes
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes

    # ldap
    ldap suffix = dc=asta,dc=lan
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap admin dn = cn=admin,dc=asta,dc=lan
    ldap passwd sync = yes
    idmap config * : backend = ldap
    idmap config * : range = 1000-20000
    ldap idmap suffix = ou=Idmap
    ldap ssl = no
    ldap delete dn = no
    ldap passwd sync = yes
    unix password sync = yes
    passdb backend = ldapsam:ldap://192.168.100.253
    passwd program = /usr/bin/passwd %u.
    add user script = /usr/bin/smbldap-useradd -m "%u"
    delete user script = /usr/bin/smbldap-userdel "%u"
    add machine script = /usr/bin/smbldap-useradd -W "%u"
    add group script = /usr/bin/smbldap-groupadd -p "%g"
    delete group script = /usr/bin/smbldap-groupdel "%g"
    add user to group script = /usr/bin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/bin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/bin/smbldap-usermod -g "%g" "%u"
    template shell = /bin/false
    template homedir = /home/%U
    hide files = /desktop.ini/profile.V2/$RECYCLE.BIN/
    #obey pam restrictions = yes
    client NTLMv2 auth = no
    client lanman auth = no
    logon drive = h:
    logon script = netlogon.bat
    socket options = TCP_NODELAY
    log level = 2 auth:3 smb:3
    log file = /var/log/samba/%U.log
    max log size = 1000
    # map untrusted to domain = yes
    #winbind use default domain = yes
    #winbind enum users = yes
    #winbind enum groups = yes
    #winbind gid = 10000-20000
    #winbind separator = +

[scans]
    comment = Scans
    path = /home/samba/asta/Scans
    browsable = no
    writeable = yes
    create mask = 0777
    directory mask = 0777

[asta]
    comment = asta
    path = /home/samba/asta
    browsable = yes
    writeable = yes
    hide unreadable = yes
    hide special files = yes
    create mask = 0775
    directory mask = 0775

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    browseable = no
    public = yes

[profiles]
    comment = User Profiles
    create mask = 0700
    directory mask = 0700
    writeable = yes
    browsable = no

[homes]
    comment = Home Directory %U
    create mask = 0755
    directory mask = 0755
    writeable = yes
    browsable = no

[home]
    path = /home
    browsable = no
    writeable = yes
    create mask = 0775
    directory mask = 0775
    valid users = "@Domain Admins", @edv
    admin users = @edv

[0815]
    path = /opt/0815
    browsable = yes
    writeable = yes
    create mask = 0775
    directory mask = 0775
    valid users = "@Domain Users"

Volker Lendecke
2011-Oct-22 08:55 UTC
[Samba] windows doesn't detect the correct group memberships
On Fri, Oct 21, 2011 at 11:45:41PM +0200, Florian Scholz wrote:
> Hi. I have a little problem..
>
> Currently I'm using a LDAP+Samba configuration by using the smbldap-tools.
>
> On a client computer I permitted all members of the groupmapping
> (unix: remote windows: ) to use remote desktop by adding this group.
> But Windows 7 and Vista are telling me that this user doesn't have the
> required privileges for using remote access.. So I tried debugging:
>
> net user /DOMAIN username shows the correct groups but parsing the
> grouplist of the windows user only shows local groups and the Domain
> Users group (the admin told me that this list should contain the
> current user's groups, too)-
>
> Do you have any idea? I appended the current configuration for samba 3.6.0-8.

From the 3.6.1 WHATSNEW, marked as fixed:

* BUG 8455: Samba PDC is looking up only primary user group.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen