Dear List,

some general question concerning the general understanding of pam_ldap and winbindd.

I understand winbindd as a daemon that maps existing Windows users from some SAM (for example an NT or samba PDC) into the unix OS level.

On the member server (fileserver with ACLs) we have pam_ldap running, and over this way all users and groups that we need for samba access exist on the OS level.

Do I understand winbindd right in that way that I do not need winbindd at all in this setup?

If no, why do I get map errors in the log that SIDs can't be mapped to gid or uid? (net groupmap list just shows -1 entries, manual groupmaps can't be inserted => error)

If yes, what's the failure in my logic?

Thanks for all input!

Matthias

P.S.: We have been breaking our heads over this for hours now because of these groupmap errors.
On Mon, 2004-03-15 at 12:48, Matthias Eichler wrote:
> Dear List,
>
> some general question concerning the general understanding
> of pam_ldap and winbindd.
>
> I understand winbindd as a daemon that maps existing
> Windows users from some SAM (for example an NT or samba PDC)
> into the unix OS level.
>
> On the member server (fileserver with ACLs) we have pam_ldap
> running, and over this way all users and groups that we
> need for samba access exist on the OS level.
>
> Do I understand winbindd right in that way that I do not
> need winbindd at all in this setup?
---
I would agree with that
---
> If no, why do I get map errors in the log that
> SIDs can't be mapped to gid or uid?
> (net groupmap list just shows -1 entries,
> manual groupmaps can't be inserted => error)
>
> If yes, what's the failure in my logic?
---
net groupmap list (would have been nice to see that)

net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users" unixgroup=valid_unix_group type=domain

if a groupmap exists for ntgroup, you either must delete it and then add it, or modify it.

Craig
Hi Craig,

On Mon, 2004-03-15 at 21:18, Craig White wrote:
> > Do I understand winbindd right in that way that I do not
> > need winbindd at all in this setup?
> ---
> I would agree with that

That sounds good to me and my logic...:-)

> > If no, why do I get map errors in the log that
> > SIDs can't be mapped to gid or uid?
> > (net groupmap list just shows -1 entries,
> > manual groupmaps can't be inserted => error)
> ---
> net groupmap list (would have been nice to see that)

on the pdc:
---cut---
pfoertner:~# net groupmap list
Domain Admins (S-1-5-21-2443489570-4015384086-1858331161-512) -> root
Domain Users (S-1-5-21-2443489570-4015384086-1858331161-513) -> users
Domain Guests (S-1-5-21-2443489570-4015384086-1858331161-514) -> nogroup
Technik (S-1-5-21-2443489570-4015384086-1858331161-3005) -> technik
Vorstand (S-1-5-21-2443489570-4015384086-1858331161-3003) -> vorstand
Buchhaltung (S-1-5-21-2443489570-4015384086-1858331161-3009) -> buchhaltung
Marketing (S-1-5-21-2443489570-4015384086-1858331161-3007) -> marketing
Verwaltung (S-1-5-21-2443489570-4015384086-1858331161-3001) -> verwaltung
---cut---

on the member server:
---cut---
fileserver:~# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
---cut---

> net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users"
> unixgroup=valid_unix_group type=domain
> if a groupmap exists for ntgroup, you either must delete it and
> then add it, or modify it.

OK, maybe this was what I was misunderstanding: I thought that with security=DOMAIN the groupmaps should somehow be resolved between the PDC and the member server, or at least that with groupmap = -1 I would have to create them, which didn't work.

Thanks a lot! You solved our problem.

Matthias
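The fix-up discussed in this exchange, as an added shell example that is not part of the thread or of Samba itself: it parses the two `net groupmap list` listings quoted above (copied from the posts, not captured live), reports the entries still mapped to -1, and prints the `net groupmap modify` command from Craig's reply for each domain group, reusing the unix group the PDC listing maps the same NT group to. It also compares the S-1-5-21 prefix of the member server's entries with the PDC's, which differ in the two listings; the suggestion to confirm the prefix with `net getdomainsid` and the `UNIX_GROUP_TO_CHOOSE` placeholder are this example's own additions.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses "net groupmap list" output
# (copied from the listings in this thread, not captured live), lists the
# entries still mapped to -1, and emits the "net groupmap modify" command from
# Craig's reply for each domain group. It also flags that the member server's
# S-1-5-21 prefix differs from the PDC's, which the two listings show.

# Constructed sample: the member server listing quoted above.
MEMBER_GROUPMAP='System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1'

# Constructed sample: three lines of the PDC listing quoted above.
PDC_GROUPMAP='Domain Admins (S-1-5-21-2443489570-4015384086-1858331161-512) -> root
Domain Users (S-1-5-21-2443489570-4015384086-1858331161-513) -> users
Domain Guests (S-1-5-21-2443489570-4015384086-1858331161-514) -> nogroup'

# groupmap_entries LISTING: one "ntgroup|sid|unixgroup" line per entry.
groupmap_entries() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\) (\(S-[0-9-]*\)) -> \(.*\)$/\1|\2|\3/p'
}

# unmapped_groups LISTING: "ntgroup|sid" for entries whose unix side is -1.
unmapped_groups() {
    groupmap_entries "$1" | sed -n '/|-1$/ s/|-1$//p'
}

# count_unmapped LISTING: number of -1 entries.
count_unmapped() {
    unmapped_groups "$1" | wc -l | tr -d ' '
}

# sid_of NTGROUP LISTING: the SID recorded for that NT group name.
sid_of() {
    groupmap_entries "$2" | awk -F'|' -v g="$1" '$1 == g { print $2 }'
}

# unixgroup_of NTGROUP LISTING: the unix group recorded for that NT group name.
unixgroup_of() {
    groupmap_entries "$2" | awk -F'|' -v g="$1" '$1 == g { print $3 }'
}

# sid_prefix SID: drop the trailing RID (S-1-5-21-a-b-c-512 -> S-1-5-21-a-b-c).
sid_prefix() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# same_domain SID1 SID2: succeeds when both SIDs share the same prefix.
same_domain() {
    [ "$(sid_prefix "$1")" = "$(sid_prefix "$2")" ]
}

# groupmap_modify_cmd NTGROUP SID UNIXGROUP: the command from Craig's reply.
# Only domain groups (S-1-5-21-...) are emitted; BUILTIN aliases (S-1-5-32-...)
# are reported instead, because the thread only covers type=domain.
groupmap_modify_cmd() {
    case "$2" in
        S-1-5-21-*)
            printf 'net groupmap modify sid=%s ntgroup="%s" unixgroup=%s type=domain\n' \
                "$2" "$1" "$3"
            ;;
        *)
            printf '# skipped %s (%s): not a domain group\n' "$1" "$2"
            ;;
    esac
}

# Walk the member server listing: for each -1 entry, reuse the unix group the
# PDC listing maps the same NT group to (placeholder if the PDC has none) and
# print the fix-up command.
unmapped_groups "$MEMBER_GROUPMAP" | while IFS='|' read -r ntgroup sid; do
    unixgroup=$(unixgroup_of "$ntgroup" "$PDC_GROUPMAP")
    groupmap_modify_cmd "$ntgroup" "$sid" "${unixgroup:-UNIX_GROUP_TO_CHOOSE}"
done

# The two listings carry different S-1-5-21 prefixes for the same NT groups.
# A mapping stored under one prefix can only match SIDs with that prefix, so
# check which domain SID the member server will actually see (net getdomainsid
# prints it) before running the commands.
member_sid=$(sid_of 'Domain Users' "$MEMBER_GROUPMAP")
pdc_sid=$(sid_of 'Domain Users' "$PDC_GROUPMAP")
if same_domain "$member_sid" "$pdc_sid"; then
    echo "prefix matches: $(sid_prefix "$pdc_sid")"
else
    echo "WARNING: member prefix $(sid_prefix "$member_sid") != PDC prefix $(sid_prefix "$pdc_sid")"
fi
```

Run as-is, it prints three `net groupmap modify` lines for Domain Admins, Domain Users and Domain Guests, skip notes for the nine BUILTIN entries, and the prefix warning, since the member server's entries in the thread carry S-1-5-21-243015202-... while the PDC's carry S-1-5-21-2443489570-.... Nothing is executed against Samba; the commands are printed for review.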
* Matthias Eichler <mylists@ame.de> wrote:
> on the member server:
> ---cut---
> fileserver:~# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
> Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> ---cut---
>
> > net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users"
> > unixgroup=valid_unix_group type=domain
> > if a groupmap exists for ntgroup, you either must delete it and
> > then add it, or modify it.
>
> OK, maybe this was what I was misunderstanding:
> I thought that with security=DOMAIN the groupmaps
> should somehow be resolved between the PDC and
> the member server, or at least that with groupmap = -1
> I would have to create them, which didn't work.
>

Group mapping is stored in LDAP (if using ldapsam), so every samba machine on which you wish to obtain the mapping should use the same backend.

--beast
On Tue, 2004-03-16 at 01:53, Beast wrote:
> * Matthias Eichler <mylists@ame.de> wrote:
>
> > on the member server:
> > ---cut---
> > fileserver:~# net groupmap list
> > System Operators (S-1-5-32-549) -> -1
> > Replicators (S-1-5-32-552) -> -1
> > Guests (S-1-5-32-546) -> -1
> > Power Users (S-1-5-32-547) -> -1
> > Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
> > Print Operators (S-1-5-32-550) -> -1
> > Administrators (S-1-5-32-544) -> -1
> > Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
> > Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
> > Account Operators (S-1-5-32-548) -> -1
> > Backup Operators (S-1-5-32-551) -> -1
> > Users (S-1-5-32-545) -> -1
> > ---cut---
> >
> > > net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users"
> > > unixgroup=valid_unix_group type=domain
> > > if a groupmap exists for ntgroup, you either must delete it and
> > > then add it, or modify it.
> >
> > OK, maybe this was what I was misunderstanding:
> > I thought that with security=DOMAIN the groupmaps
> > should somehow be resolved between the PDC and
> > the member server, or at least that with groupmap = -1
> > I would have to create them, which didn't work.
> >
>
> Group mapping is stored in LDAP (if using ldapsam), so every samba machine on which you wish to obtain the mapping should use the same backend.
---
seems to me the choice for a member server is either to be a slave ldap (necessary for a BDC but not for a member server) or winbind.

Craig