Mathieu Nantel
2003-Dec-05 13:55 UTC
[Samba] Samba 3.0.1pre3/ldap - Strange gid mappings server side
Good day,

I'm running some tests with Samba 3.0.1pre3 with an LDAP sam. LDAP has been, to the best of my abilities, properly populated with the needed group mappings.

- The "net groupmap list" command indeed shows the following:

[root@box bin]# ./net groupmap list
Domain Admins (S-1-5-21-2009448231-1530593524-1969381020-512) -> domadm
Domain Users (S-1-5-21-2009448231-1530593524-1969381020-513) -> domusr
Domain Guests (S-1-5-21-2009448231-1530593524-1969381020-514) -> domgst
Administrators (S-1-5-21-2009448231-1530593524-1969381020-544) -> admins
users (S-1-5-21-2009448231-1530593524-1969381020-545) -> users
Guests (S-1-5-21-2009448231-1530593524-1969381020-546) -> guests
Power Users (S-1-5-21-2009448231-1530593524-1969381020-547) -> pwrusr
Account Operators (S-1-5-21-2009448231-1530593524-1969381020-548) -> acntop
Server Operators (S-1-5-21-2009448231-1530593524-1969381020-549) -> srvop
Print Operators (S-1-5-21-2009448231-1530593524-1969381020-550) -> prtop
Backup Operators (S-1-5-21-2009448231-1530593524-1969381020-551) -> bkpop
Replicator (S-1-5-21-2009448231-1530593524-1969381020-552) -> replic
Domain Computers (S-1-5-21-2009448231-1530593524-1969381020-553) -> domwks
Data (S-1-5-21-2009448231-1530593524-1969381020-9000) -> data
Chem (S-1-5-21-2009448231-1530593524-1969381020-9001) -> chem

- Unix local groups are created (ie domadm,domusr,etc...):

chem::7000:
data::2000:
ntadmin::2800:
admins::544:
users::545:
guests::546:
pwrusr::547:
acntop::548:
srvop::549:
prtop::550:
bkpop::551:
replic::552:
domwks::553:
domadm::512:
domusr::513:
domgst::514:

- And LDAP shows the proper info (as far as my knowledge goes). Here's a sample entry, as I know this message is already long enough:

dn: cn=Domain Admins,ou=Groups,dc=ecopiabio,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2009448231-1530593524-1969381020-512
sambaGroupType: 2
displayName: Domain Admins
memberUid: root

Now for the weird behavior: granting access to "Domain Admins" through Windows XP's "security" tab (I have acl support compiled in) to a file yields the following facl on the unix side:

user::rwx
group::rw-              #effective:rw-
group:2147483404:r-x    #effective:r-x
mask:rwx
other:r--

GID for "Domain Admins" is fishy. Things look OK on the Windows side of things though (in the security tab, Domain Admins is right there with proper permissions).

Samba logs show the following few error messages:

asdasd (192.168.1.52) connect to service data initially as user mat (uid=2006, gid=2000) (pid 718)
[2003/12/05 08:27:09, 0] rpc_server/srv_util.c:get_domain_user_groups(371)
  get_domain_user_groups: primary gid of user [mat] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that
[2003/12/05 08:27:09, 0] rpc_server/srv_util.c:get_alias_user_groups(219)
  get_alias_user_groups: gid of user mat doesn't exist. Check your /etc/passwd and /etc/group files
[2003/12/05 08:27:36, 0] lib/smbldap.c:smbldap_open(800)
  smbldap_open: cannot access LDAP when not root..
[2003/12/05 08:27:36, 1] lib/smbldap.c:smbldap_retry_open(889)
  Connection to LDAP Server failed for the 1 try!
[2003/12/05 08:27:36, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1639)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)
[2003/12/05 08:27:36, 0] lib/smbldap.c:smbldap_open(800)
  smbldap_open: cannot access LDAP when not root..
[2003/12/05 08:27:36, 1] lib/smbldap.c:smbldap_retry_open(889)
  Connection to LDAP Server failed for the 1 try!
[2003/12/05 08:27:36, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1639)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)

Now before this is questioned, gid 2000 (group data) does indeed exist both in LDAP and in /etc/group, and is the user's primary GID in LDAP and /etc/passwd. This one is also leaving me without a clue.

Does anyone have an idea of the source of these problems?

Thanks in advance,

--
==================================================================
Mathieu Nantel - RHCE,CCNA
Ecopia BioSciences Systems Manager
(514) 336-2724 x434
nantel@ecopiabio.com
==================================================================
[*] Please avoid sending me Word/Excel/PowerPoint attachments.
 `----> See: http://www.fsf.org/philosophy/no-word-attachments.html
==================================================================
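The three listings quoted in the post (the "net groupmap list" output, the group-file entries and the getfacl output) lend themselves to a mechanical consistency check. The Python script below is an added example, not code from the original post or from Samba: it parses a constructed subset of those listings, embedded inline, and reports any NT group whose mapped Unix group is missing from the group file, and any named ACL group entry whose numeric gid or name matches no group the system knows. On the post's data all the mappings resolve, and the only finding is the ACL gid 2147483404, which is exactly the entry the poster calls fishy.

```python
"""Cross-check Samba group mappings, the Unix group file and a getfacl listing.
Added example, not code from the original post or from Samba. The sample
listings are a constructed subset of the ones quoted in the post."""
import re

# One line of 'net groupmap list' output: "<NT name> (<SID>) -> <unix group>"
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")

SAMPLE_GROUPMAP = """\
[root@box bin]# ./net groupmap list
Domain Admins (S-1-5-21-2009448231-1530593524-1969381020-512) -> domadm
Domain Users (S-1-5-21-2009448231-1530593524-1969381020-513) -> domusr
Domain Guests (S-1-5-21-2009448231-1530593524-1969381020-514) -> domgst
Administrators (S-1-5-21-2009448231-1530593524-1969381020-544) -> admins
users (S-1-5-21-2009448231-1530593524-1969381020-545) -> users
Data (S-1-5-21-2009448231-1530593524-1969381020-9000) -> data
Chem (S-1-5-21-2009448231-1530593524-1969381020-9001) -> chem
"""

SAMPLE_GROUP_FILE = """\
chem::7000:
data::2000:
ntadmin::2800:
admins::544:
users::545:
domadm::512:
domusr::513:
domgst::514:
"""

SAMPLE_FACL = """\
user::rwx
group::rw-              #effective:rw-
group:2147483404:r-x    #effective:r-x
mask:rwx
other:r--
"""


def parse_groupmap(text):
    """Map each Unix group name to (NT group name, RID) from 'net groupmap list'."""
    mapping = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:  # the shell prompt and blank lines do not match and are skipped
            rid = int(m.group("sid").rsplit("-", 1)[1])
            mapping[m.group("unix")] = (m.group("name"), rid)
    return mapping

def parse_group_file(text):
    """Map group name to numeric gid from /etc/group-style lines (name:pw:gid:members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[fields[0]] = int(fields[2])
    return groups

def parse_facl(text):
    """Return (tag, qualifier, perms) tuples from getfacl output, dropping '#effective' notes."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        qualifier = parts[1] if len(parts) == 3 else ""  # 'mask:rwx' has no qualifier field
        entries.append((parts[0], qualifier, parts[-1]))
    return entries

def check_mappings(groupmap_text, group_file_text):
    """NT groups whose mapped Unix group does not exist in the group file."""
    groups = parse_group_file(group_file_text)
    return sorted(nt for unix, (nt, _rid) in parse_groupmap(groupmap_text).items()
                  if unix not in groups)

def check_acl(facl_text, group_file_text):
    """Named ACL group entries whose gid (or name) resolves to no group in the group file."""
    groups = parse_group_file(group_file_text)
    known_gids = set(groups.values())
    unresolved = []
    for tag, qualifier, _perms in parse_facl(facl_text):
        if tag != "group" or not qualifier:
            continue  # 'group::' is the owning group; user/mask/other are not group entries
        if qualifier.isdigit():
            if int(qualifier) not in known_gids:
                unresolved.append(int(qualifier))
        elif qualifier not in groups:
            unresolved.append(qualifier)
    return unresolved

if __name__ == "__main__":
    print("NT groups mapped to a missing Unix group:", check_mappings(SAMPLE_GROUPMAP, SAMPLE_GROUP_FILE))
    print("ACL group entries that resolve to no group:", check_acl(SAMPLE_FACL, SAMPLE_GROUP_FILE))
```

In real use the three inputs come from running the commands on the file server. A gid that appears in an ACL but in no group database is best treated as a mapping failure rather than a real group: the entry grants rights to whatever process later happens to run with that gid, and it will not show up in any group-membership review.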