I have a network of about 100+ users with a Samba 3.0.25 server with an LDAP backend that I configured myself (with some help). Recently I have had to add about 300 more users to my system and now I need to get a slightly less technical person to help me manage the accounts. I've been happily using smbldap-tools all of this time, but when I showed what I do to my hapless trainee, her eyes started to glaze over. So as an alternative I'd like to start using the 'User Manager for Domains' in the SRVTOOLS.EXE archive. She might find the point and click of it all more friendly.

Only thing is, when I start up User Manager, I can see all the users, but I can't see the groups. So I did a bit of checking and found that nowhere are those available as a list. Not even 'net rpc group list' will give me a list, even though if I add someone to my Domain Admins group everything works correctly. At the Windows workstation end I can access the groups by name, to set the permissions of a share to a certain group, etc., but I can't list them as I can the users. I've checked all the files... smb.conf, ldap.conf, slapd.conf, smbldap.conf and the Groups directive matches up with the right ldap 'ou' and so on. Has anyone any pointers?
rayklassen@gmail.com
2009-Jan-30 08:30 UTC
[Samba] User Manager for Domains -- Groups not showing
Currently ...

passwd: files ldap
shadow: files ldap
group: files ldap

yeah the unix end of things is perfectly happy with ldap

getent passwd | grep root
gives me both the /etc/passwd and ldap entries

getent group | grep Domain\ Users
gives me the ldap samba group

Group Mappings are just fine. except no list through samba...

On Jan 30, 2009 12:17am, "LPH van Belle" <obell@bazuin.nl> wrote:
> hi,
>
> check
> nsswitch.conf
> should have something like..
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> Louis
>
> >-----Original message-----
> >From: rayklassen@gmail.com
> >[mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of
> >Ray Klassen
> >Sent: 2009-01-30 09:14
> >To: samba@lists.samba.org
> >Subject: [Samba] User Manager for Domains -- Groups not showing
> >
> >I have a network of about 100+ users with a Samba 3.0.25 server with
> >an LDAP backend that I configured myself (with some help). Recently I
> >have had to add about 300 more users to my system and now I need to
> >get a slightly less technical person to help me manage the accounts.
> >I've been happily using smbldap-tools all of this time, but when I
> >showed what I do to my hapless trainee, her eyes started to glaze
> >over. So as an alternative I'd like to start using the 'User Manager
> >for Domains' in the SRVTOOLS.EXE archive. She might find the point and
> >click of it all more friendly. Only thing is, when I start up User
> >Manager, I can see all the users, but I can't see the groups. So I did
> >a bit of checking and found that nowhere are those available as a
> >list. Not even 'net rpc group list' will give me a list, even though
> >if I add someone to my Domain Admins group everything works correctly.
> >At the windows workstation end I can access the groups by name, to set
> >the permissions of a share to certain group, etc. but I can't list
> >them as I can the users. I've checked all the files...
> >smb.conf,ldap.conf,slapd.conf,smbldap.conf and the Groups directive
> >matches up with the right ldap 'ou' and so on. Has anyone any
> >pointers?
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: https://lists.samba.org/mailman/options/samba
Jeremy Allison
2009-Jan-30 18:28 UTC
[Samba] User Manager for Domains -- Groups not showing
On Fri, Jan 30, 2009 at 12:13:45AM -0800, Ray Klassen wrote:
> I have a network of about 100+ users with a Samba 3.0.25 server with
> an LDAP backend that I configured myself (with some help). Recently I
> have had to add about 300 more users to my system and now I need to
> get a slightly less technical person to help me manage the accounts.
> I've been happily using smbldap-tools all of this time, but when I
> showed what I do to my hapless trainee, her eyes started to glaze
> over. So as an alternative I'd like to start using the 'User Manager
> for Domains' in the SRVTOOLS.EXE archive. She might find the point and
> click of it all more friendly. Only thing is, when I start up User
> Manager, I can see all the users, but I can't see the groups. So I did
> a bit of checking and found that nowhere are those available as a
> list. Not even 'net rpc group list' will give me a list, even though
> if I add someone to my Domain Admins group everything works correctly.
> At the windows workstation end I can access the groups by name, to set
> the permissions of a share to certain group, etc. but I can't list
> them as I can the users. I've checked all the files...
> smb.conf,ldap.conf,slapd.conf,smbldap.conf and the Groups directive
> matches up with the right ldap 'ou' and so on. Has anyone any
> pointers?

There was a bug in earlier versions of the smbldap-tools that creates groups with the wrong sid-type. I'd suggest upgrading to 3.0.34 (latest 3.0.x release) and then ensuring the group-type is changed in your LDAP db (I think it should be type 5, rather than type 4 but this could be the other way around :-).

Jeremy.
kb9vqf@pearsoncomputing.net
2009-Feb-02 06:20 UTC
[Samba] Samba 4--are multiple domain administrators possible?
I tried granting the user admin privileges via the Windows XP domain user management console (after adding them to the "Domain Admins" group), but this had no effect. Do I have to do something permissions-wise on the Linux end?

Thank you,
Timothy Pearson

> you can add a person to a domain admin group, but if you don't grant them
> privileges to do admin task he/she will not be able to do the
> administration
> that you want so grant him/her the task to admin and you will see that the
> status will change
>
> --------------------------------------------------
> From: <kb9vqf@pearsoncomputing.net>
> Sent: 02/01/2009 8:50 PM
> To: <samba@lists.samba.org>
> Subject: [Samba] Samba 4--are multiple domain administrators possible?
>
>> I have a quick question for someone knowledgeable in Samba 4:
>> I recently set up a Samba 4 test server, utilizing the built-in LDAP
>> server, and joined a Windows XP client to it. After logging in with
>> the
>> precreated "administrator" account I then attempted to add another user
>> and grant that user domain administrator privileges by adding him to the
>> "Domain Admins" group.
>>
>> When I logged in under the new user, I was completely locked out of any
>> administrative tasks, even though that user was showing up under the
>> "Domain Admins" group. Does Samba 4 not yet understand multiple domain
>> administrators, or did I do something wrong?
>>
>> Thank you for any assistance you can offer. Samba 4 is quite impressive
>> even in alpha!
>>
>> Timothy Pearson
Volker Lendecke
2009-Feb-02 18:17 UTC
[Samba] User Manager for Domains -- Groups not showing
On Mon, Feb 02, 2009 at 09:16:06AM -0800, Ray Klassen wrote:
> One sanitized debug log coming up. This is not using user manager for
> domains. This is with net rpc group list.
>
> > What you need to do is provide a debug level 10 log of smbd
> > trying to enumerate groups.
> >
> > Volker
>
> smbldap_search_paged: base => [ou=Groups,dc=thisdomain,dc=com],
> filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))],scope
> => [2], pagesize => [1024]
> [2009/02/02 08:41:20, 5] lib/smbldap.c:smbldap_search_ext(1182)
> smbldap_search_ext: base => [ou=Groups,dc=thisdomain,dc=com], filter
> => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))],
> scope => [2]
> [2009/02/02 08:41:20, 3] lib/smbldap.c:smbldap_search_paged(1333)
> smbldap_search_paged: search was successfull
> [2009/02/02 08:41:20, 10] rpc_server/srv_samr_nt.c:_samr_query_dispinfo(1289)
> samr_reply_query_dispinfo: starting group enumeration at index 0
> [2009/02/02 08:41:20, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2009/02/02 08:41:20, 5] rpc_parse/parse_samr.c:init_sam_dispinfo_3(1810)
> init_sam_dispinfo_3: num_entries: 0

To me this looks as if you don't have any groups in your LDAP tree under ou=Groups,dc=thisdomain,dc=com. You should be able to do the exact same search with ldapsearch:

ldapsearch -x -b ou=Groups,dc=thisdomain,dc=com '(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))'

and see what comes back.

Volker
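
Added example (not part of the thread and not Samba or smbldap-tools code): a small audit that reads an LDIF dump of ou=Groups and reports, per entry, which clause of the filter shown in the debug log it fails, so a wrong sambaGroupType or SID is visible instead of just an empty result. The audit_groups and sample_ldif names, the sample entries and the SID value are constructed for illustration; the script assumes unwrapped LDIF lines with plain "dn: " values.

```shell
#!/bin/sh
# Placeholder domain SID, constructed for this example (not from the thread).
DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'

# Constructed sample of what an ou=Groups dump might contain.
sample_ldif() {
cat <<EOF
dn: cn=Domain Admins,ou=Groups,dc=thisdomain,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
sambaGroupType: 2
sambaSID: ${DOMAIN_SID}-512

dn: cn=Staff,ou=Groups,dc=thisdomain,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Staff
sambaGroupType: 4
sambaSID: ${DOMAIN_SID}-3001

dn: cn=unixonly,ou=Groups,dc=thisdomain,dc=com
objectClass: posixGroup
cn: unixonly
EOF
}

# audit_groups SID_PREFIX   (LDIF on stdin)
# Mirrors the logged filter: objectclass=sambaGroupMapping,
# sambaGroupType=2, sambaSID=<SID_PREFIX>*. One result line per entry.
audit_groups() {
  awk -v sid="$1" '
    function report() {
      if (dn == "") return
      if (!map)                       r = "HIDDEN no sambaGroupMapping objectClass"
      else if (type != "2")           r = "HIDDEN sambaGroupType=" type
      else if (index(gsid, sid) != 1) r = "HIDDEN sambaSID outside domain"
      else                            r = "LISTED"
      print r ": " dn
      dn = ""; map = 0; type = ""; gsid = ""
    }
    /^dn: /                                         { report(); dn = substr($0, 5) }
    tolower($0) == "objectclass: sambagroupmapping" { map = 1 }
    /^sambaGroupType: /                             { type = $2 }
    /^sambaSID: /                                   { gsid = $2 }
    END                                             { report() }
  '
}

sample_ldif | audit_groups "$DOMAIN_SID"
```

Against a live directory, pipe in `ldapsearch -x -LLL -o ldif-wrap=no -b ou=Groups,dc=thisdomain,dc=com` with no filter, and pass the real domain SID as the argument.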