System:
I am running RedHat 8.0 (2.4.18-14smp) with SAMBA 2.7 and user authentication against OpenLDAP 2.1.22.

Problem:
On RedHat, Put over (I think 70 or so) users within a secondary group. Go to Konqueror or Nautilus and try to change a directory's permissions to that group with over 70 or so users in it, (it may be 80 or 90 users), YOU CAN NOT assign that group to have ownership of that directory or any directory. It will revert back to what the ownership was before. You CAN NOT assign the group rights with a chmod either.

MANDRAKE 8.2 WILL ALLOW THIS, HOWEVER!

DOES ANYONE know what I may be missing on Redhat? This is killing me!

Thanks!
mbrown@mesainc.com

On Fri, 2004-01-09 at 12:27, MICHAEL BROWN wrote:
> System:
> I am running RedHat 8.0 (2.4.18-14smp) with SAMBA 2.7 and user
> authentication against OpenLDAP 2.1.22.
>
> Problem:
> On RedHat, Put over (I think 70 or so) users within a secondary group.
> Go to Konqueror or Nautilus and try to change
> a directory's permissions to that group with over 70 or so users in it,
> (it may be 80 or 90 users), YOU CAN NOT assign that
> group to have ownership of that directory or any directory. It will
> revert back to what the ownership was before. You CAN NOT
> assign the group rights with a chmod either.
>
> MANDRAKE 8.2 WILL ALLOW THIS, HOWEVER!
>
> DOES ANYONE know what I may be missing on Redhat? This is killing me!
----
This isn't a Red Hat problem - I do this all the time. This is a configuration problem.

getent group
#does it list the groups in /etc/group first and then
#the groups in LDAP?

chmod problems? are you trying to change the mount? The mount is owned by whomever made the mount

just to show you that it works on samba...

[root@linserv1 samba]# mkdir test
[root@linserv1 samba]# chown "Craig White"."Domain Users" test
[root@linserv1 samba]# ls -l
total 14
<data snipped for clarity>
drwxr-xr-x 2 Craig White Domain Users 4096 Jan 9 14:13 test
[root@linserv1 samba]# grep "Craig White" /etc/passwd
[root@linserv1 samba]# grep "Domain Users" /etc/group
[root@linserv1 samba]# getent passwd|grep "Craig White"
Craig White:x:1003:1008:System User:/home/users/Craig White:/bin/false
[root@linserv1 samba]# getent group|grep "Domain Users"
Domain Users:x:1008:root,artstation,Administrator,catchalladv,catchallpr,nkelley,kbenedetto,cmullen,cnassa,dgibson,dmitchell,efigg,equijada,jconcors,jgrammond,jwhittle,khageman,lhjerpstedt,lschnebly,mlalone,mmotta,msmith,msparks,mwilliams,pshannon,rcrisman,spainter,scooperman,sstrauss,test,dwaddle

check your /etc/nsswitch.conf

Craig

Thanks for your reply Craig.

Yes, getent DOES show the group and users correctly and yes, I have tried switching the nsswitch.conf file to:

group: ldap files nis

but that does not work either.
What DOES work, I found this out a little while ago, is setting the directory to the GID within LDAP like:
chown :5011 /home/test
5011 is the name of the group with the number of users above 60 or 70.
Samba will authenticate correctly like this.
Any group with the total user count below that number, (60 or 70), will allow me to use the actual name of the group but if you go above that number in the secondary groups, it does not recognize the name on ANY Redhat machine that I have in production.
As I stated earlier, I have no problem on Mandrake 8.2

Also Craig,
Your example group below "Domain Users" only has, if I count correctly, 31 users. You have to get up to about 70-80 or so before you see what I am seeing. My groups work as well with that few of users within the secondary groups =)

On Fri, 2004-01-09 at 14:42, MICHAEL BROWN wrote:
> Thanks for your reply Craig.
>
> Yes, getent DOES show the group and users correctly and yes, I have
> tried switching the nsswitch.conf file to:
>
> group: ldap files nis
>
> but that does not work either.
> What DOES work, I found this out a little while ago, is setting the
> directory to the GID within LDAP like:
> chown :5011 /home/test
> 5011 is the name of the group with the number of users above 60 or 70.
> Samba will authenticate correctly like this.
> Any group with the total user count below that number, (60 or 70), will
> allow me to use the actual name of the group but
> if you go above that number in the secondary groups, it does not
> recognize the name on ANY Redhat machine that I have in production.
> As I stated earlier, I have no problem on Mandrake 8.2
----
OK - got it...

nscd - Name Caching Server Daemon

According to the very famous Mr. Terpstra's How-to Guide, you must shut this off if you use winbind

If you don't use winbind...

service nscd restart

Necessary sometimes after you adjust /etc/nsswitch.conf because the caching remains in place.

and by the way, I think you will find life is easier if you set

passwd: files ldap nisplus #only use nisplus if you use nisplus in
                           #your network otherwise, don't use
group: files ldap

(and of course, if you change this setup, best to restart the nscd service to clear the existing cache.)

Craig

That is not it either Craig. I have tried it with nscd and without in the past and neither worked =(
By the way, my nsswitch.conf is set to:
group: files ldap
I just tried putting ldap in front to see if it had any bearing on the situation.
Any other ideas? Do you have a secondary group with 70-80 users in it?
Oh yea, the PRIMARY groups with over 70 and up ARE recognized. It is just the secondary groups.

On Fri, 2004-01-09 at 14:49, MICHAEL BROWN wrote:
> Also Craig,
> Your example group below "Domain Users" only has, if I count correctly,
> 31 users. You have to get up to about 70-80 or so before you see what I
> am seeing. My groups work as well with that few of users within the
> secondary groups =)
---
IIRC - there was a limit of 1024 characters per 'line' which would be the group itself.

Craig

I thought that the 1024 was only linked to the /etc/group file itself. Do you think that this could be the problem? If so, how does one get around that limitation??

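Added example (not part of the original thread, and not code from either poster): one way to check the 1024-character recollection above is to measure each group entry in the form getent prints it and list the ones that exceed the limit. The group name "bigsecondary", the userNNNNNNNN member names and the generated lines are constructed sample data; GID 5011 and the 31-member count are taken from the messages above.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `getent group`-format lines
# (name:passwd:gid:member1,member2,...) on stdin and prints
# name:gid:member_count:line_length for every entry longer than LIMIT bytes.
oversized_groups() {
    limit="${1:-1024}"   # 1024 is the figure recalled in the thread (an assumption)
    LC_ALL=C awk -F: -v limit="$limit" '
        NF >= 4 {
            count = ($4 == "") ? 0 : split($4, members, ",")
            if (length($0) > limit)
                printf "%s:%s:%d:%d\n", $1, $3, count, length($0)
        }'
}

# Constructed sample data: one group line with COUNT members named userNNNNNNNN.
make_group_line() {   # usage: make_group_line NAME GID COUNT
    awk -v name="$1" -v gid="$2" -v count="$3" 'BEGIN {
        line = name ":x:" gid ":"
        for (i = 1; i <= count; i++) {
            sep = (i > 1) ? "," : ""
            line = line sep sprintf("user%08d", i)
        }
        print line
    }'
}

# A 31-member group (the count given for "Domain Users") against a 90-member one.
sample_report() {
    {
        make_group_line "Domain Users" 1008 31
        make_group_line "bigsecondary" 5011 90
    } | oversized_groups "${1:-1024}"
}

sample_report
# On a live host: getent group | oversized_groups 1024
```

With 12-character member names the 31-member entry is 422 bytes and the 90-member entry is 1189 bytes, so only the larger group is reported at the 1024 limit.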
On Fri, 2004-01-09 at 15:21, MICHAEL BROWN wrote:
> I thought that the 1024 was only linked to the /etc/group file itself.
> Do you think that this could be the problem? If so, how does one get
> around that limitation??
>
> >>> Craig White <craigwhite@azapple.com> Friday, January 09, 2004 >>>
> On Fri, 2004-01-09 at 14:49, MICHAEL BROWN wrote:
> > Also Craig,
> > Your example group below "Domain Users" only has, if I count correctly,
> > 31 users. You have to get up to about 70-80 or so before you see what I
> > am seeing. My groups work as well with that few of users within the
> > secondary groups =)
> ---
> IIRC - there was a limit of 1024 characters per 'line' which would be
> the group itself.
>
> Craig
----
I had one last thought (assuming that the problem isn't in the version of ldap that you are using - you might wish to check with padl)

are the SID's from your group and your local machine the same?

[root@linserv2 config]# ldapsearch -x -h localhost -D \
'cn=root,o=DOMAIN,c=US' -W '(cn=users-all)'
Enter LDAP Password:
version: 2

#
# filter: (cn=users-all)
# requesting: ALL
#

# users-all, Groups, DOMAIN, US
dn: cn=users-all,ou=Groups,o=DOMAIN,c=US
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: users-all
userPassword:: e2NyeXB0fXg=
gidNumber: 1000
memberUid: kbenedetto
memberUid: Administrator
memberUid: catchalladv
memberUid: catchallpr
memberUid: nkelley
sambaSID: S-1-5-21-1292501092-333717336-619646970-513
sambaGroupType: 2
displayName: Domain Users
description: Local Unix group

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@linserv2 config]# net getlocalsid
SID for domain LINSERV2 is: S-1-5-21-1292501092-333717336-619646970

obviously the GID has the group # suffixed at the end but are otherwise the same

Craig