Chris Slack
2004-Mar-15 13:59 UTC
[Samba] Group Mapping Problems with Samba 3.0.2a & OpenLDAP 2.2.6
Hello all,

I am attempting to set up a Samba 3.0.2a based PDC using OpenLDAP 2.2.6 for my user/group authentication backend. So far everything seems to be working properly: I can join the domain from a Win2k PC, login via an account created with smbldap-useradd.pl, map my home directory, run the proper login script, etc. However, with all of that working I'm still having difficulties getting group mapping to work.

I've run through the steps in the Samba HOWTO manual and tried everything else I could find on the web, but I'm stumped at this point.

When I type:

net groupmap list

I get nothing. When I type:

net groupmap add rid=512 ntgroup="Domain Admins" unixgroup="Domain Admins"

I get the message "adding entry for group Domain Admins failed!". I've tried several permutations of this using different groups, and I've tried adding groups to the local /etc/group file to see if it was having an issue with LDAP, but nothing seems to help. I can't seem to find anyone else who has had this problem and, like I said, everything else is working fine. Attached to the bottom of this message is a dump from testparm with the details of my /etc/samba/smb.conf file.

Please let me know if anyone can give me any suggestions.

Thanks,

Chris Slack
IT System Administrator
Mercy Ships
M/V Anastasis - Currently docked in Freetown, Sierra Leone, West Africa
www.mercyships.org

----------------------------------------------------------------------------

[root@herm2 /etc]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[nobody]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = CHANNEL
        server string = Samba Server
        null passwords = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
        passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null -g 553 -s /bin/false %u
        add machine script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null -g 553 -s /bin/false %u
        logon script = login.js
        logon path = \\%L\Profiles\%U
        logon drive = X:
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap port = 389
        ldap suffix = "ou=MSAN,dc=ana,dc=mercyships,dc=org"
        ldap admin dn = "cn=Manager,dc=ana,dc=mercyships,dc=org"
        ldap ssl = no

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[nobody]
        comment = to prevent from user nobody from having a home share
        path = /dev/null
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /msu/netlogon
        browseable = No
        share modes = No
        root preexec = /usr/local/bin/mkuserconfig.pl %U
        root postexec = rm /msu/netlogon/%U.conf

[Profiles]
        path = /msu1/Profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
        browseable = No
Clint Sharp
2004-Mar-15 21:56 UTC
[Samba] Group Mapping Problems with Samba 3.0.2a & OpenLDAP 2.2.6
On Mon, 15 Mar 2004, Chris Slack wrote:

> [...]
>
> When I type:
>
> net groupmap list
>
> I get nothing. When I type:
>
> net groupmap add rid=512 ntgroup="Domain Admins" unixgroup="Domain Admins"
>
> I get the message "adding entry for group Domain Admins failed!". I've
> tried several permutations of this using different groups, I've tried adding
> groups to the local /etc/group file to see if it was having an issue with
> LDAP, but nothing seems to help. I can't seem to find anyone else who has
> had this problem and like I said, everything else is working fine. Attached
> to the bottom of this message is a dump from testparm with the details of my
> /etc/samba/smb.conf file.
>
> [...]

Chris,

What do your LDAP logs show samba is sending as the queries? In the past when I've had this problem it was related to my ldap suffix. User queries worked, but group queries did not (I had groups in a separate ou from users). However, your user and group suffixes are not set in your smb.conf, so it's not the exact same problem I had.

Please send me the output from a:

net -d3 groupmap list

Clint
Ganael Laplanche
2004-Mar-16 15:06 UTC
[Samba] Group Mapping Problems with Samba 3.0.2a & OpenLDAP 2.2.6
Hi,

Didn't you forget to create a posixGroup entry for the group you're trying to add?

1 - Create your group in /etc/group:

groupadd somegroup

2 - Add this entry to your LDAP directory:

dn: cn=somegroup,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
cn: somegroup
gidNumber: 1003

(modify the dn and gid to match your needs...)

Once this entry is added, you should be able to map "somegroup" to any Windows group...

Good luck,

Ganaël LAPLANCHE
ganael.laplanche@martymac.com
http://www.martymac.com
Tel : (+33)6.84.03.57.24.

---------- Original Message -----------
From: "Chris Slack" <christopher.slack@mercyships.org>
To: <samba@lists.samba.org>
Sent: Mon, 15 Mar 2004 13:58:34 -0000
Subject: [Samba] Group Mapping Problems with Samba 3.0.2a & OpenLDAP 2.2.6

> [...]
>
> When I type:
>
> net groupmap list
>
> I get nothing. When I type:
>
> net groupmap add rid=512 ntgroup="Domain Admins" unixgroup="Domain Admins"
>
> I get the message "adding entry for group Domain Admins failed!". I've
> tried several permutations of this using different groups, I've tried adding
> groups to the local /etc/group file to see if it was having an issue with
> LDAP, but nothing seems to help.
>
> [...]
------- End of Original Message -------
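As an added example (not code from this thread or from Samba), the prechecks a defender would run before mapping a well-known RID such as 512 onto a unix group: the unix group must resolve through NSS (exist as a posixGroup with a gidNumber, as Ganaël's LDIF creates), it must be a valid unix group name, and neither the RID nor the unix group should already be mapped. The `getent group` and `net groupmap list` samples are constructed, and the `<ntgroup> (<sid>) -> <unixgroup>` line format is assumed from Samba 3.

```python
import re
# Constructed `getent group` sample (NSS view of /etc/group plus LDAP posixGroups);
# no "Domain Admins" group exists here, reproducing the situation in the thread.
GETENT_GROUP = """\
root:x:0:
users:x:100:
domadm:x:1003:chris
"""
# Constructed `net groupmap list` sample, assuming Samba 3's line format
# "<ntgroup> (<sid>) -> <unixgroup>"; the domain SID is made up.
GROUPMAP_LIST = """\
Domain Users (S-1-5-21-111-222-333-513) -> users
Domain Guests (S-1-5-21-111-222-333-514) -> nobody
"""
MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-21-[\d-]+)\) -> (?P<unix>\S+)$")
# Portable unix group name, as groupadd accepts it by default (assumption).
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

def parse_getent_group(text):
    """Return {group name: gid} from getent group / /etc/group style lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0]:
            groups[fields[0]] = int(fields[2])
    return groups

def parse_groupmap_list(text):
    """Return {rid: (ntgroup, unixgroup)} from net groupmap list lines."""
    mappings = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            rid = int(m.group("sid").rsplit("-", 1)[1])  # last SID component is the RID
            mappings[rid] = (m.group("nt"), m.group("unix"))
    return mappings

def precheck_groupmap_add(rid, unixgroup, groups, mappings):
    """Reasons `net groupmap add rid=<rid> ... unixgroup=<unixgroup>` would fail or clash; [] means go ahead."""
    problems = []
    if not NAME_RE.match(unixgroup):
        problems.append(f"{unixgroup!r} is not a valid unix group name")
    if unixgroup not in groups:
        problems.append(f"{unixgroup!r} does not resolve via NSS: add the posixGroup entry first")
    if rid in mappings:
        problems.append(f"RID {rid} is already mapped to {mappings[rid][1]!r}")
    for other_rid, (nt, ug) in mappings.items():
        if ug == unixgroup and other_rid != rid:
            problems.append(f"{unixgroup!r} is already mapped to {nt!r} (RID {other_rid})")
    return problems
```

Run the prechecks against the live output of `getent group` and `net groupmap list` on the PDC; an empty list for `rid=512` and the chosen unix group means the posixGroup is in place and the mapping will land on a real gidNumber.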