Granzow, Matt (MED, Adecco)
2003-Oct-01 15:23 UTC
[Samba] Group mapping, among other problems
Hopefully I can write this out so someone understands it.

We are currently running a number of Solaris servers, to which Windows computers need to connect. Currently they connect via NFS using Hummingbird's NFS client. This requires them to have a separate Unix account along with their Windows account.

Our idea is to implement Samba 3.0.0 to eliminate that NFS client.

My current problems are:

#1, when I mount my share (in either Windows or Unix using smbclient), I am not getting the proper permissions. We have a group (let's call it happy) in both Unix and in our Windows domain. With winbind, the domain\happy group obviously isn't getting the same GID as the Unix happy group. The share we are working on is 0775, so I can't write to it when I connect using my domain acct. In net groupmap I have a mapping for the group domain\happy = happy, and in my username.map file I have * domain\*. What else do I need to set up to get this working? Using getent group I only get one group in my domain, but when I run wbinfo -g I get the full list. getent passwd gets me all the users in the domain, so I don't understand what is so broken about groups.

#2, when I have something mounted and I run smbstatus (or click status from SWAT), it will just hang where it is finding who is connected.

Here is a copy of my smb.conf file; hopefully it will help someone figure this out. Yes, winbind is running, and it has a computer account in the domain. wbinfo works. ntlm_auth works. So I know I'm close, but I just can't figure out this last part. And yes, I do need that many uids if I have to use winbind enum users = yes.

[global]
        workgroup = ourdomain
        netbios name = BOXEN
        server string = Samba %v on %L
        security = DOMAIN
        password server = pdc
        username map = /usr/local/samba/lib/username.map
        username level = 2
        log file = /var/log/samba/samba.%m
        max open files = 20000
        load printers = No
        preferred master = No
        local master = No
        domain master = No
        kernel oplocks = No
        ldap ssl = no
        idmap uid = 10000-45000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        create mask = 0775
        directory mask = 0775
        mangled names = No
        oplocks = No
        level2 oplocks = No

[smbview]
        comment = viewstorage
        path = /smbview
        read only = No
        writable = yes

/smbview is 0775 and so are all the files in it. All I need to do is get users that authenticate via Samba to get the proper group assigned when they connect.

Thanks for any help!
Mathew Granzow
Granzow, Matt (MED, Adecco) wrote:
> Hopefully I can write this out so someone understands it.
> [...]
> /smbview is 0775 and so are all the files in it. All I need to do is
> get users that authenticate via samba to get the proper group assigned
> when they connect.

I think that I have the same problem.

My setup:
- PDC on RH9 (Samba3 RPM + small Jeremy %S patch + removal of -g in Make to avoid crunching the disks), SAM on ldapsam. Works nicely (I gave up FreeBSD 5.1).
- Member server on Solaris 9, Samba 3 + %S patch, using winbind.

Winbind works quite nicely for users: ksh recognises ~user, I get the right conversions for SID to uid, uid to SID, and so on... But not for groups. In fact, I think that the group mapping code for winbind is a little bit too fast.
Let me explain. Here are my group definitions in LDIF format:

dn: cn=Domain Admins,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2025
gidNumber: 512
displayName: Domain Admins
memberUid: Administrator
memberUid: root
memberUid: jerome
memberUid: david
sambaGroupType: 2
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Local Unix group
cn: Domain Admins

dn: cn=domusers,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2027
gidNumber: 513
displayName: Domain Users
sambaGroupType: 2
memberUid: jerome
memberUid: david
memberUid: henri
memberUid: mytest
memberUid: mytest2
description: Utilisateurs du domaine
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domusers

dn: cn=Domain Guests,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2029
gidNumber: 514
displayName: Domain Guests
sambaGroupType: 2
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Local Unix group
cn: Domain Guests

Notice the gidNumbers and the SID numbers, which "toe the party line": sid-suffix = 1000 + gid*2 + 1

Now, let's have a look at the conversion when trying to resolve groups on the Solaris member server (with net rpc group list):

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3209628119-1617240125-1967951502-512) -> -1
Domain Guests (S-1-5-21-3209628119-1617240125-1967951502-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3209628119-1617240125-1967951502-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

It seems to me that the SIDs are a little bit mangled with gidNumbers...

This is all the information I have at hand for now. If you need more information, you'll have to wait until Thursday.

Regards,
Jérôme
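As an added example (not code from either poster), the following Python script parses the LDIF and the net rpc group list output quoted above, checks that each group's RID follows the 1000 + gid*2 + 1 convention Jérôme describes, and reports where the SID the member server resolved for a group differs from the one stored in LDAP or could not be mapped to a gid (the -1). The data is copied from the post, abridged to the attributes the check needs; the same comparison applies to any member-server group that does not resolve, such as Matt's domain\happy.

```python
import re

# Copied from Jerome's post (abridged to the attributes the check needs).
LDIF = """\
dn: cn=Domain Admins,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2025
gidNumber: 512
displayName: Domain Admins

dn: cn=domusers,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2027
gidNumber: 513
displayName: Domain Users
"""
# `net rpc group list` output on the Solaris member server (domain groups only).
NET_RPC = """\
Domain Admins (S-1-5-21-3209628119-1617240125-1967951502-512) -> -1
Domain Users (S-1-5-21-3209628119-1617240125-1967951502-513) -> -1
"""
SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_ldif(text):
    # {displayName: (domain_sid, rid, gid)} for each group entry
    out = {}
    for entry in text.strip().split("\n\n"):
        a = dict(line.partition(": ")[::2] for line in entry.splitlines())
        dom, rid = SID.match(a["sambaSID"]).groups()
        out[a["displayName"]] = (dom, int(rid), int(a["gidNumber"]))
    return out

def parse_net_rpc(text):
    """{name: (domain_sid, rid, gid)}; gid -1 means winbind could not map the SID."""
    out = {}
    for name, sid, gid in re.findall(r"^(.+?) \((S-1-5-[\d-]+)\) -> (-?\d+)$", text, re.M):
        dom, rid = SID.match(sid).groups()
        out[name] = (dom, int(rid), int(gid))
    return out

def check(ldap, member):
    """Compare the PDC's LDAP groups with what the member server resolved."""
    findings = []
    for name, (dom, rid, gid) in ldap.items():
        if rid != 1000 + 2 * gid + 1:   # algorithmic RID convention used in the LDIF
            findings.append((name, "rid does not follow 1000+2*gid+1"))
        if name not in member:
            findings.append((name, "not listed by member server")); continue
        mdom, mrid, mgid = member[name]
        if (mdom, mrid) != (dom, rid):
            findings.append((name, "SID differs: ldap=%s-%d member=%s-%d" % (dom, rid, mdom, mrid)))
        if mgid == -1:
            findings.append((name, "member server could not map the SID to a gid"))
    return findings
```

Run with `for name, why in check(parse_ldif(LDIF), parse_net_rpc(NET_RPC)): print(name, why)`; on the posted data every domain group shows both a differing SID and an unmapped gid, while the RIDs in LDAP do follow the stated convention.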