Hello, hello

I'm writing you this email because when I want to set up a password policy with LDAP, this one isn't recognized by Samba.

In the log I've got this:

ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))

When I look with LdapAdmin, I don't have SIDs like this. Why does LDAP check these SIDs if they don't exist?

Thanks for your help

Flake

P.S.: I don't paste files, because I don't know which one could help

--
Cédric CARLEN
Engineering student at TELECOM Lille 1
Class FI15
06.59.42.81.55
You may need to set up unix groups and domain mappings for some additional windows "well known groups" (google for windows well known groups.)

On my server I can see my group mappings:

# net groupmap list
.....
Domain Users (S-1-5-21-xxxxx-xxxx-xxxxx-513) -> Domain Users
Administrators (S-1-5-32-544) -> Builtin Admins
Domain Controllers (S-1-5-21-xxxxx-xxxx-xxxxx-516) -> Domain Controllers
....
Authenticated Users (S-1-5-11) -> Authenticated Users
Network (S-1-5-2) -> Network
Everyone (S-1-1-0) -> Everyone
....

So

# net groupmap add ntgroup="Authenticated Users" unixgroup=xxx sid="S-1-5-11"

Or you can update in ldap.

On 06/07/12 05:56, Cédric Carlen wrote:
Well known groups are things like "Domain Administrators" and "Administrators" - they always have the same SID or RID (relative ID.) With an LDAP backend, you may have winbind/idmap automatically allocating unix group id's so this may be hidden from you. In my environment I support linux clients (ssh and nfs) so I still have to manage unix uid's and gid's. It means I also have to create unix groups that represent any windows groups.

On the unix server, as root in a unix session, can you see the owner, group and permissions on the files you are creating from windows? If you run "pdbedit -Lv somesambauser" you should see the name of the unix account for that user. Is there a mismatch? Can you set file permissions via unix so that the windows users can see them? Have you defined any force user, force group or force mask options on the file share?

-----Original Message-----
From: Murthy [mailto:msganti8 at gmail.com]
Sent: Thursday, June 07, 2012 6:49 PM
To: gaiseric.vandal at gmail.com
Subject: Re: [Samba] ldapsam_getgroup

Hello:

I am not sure what you mean by setup Unix groups and domain mappings for additional windows "well known groups".

I tried the following experiment. I changed the permissions on the directory to 777 and mapped it to a share. I am able to see all the directories in that share directory (i.e. all sub-directories). However, I cannot see any individual files. Same thing happens if I create new subdirectories. I can see newly created sub-directories but I cannot see any individual files.

I have been working on this for about 3 days now. I am really frustrated why things have to be so complicated.

Murthy

On Jun 7, 2012, at 9:46 AM, Gaiseric Vandal wrote:
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
That looks good. Not all well known groups need to be mapped. Domain Admins is one of the groups that needs to be. I would add mappings for "Authenticated Users" and some of the other ones just to rule them out as causing problems, although I don't really think it is the issue. I don't make heavy use of group policies but I do see that "authenticated users" appears in some policies.

Group "33901" has such a high GID - is it allocated by Winbind or IDMAP? Can you post your sanitized idmap and group sections of smb.conf?

On my machine (Samba 3.5.x PDC, winbind/idmap not used for users or groups in the domain):

# pdbedit -Lv | more
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_DOMAIN_NAME))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server

My guess is that your system has allocated group 33901 as your default samba user group or some critical well known windows group. Maybe idmap created the group in one section of the ldap tree (or in a local TDB file) but the main samba process does not search for groups. What does the following show?

# wbinfo -g
# wbinfo --gid-info=33901

You can also use wbinfo to look up the gid from sid or vice versa. Or you can browse the idmap created groups with an ldap editor.
From: Cédric Carlen [mailto:carlen.cedric at gmail.com]
Sent: Friday, June 08, 2012 3:25 AM
To: gaiseric.vandal at gmail.com
Subject: Re: [Samba] ldapsam_getgroup

The net groupmap list gives me:

Domain Admins (S-1-5-21-2027065376-1956064403-1110974320-512) -> Domain Admins
Domain Users (S-1-5-21-2027065376-1956064403-1110974320-513) -> Domain Users
Domain Guests (S-1-5-21-2027065376-1956064403-1110974320-514) -> Domain Guests
Domain Computers (S-1-5-21-2027065376-1956064403-1110974320-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

2012/6/8 Cédric Carlen <carlen.cedric at gmail.com>

Hi,

When I make pdbedit -Lv Test there is a problem:

ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-2027065376-1956064403-1110974320-513] count=0

I have the SID S-1-5-21-2027065376-1956064403-1110974320-513, but not the gidNumber 39901 in my base.

Do you think that it could be the fact that samba doesn't recognize the password policy of LDAP???

Cédric

2012/6/8 Gaiseric Vandal <gaiseric.vandal at gmail.com>
Is this machine configured as a PDC?

I partially misread your earlier e-mail - I missed that you had typed "pdbedit -Lv Test" rather than "pdbedit -Lv."

What does "getent passwd Test" show? I would guess it will show that Test has a primary group of "39901." I would guess that group "39901" does not exist OR is in a part of the ldap tree that samba does not search for groups. You could have samba configured (in smb.conf) to create idmap entries in "ou=idmap,dc=mydomain,dc=com" while your "ldap group suffix" points to "ou=groups,dc=mydomain,dc=com."

You may want to explicitly set your user's primary group to a group you know is valid. In my setup, users have a primary group called, for example, "research." The research group is defined in ldap as both a unix group and windows group. It has a SID so that "net groupmap list" will show it as a valid mapping. I have a lot of ldap groups - they don't all need to be defined as samba (windows) groups but any groups that are either "well known windows" groups or primary user groups are.
On 06/08/12 08:18, Cédric Carlen wrote:
> The wbinfo command doesn't work on my server ^^,
>
> but when I type pdbedit -Lv | more, I've got:
>
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAINTEST))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> The LDAP server is successfully connected
> smbldap_search_paged: base => [dc=my,dc=test], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
> smbldap_search_paged: search was successful
> init_sam_from_ldap: Entry found for user: root
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> init_sam_from_ldap: Entry found for user: nobody
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=65534))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=65534))
> init_sam_from_ldap: Entry found for user: kimdotcom
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> init_sam_from_ldap: Entry found for user: Test
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> init_sam_from_ldap: Entry found for user: test1
> init_group_from_ldap: Entry found for group: 513
>
> 2012/6/8 Gaiseric Vandal <gaiseric.vandal at gmail.com>
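The two diagnoses in this thread (well-known SIDs with no sambaGroupMapping, and a user whose primary gidNumber has no mapping under the "ldap group suffix", possibly because idmap wrote it elsewhere in the tree) can be replayed offline against an LDIF dump before touching the live directory. The script below is an added example, not code from the thread or from Samba: it applies the same filters that appear in the log lines, (&(objectClass=sambaGroupMapping)(gidNumber=N)) and the sambaSID variant, to a constructed LDIF snapshot. The suffixes, the users alice/test1, the idmap entry and all SIDs other than the thread's own are assumptions made for illustration; only the base dc=my,dc=test and gidNumber 39901 come from the thread.

```python
"""Replay the ldapsam group lookups from this thread against an LDIF snapshot.

Added example; not part of the mailing-list thread and not Samba's own code.
It applies the filters visible in the thread's log lines,
(&(objectClass=sambaGroupMapping)(gidNumber=N)) and the sambaSID variant,
to a constructed directory. Suffixes, user names and SIDs are assumptions.
"""
from collections import defaultdict

# Constructed LDIF. Base dc=my,dc=test and gidNumber 39901 come from the thread.
SAMPLE_LDIF = """\
dn: uid=Test,ou=people,dc=my,dc=test
objectClass: sambaSamAccount
uid: Test
gidNumber: 39901
sambaSID: S-1-5-21-2027065376-1956064403-1110974320-3002

dn: uid=test1,ou=people,dc=my,dc=test
objectClass: sambaSamAccount
uid: test1
gidNumber: 513
sambaSID: S-1-5-21-2027065376-1956064403-1110974320-3004

dn: uid=alice,ou=people,dc=my,dc=test
objectClass: sambaSamAccount
uid: alice
gidNumber: 1001
sambaSID: S-1-5-21-2027065376-1956064403-1110974320-3006

dn: cn=Domain Users,ou=groups,dc=my,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-2027065376-1956064403-1110974320-513

dn: cn=research,ou=groups,dc=my,dc=test
objectClass: posixGroup
cn: research
gidNumber: 1001

dn: sambaSID=S-1-5-21-2027065376-1956064403-1110974320-3003,ou=idmap,dc=my,dc=test
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-2027065376-1956064403-1110974320-3003
gidNumber: 39901
"""

USER_SUFFIX = "ou=people,dc=my,dc=test"   # assumed "ldap user suffix"
GROUP_SUFFIX = "ou=groups,dc=my,dc=test"  # assumed "ldap group suffix"
WELL_KNOWN_SIDS = ("S-1-5-11", "S-1-5-2", "S-1-1-0")  # SIDs from the first log excerpt


def parse_ldif(text):
    """Minimal LDIF reader (no base64, no folded lines): entries are
    {"dn": str, "attrs": {lowercased attribute name: [values]}}."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = {"dn": value, "attrs": defaultdict(list)}
        elif cur is not None:
            cur["attrs"][name].append(value)
    if cur:
        entries.append(cur)
    return entries


def search(entries, base, **must):
    """Subtree search under `base` with an AND filter: every keyword names an
    attribute that must contain the given value (names are case-insensitive)."""
    base = base.lower()
    return [e for e in entries
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and all(str(v) in e["attrs"].get(k.lower(), []) for k, v in must.items())]


def missing_well_known_mappings(entries, group_suffix=GROUP_SUFFIX):
    """Well-known SIDs with no sambaGroupMapping under the group suffix; each
    one yields a 'Did not find group ... sambaSID=...' line when looked up."""
    return [sid for sid in WELL_KNOWN_SIDS
            if not search(entries, group_suffix, objectClass="sambaGroupMapping", sambaSID=sid)]


def diagnose_primary_group(entries, uid, user_suffix=USER_SUFFIX, group_suffix=GROUP_SUFFIX):
    """What 'pdbedit -Lv <uid>' triggers: read the user's gidNumber, then look for
    (&(objectClass=sambaGroupMapping)(gidNumber=N)) under the group suffix.
    Also reports a plain posixGroup with that gid (a candidate for net groupmap add)
    and any other entry carrying the gid, e.g. one written by idmap outside the suffix."""
    users = search(entries, user_suffix, objectClass="sambaSamAccount", uid=uid)
    if not users:
        return {"uid": uid, "found": False}
    gids = users[0]["attrs"].get("gidnumber")
    if not gids:
        return {"uid": uid, "found": True, "gidNumber": None}
    gid = gids[0]
    mapped = search(entries, group_suffix, objectClass="sambaGroupMapping", gidNumber=gid)
    posix = search(entries, group_suffix, objectClass="posixGroup", gidNumber=gid)
    known = {e["dn"] for e in users + mapped + posix}
    elsewhere = [e["dn"] for e in entries
                 if gid in e["attrs"].get("gidnumber", []) and e["dn"] not in known]
    return {"uid": uid, "found": True, "gidNumber": int(gid), "mapped": bool(mapped),
            "posix_group_exists": bool(posix), "gid_elsewhere": elsewhere}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("unmapped well-known SIDs:", missing_well_known_mappings(directory))
    for name in ("Test", "test1", "alice"):
        print(diagnose_primary_group(directory, name))
```

Run against a real export (for example the output of ldapsearch -LLL on the base, with the suffixes set to the values in smb.conf), the three user cases separate the fixes the thread discusses: test1 is healthy; alice's group exists as a posixGroup but lacks the sambaGroupMapping object class, which is what net groupmap add supplies; Test's gidNumber only appears on an idmap entry outside the group suffix, so either the user's primary group should be changed to a valid mapped group or the suffixes reconciled.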