Data Control Systems - Mike Elkevizth
2004-Aug-26 13:52 UTC
[Samba] LDAP backend not mapping permissions properly and other problems
Sorry this is so long, but I think it is all relevant. I also have an output from pdbedit with log level 10 if needed.

First, the latest problem I have noticed. When I create a new directory on the server, Samba creates the files properly and gives them the proper permissions on the server, but when I look at the file security properties (right click, Properties, Security tab) I don't get the file's proper information. The user and group are both in the LDAP directory with Samba SIDs, but I get two groups that are not even related to the file and don't get the user and group that are assigned to the file.

I have tried to run winbindd, but it doesn't work at all. I got it to connect to the LDAP server by changing my configuration, and in the log it looks like it starts fine, but when I run wbinfo -u it gives me "error looking up users", wbinfo -g gives me 3 BUILTIN groups, and wbinfo -D gives me my domain info. Since my domain is purely made of Samba servers though, I'm not even sure if I should be running winbindd.

I am wondering if this has anything to do with the fact that the new smbldap-tools scripts require an entry with objectClass=sambaUnixIdPool, as does the Idmap entry. I had to change the scripts from searching for "(objectclass=sambaUnixIdPool)" to searching for "(cn=NextFreeUnixId)" in order to get the scripts to work, because they kept giving me a "can't find next available uidNumber" error.
An ldapsearch for "(objectclass=sambaUnixIdPool)" gives this:

> ldapsearch -x "(objectclass=sambaunixidpool)"
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=sambaunixidpool)
# requesting: ALL
#

# Idmap, ldap.dcs
dn: ou=Idmap,dc=ldap,dc=dcs
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: Idmap
uidNumber: 10000
gidNumber: 10000

# NextFreeUnixId, ldap.dcs
dn: cn=NextFreeUnixId,dc=ldap,dc=dcs
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId
uidNumber: 1012

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

History: I am trying (and have been for about six months) to build a small distributed network (between 3 offices via VPN, with 10 users, 4 of them mobile) and I can't figure it out. I purchased the "Samba 3 by Example" book and have followed it, and keep getting strange errors. I have 4 servers: one PDC and one BDC at the main office and a BDC at each of the other offices (they really aren't there yet because I'm trying to make it work first). All of them are running Fedora Core 2 with Samba 3.0.6. They each have a DHCP and DNS server on them which operate fine and sync together properly where needed. They all run OpenLDAP, and that runs great on all of them; the PDC runs the master and the BDCs are all slaves.

Also, I get weird errors from "User Manager for Domains". I can change passwords properly from the Ctrl-Alt-Delete Change Password method, and it changes both the Unix and the Samba passwords. If I try to change a user's password other than the administrator's (Linux uid=0) in "User Manager for Domains" it works fine; if I try to do anything to administrator, though, it gives me a "the group name could not be found" error. Then if I go into the Domain Admins group, it doesn't show the administrator as being a member, although he is in the LDAP directory, so I try to put the administrator in and it gives me a "the user does not belong to this group" error. I also have noticed I can't set "password must change at next logon" for any user. I am using smbldap-tools version 0.8.5 (the latest from their website).

Mike Elkevizth

smb.conf:

[global]
# Basic settings
workgroup = dcs
netbios name = dcs004
server string = Hartville PDC Server
security = user
show add printer wizard = no
# Network settings
time server = yes
wins support = yes
name resolve order = wins bcast hosts
smb ports = 139 445
hosts allow = 192.168.5. 192.168.6. 192.168.7. 127.
# Domain control options
os level = 99
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
logon script = %U.bat
logon path = \\%L\profile
# Password change and create options for domain control
unix password sync = yes
passwd chat timeout = 10
ldap delete dn = yes
lanman auth = no
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
encrypt passwords = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
# LDAP settings
ldap timeout = 10
passdb backend = ldapsam:ldap://localhost
idmap backend = ldap:ldap://dcs004.dcs
ldap ssl = start_tls
ldap admin dn = cn=sambauser,ou=DSA,dc=ldap,dc=dcs
ldap suffix = dc=ldap,dc=dcs
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap replication sleep = 1000
idmap uid = 10000-20000
idmap gid = 10000-20000
# Log settings
log level = 10
log file = /var/log/samba/log.%m
max log size = 50
syslog = 2

[profile]
path = /home/%U/.winprof
read only = no
browseable = no
profile acls = yes
create mask = 0771
directory mask = 2770
force directory mode = 2770
map system = yes
map hidden = yes
hide files = /RECYCLER/desktop.ini/

[My Documents]
path = /home/%U/Documents
read only = no
browseable = no
create mask = 0771
directory mask = 2770
force directory mode = 2770
map system = yes
map hidden = yes
hide files = /RECYCLER/desktop.ini/

[netlogon]
path = /home/netlogon
comment = Network Logon Service
guest ok = yes
locking = no
read only = yes
browseable = no
write list = administrator
create mask = 0775
directory mask = 2774
map system = yes
map hidden = yes
hide files = /RECYCLER/desktop.ini/

[DCS]
path = /common/dcs
comment = Common files for Data Control Systems
read only = no
create mask = 0770
directory mask = 2770
force directory mode = 2770

[QB]
path = /common/quickbooks
comment = Backup of Quickbooks company files
read only = no
oplocks = no
level2 oplocks = no
hide unreadable = yes
create mask = 0770
directory mask = 2770
force directory mode = 2770

[Software]
path = /common/software
comment = Backup of common program installation files
read only = yes
write list = administrator

[Users]
comment = Users' home directories
browseable = no
valid users = @"Domain Admins"
write list = @"Domain Admins"
path = /home

[Backup]
path = /common/backup
comment = Backups of deleted or changed files
valid users = administrator msp
browseable = no

[IPC$]
path = /tmp
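The ldapsearch output in the post shows two entries under dc=ldap,dc=dcs that carry objectClass sambaUnixIdPool (ou=Idmap, which Samba's idmap backend uses, and cn=NextFreeUnixId, which smbldap-tools uses), so the unqualified filter "(objectclass=sambaUnixIdPool)" that smbldap-tools 0.8.5 issues returns both. The following is an added example, not code from the post, from Samba or from smbldap-tools: a small offline check that parses LDIF, lists every sambaUnixIdPool entry, flags the filter as ambiguous when more than one matches, and compares each pool's uidNumber against the "idmap uid" range from smb.conf. The LDIF and the idmap lines are copied from the post as constructed sample input; the assumption that only the ou=Idmap pool should sit inside winbind's idmap range is mine.

```python
"""Offline check for sambaUnixIdPool ambiguity in a Samba 3 / smbldap-tools LDAP tree."""
import re

# Constructed sample input: the two entries returned by the ldapsearch in the
# post, copied into an inline LDIF string so the check runs without a server.
SAMPLE_LDIF = """\
# Idmap, ldap.dcs
dn: ou=Idmap,dc=ldap,dc=dcs
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: Idmap
uidNumber: 10000
gidNumber: 10000

# NextFreeUnixId, ldap.dcs
dn: cn=NextFreeUnixId,dc=ldap,dc=dcs
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId
uidNumber: 1012
"""

# Constructed sample input: the idmap lines from the posted smb.conf.
SAMPLE_SMB_CONF = """\
[global]
idmap uid = 10000-20000
idmap gid = 10000-20000
"""

# objectClass value behind the filter smbldap-tools uses, as quoted in the post.
POOL_FILTER_CLASS = "sambaunixidpool"


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into a list of entries.

    Each entry is a dict: 'dn' -> str, every other attribute (lower-cased
    name) -> list of values. Comment lines are skipped and folded
    continuation lines (leading single space) are joined to the prior value.
    """
    entries, cur, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if cur is not None:
                entries.append(cur)
            cur, last_attr = None, None
            continue
        if line.startswith(" ") and cur is not None and last_attr is not None:
            if last_attr == "dn":                 # LDIF line folding
                cur["dn"] += line[1:]
            else:
                cur[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = {"dn": value}
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
        last_attr = attr
    if cur is not None:
        entries.append(cur)
    return entries


def id_pool_entries(entries):
    """Entries whose objectClass contains sambaUnixIdPool (LDAP matches it case-insensitively)."""
    return [e for e in entries
            if any(oc.lower() == POOL_FILTER_CLASS for oc in e.get("objectclass", []))]


def parse_idmap_range(smb_conf, key):
    """Return (low, high) from an 'idmap uid = L-H' style line, or None if absent."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(\d+)\s*-\s*(\d+)\s*$", smb_conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_pools(ldif_text, smb_conf):
    """Cross-check LDAP id pools against the winbind idmap range in smb.conf.

    pools          -> (dn, uidNumber, gidNumber) for every sambaUnixIdPool entry
    ambiguous      -> True when more than one entry answers the objectClass filter,
                      so a script selecting "the" pool by objectClass alone cannot
                      tell which one it got
    in_idmap_range -> DNs whose uidNumber lies inside 'idmap uid' (assumption:
                      only the ou=Idmap pool used by winbind should live there)
    """
    pools = []
    for e in id_pool_entries(parse_ldif(ldif_text)):
        uid = int(e["uidnumber"][0]) if "uidnumber" in e else None
        gid = int(e["gidnumber"][0]) if "gidnumber" in e else None
        pools.append((e["dn"], uid, gid))
    uid_range = parse_idmap_range(smb_conf, "idmap uid")
    in_range = []
    if uid_range:
        lo, hi = uid_range
        in_range = [dn for dn, uid, _ in pools if uid is not None and lo <= uid <= hi]
    return {"pools": pools, "ambiguous": len(pools) > 1,
            "idmap_uid_range": uid_range, "in_idmap_range": in_range}


if __name__ == "__main__":
    report = audit_pools(SAMPLE_LDIF, SAMPLE_SMB_CONF)
    for dn, uid, gid in report["pools"]:
        print(f"pool {dn}: uidNumber={uid} gidNumber={gid}")
    if report["ambiguous"]:
        print(f"WARNING: {len(report['pools'])} entries match "
              "(objectclass=sambaUnixIdPool); that filter alone is ambiguous")
    print("pools inside idmap uid range:", report["in_idmap_range"])
```

Against the posted data the check reports both pools, marks the objectClass filter ambiguous, and shows that only ou=Idmap (uidNumber 10000) sits inside idmap uid = 10000-20000 while NextFreeUnixId (uidNumber 1012) does not. To run it against a live tree, replace SAMPLE_LDIF with the output of the same ldapsearch command shown above.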