I am using Samba PDC with OpenLDAP2 and smbldap-tools. As part of my
logon.bat, I call a script called ifmember.exe. This script can list out the
groups a user is a member of. It is reporting that my root user is a member
of the group 'engr.' I don't know if this is a bug with ifmember.exe or if
it's an issue in Samba or in LDAP. Here is some relevant data:
oink:/etc/smbldap-tools # smbldap-groupshow engr
dn: cn=engr,ou=groups,dc=borkholder,dc=com
cn: engr
gidNumber: 1001
memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
objectClass: top,posixGroup,sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
oink:/usr/local/sbin # ./smbldap-usershow root
dn: cn=root,ou=people,dc=borkholder,dc=com
objectClass: account,posixAccount,top,sambaSamAccount
cn: root
uid: root
uidNumber: 0
gidNumber: 0
loginShell: /bin/bash
homeDirectory: /root
displayName: root
sambaPwdCanChange: 1095966471
sambaPwdMustChange: 2147483647
sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
sambaPasswordHistory:
0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1095966471
sambaAcctFlags: [U ]
userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512
oink:/usr/local/sbin # net groupmap list
acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins
Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users
Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) -> Domain Guests
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) -> Workgroup Computers
Administrators (S-1-5-32-544) -> Administrators
acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -> receptionist
engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr
Is there anywhere else I can look to see why this command thinks I'm a
member of the engr group? I'm using nss_ldap on the server for authentication
as well.

Misty
I'm responding to my own message below with more data.
oink:/home # net rpc group members engr
Password:
CORP1\root
smbldap-groupmod -x root engr
...
0000 307: SEQUENCE {
0004 1: INTEGER = 3
0007 300: [APPLICATION 4] {
000B 38: STRING = 'cn=engr,ou=groups,dc=borkholder,dc=com'
0033 256: SEQUENCE {
0037 12: SEQUENCE {
0039 2: STRING = 'cn'
003D 6: SET {
003F 4: STRING = 'engr'
0045 : }
0045 : }
0045 19: SEQUENCE {
0047 9: STRING = 'gidNumber'
0052 6: SET {
0054 4: STRING = '1001'
005A : }
005A : }
005A 21: SEQUENCE {
005C 11: STRING = 'displayName'
0069 6: SET {
006B 4: STRING = 'engr'
0071 : }
0071 : }
0071 21: SEQUENCE {
0073 14: STRING = 'sambaGroupType'
0083 3: SET {
0085 1: STRING = '2'
0088 : }
0088 : }
0088 59: SEQUENCE {
008A 9: STRING = 'memberUid'
0095 46: SET {
0097 3: STRING = 'pat'
009C 5: STRING = 'chuck'
00A3 6: STRING = 'jeremy'
00AB 5: STRING = 'jerry'
00B2 4: STRING = 'paul'
00B8 5: STRING = 'roger'
00BF 4: STRING = 'todd'
00C5 : }
00C5 : }
00C5 51: SEQUENCE {
00C7 11: STRING = 'objectClass'
00D4 36: SET {
00D6 3: STRING = 'top'
00DB 10: STRING = 'posixGroup'
00E7 17: STRING = 'sambaGroupMapping'
00FA : }
00FA : }
00FA 59: SEQUENCE {
00FC 8: STRING = 'sambaSID'
0106 47: SET {
0108 45: STRING =
'S-1-5-21-725326080-1709766072-2910717368-1001'
0137 : }
0137 : }
0137 : }
0137 : }
0137 : }
Net::LDAP=HASH(0x84b2b48) received:
30 0C 02 01 03 65 07 0A 01 00 04 00 04 00 __ __ 0....e........
0000 12: SEQUENCE {
0002 1: INTEGER = 3
0005 7: [APPLICATION 5] {
0007 1: ENUM = 0
000A 0: STRING = ''
000C 0: STRING = ''
000E : }
000E : }
Net::LDAP=HASH(0x84b2b48) sending:
30 53 02 01 04 63 4E 04 26 63 6E 3D 65 6E 67 72 0S...cN.&cn=engr
2C 6F 75 3D 67 72 6F 75 70 73 2C 64 63 3D 62 6F ,ou=groups,dc=bo
72 6B 68 6F 6C 64 65 72 2C 64 63 3D 63 6F 6D 0A rkholder,dc=com.
01 00 0A 01 02 02 01 00 02 01 00 01 01 00 A0 13 ................
A3 11 04 09 6D 65 6D 62 65 72 55 69 64 04 04 72 ....memberUid..r
6F 6F 74 30 00 __ __ __ __ __ __ __ __ __ __ __ oot0.
0000 83: SEQUENCE {
0002 1: INTEGER = 4
0005 78: [APPLICATION 3] {
0007 38: STRING = 'cn=engr,ou=groups,dc=borkholder,dc=com'
002F 1: ENUM = 0
0032 1: ENUM = 2
0035 1: INTEGER = 0
0038 1: INTEGER = 0
003B 1: BOOLEAN = FALSE
003E 19: [CONTEXT 0] {
0040 17: [CONTEXT 3] {
0042 9: STRING = 'memberUid'
004D 4: STRING = 'root'
0053 : }
0053 : }
0053 0: SEQUENCE {
0055 : }
0055 : }
0055 : }
Net::LDAP=HASH(0x84b2b48) received:
30 0C 02 01 04 65 07 0A 01 00 04 00 04 00 __ __ 0....e........
0000 12: SEQUENCE {
0002 1: INTEGER = 4
0005 7: [APPLICATION 5] {
0007 1: ENUM = 0
000A 0: STRING = ''
000C 0: STRING = ''
000E : }
000E : }
User root is not in the group engr!
Net::LDAP=HASH(0x84b2b48) sending:
30 05 02 01 05 42 00 __ __ __ __ __ __ __ __ __ 0....B.
0000 5: SEQUENCE {
0002 1: INTEGER = 5
0005 0: [APPLICATION 2]
0007 : }
And the interesting thing is that if I do add root as a member of the group,
net rpc group list works correctly:
oink:/home # net rpc group members engr
Password:
CORP1\pat
CORP1\chuck
CORP1\jeremy
CORP1\jerry
CORP1\paul
CORP1\roger
CORP1\todd
CORP1\root
Take root back out, and I am back to:
oink:/home # net rpc group members engr
Password:
CORP1\root
It looks to me like root needs to be a member of every single group for these
tools to work correctly. That's really bizarre to me. I await the wisdom of
the Samba Gurus.

Misty
On Tuesday 12 October 2004 17:04, Misty Stanley-Jones wrote:
> I am using Samba PDC with OpenLDAP2 and smbldap-tools. As part of my
> logon.bat, I call a script called ifmember.exe. This script can list out
> the groups a user is a member of. It is reporting that my root user is a
> member of the group 'engr.' I don't know if this is a bug with
> ifmember.exe or if it's an issue in Samba or in LDAP. Here is some
> relevant data:
>
> oink:/etc/smbldap-tools # smbldap-groupshow engr
> dn: cn=engr,ou=groups,dc=borkholder,dc=com
> cn: engr
> gidNumber: 1001
> memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
> objectClass: top,posixGroup,sambaGroupMapping
> sambaGroupType: 2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
>
> oink:/usr/local/sbin # ./smbldap-usershow root
> dn: cn=root,ou=people,dc=borkholder,dc=com
> objectClass: account,posixAccount,top,sambaSamAccount
> cn: root
> uid: root
> uidNumber: 0
> gidNumber: 0
> loginShell: /bin/bash
> homeDirectory: /root
> displayName: root
> sambaPwdCanChange: 1095966471
> sambaPwdMustChange: 2147483647
> sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
> sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
> sambaPasswordHistory:
> 0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1095966471
> sambaAcctFlags: [U ]
> userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
> sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512
>
> oink:/usr/local/sbin # net groupmap list
> acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
> truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
> hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
> furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
> dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
> Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins
> Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users
> Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) -> Domain Guests
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) ->
> Workgroup Computers
> Administrators (S-1-5-32-544) -> Administrators
> acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
> receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -> receptionist
> engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr
>
> Is there anywhere else I can look to see why this command thinks I'm a
> member of the engr group? I'm using nss_ldap on the server for
> authentication as well.
>
> Misty
The trick is in you picking SID by yourself. :o)

sambaPrimaryGroupSID: should always be either explicit mapping of gidNumber
in the groupmap or implicit arithmetic mapping: (gidNumber * 2) + 'rid base'
+ 1. Your problem is that you have inconsistency in your root's setup. As a
result its primary group 0 gets mapped into RID 1001 which corresponds to
engr.

You can do one of the following:
1. change gidNumber of the cn=root to that of the 'Domain Admins' or
2. change the name of gid=0 to be 'Domain Admins' or
3. change mapping 'Domain Admins -> root'

I would also recommend using arithmetic gidNumber -> SID mapping unless you
are mapping predefined Windows RIDs.

Hope it helps,
Igor

Misty Stanley-Jones wrote:
> I am using Samba PDC with OpenLDAP2 and smbldap-tools. As part of my
> logon.bat, I call a script called ifmember.exe. This script can list out the
> groups a user is a member of. It is reporting that my root user is a member
> of the group 'engr.' I don't know if this is a bug with ifmember.exe or if
> it's an issue in Samba or in LDAP.
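To make the consistency rule from Igor's reply concrete, here is an added example (not code from the thread, Samba or smbldap-tools) that derives the SID Samba would give to a user's gidNumber and checks it against the user's sambaPrimaryGroupSID. It assumes Samba's default algorithmic rid base of 1000, which the thread never shows; the domain SID, engr's mapping and root's attributes are taken from the thread's own output.

```python
# Added example, not code from the thread, Samba or smbldap-tools. It applies
# the rule from Igor's reply: a user's sambaPrimaryGroupSID must equal the SID
# Samba derives for the user's gidNumber, either from an explicit groupmap
# entry or from the arithmetic rule RID = gidNumber * 2 + rid_base + 1.
# rid_base is smb.conf's "algorithmic rid base"; 1000 is Samba's default and
# is an assumption here because the thread never shows smb.conf.

DOMAIN_SID = "S-1-5-21-725326080-1709766072-2910717368"  # from the thread
RID_BASE = 1000

# gid -> sambaSID for groups with an explicit mapping. engr's gidNumber 1001
# and its SID come from the smbldap-groupshow output in the thread.
GROUP_MAP = {1001: f"{DOMAIN_SID}-1001"}

# root's attributes, copied from the smbldap-usershow output in the thread.
ROOT = {"uid": "root", "gidNumber": "0",
        "sambaPrimaryGroupSID": f"{DOMAIN_SID}-512"}


def algorithmic_group_rid(gid, rid_base=RID_BASE):
    """Samba's implicit gid -> RID mapping (group RIDs are the odd ones)."""
    return gid * 2 + rid_base + 1


def sid_for_gid(gid, group_map, rid_base=RID_BASE):
    """Explicit groupmap entry wins; otherwise Samba falls back to arithmetic."""
    if gid in group_map:
        return group_map[gid], "explicit"
    return f"{DOMAIN_SID}-{algorithmic_group_rid(gid, rid_base)}", "arithmetic"


def check_primary_group(user, group_map, rid_base=RID_BASE):
    """Return the consistency problems found for one sambaSamAccount entry."""
    gid = int(user["gidNumber"])
    expected, how = sid_for_gid(gid, group_map, rid_base)
    problems = []
    if user["sambaPrimaryGroupSID"] != expected:
        problems.append(f"{user['uid']}: gidNumber {gid} resolves ({how}) to "
                        f"{expected}, but sambaPrimaryGroupSID is "
                        f"{user['sambaPrimaryGroupSID']}")
    # A gid with no explicit mapping can land on a RID some other group owns
    # explicitly; that is how gid 0 comes out as 'engr' (RID 1001) in the thread.
    if how == "arithmetic":
        owners = [g for g, sid in group_map.items() if sid == expected]
        if owners:
            problems.append(f"{user['uid']}: arithmetic SID {expected} for gid "
                            f"{gid} collides with explicitly mapped gid {owners[0]}")
    return problems


if __name__ == "__main__":
    for problem in check_primary_group(ROOT, GROUP_MAP):
        print(problem)
    # Igor's option 3: map 'Domain Admins' (RID 512) onto the UNIX 'root' group.
    fixed_map = {**GROUP_MAP, 0: f"{DOMAIN_SID}-512"}
    print("after fix:", check_primary_group(ROOT, fixed_map))  # prints []
```

Run against an LDAP export, the same check over every sambaSamAccount entry finds any user whose gidNumber and sambaPrimaryGroupSID disagree before the symptom shows up in a logon script.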
Ok, the logic goes like this...

If you want to use root for Domain administration purposes it has to be in
the Domain user database. If it's a Domain user its primary group should be a
Domain group. All Domain groups in Samba are mappings from UNIX groups into
SIDs. If mapping for a particular gid is not present it will be created
automatically using arithmetic approach. Therefore, if you want your root
user to keep its primary gid but to be associated with a Domain group 'Domain
Admins' the best approach will be to map this Domain group into UNIX group
'root' instead of creating additional UNIX group 'Domain Admins'.

Another approach will be to use some other user to administer your Domain and
put it into 'admin users' list in smb.conf; then you will be free to choose
any primary group for it you like, just keep the consistency between
gidNumber and sambaPrimaryGroupSID. All users in the 'admin users' list are
forced into being root when they access Samba so you will have the same
control you would have with root.

I don't know why this is not documented... I don't read documentation that
often.. I do know though that Samba team welcomes all suggestions to make
documentation better. If you know which part of the documentation got you
confused - let them know how to make it more clear.

Hope it helps,
Igor

Misty Stanley-Jones wrote:
> This doesn't make sense. My root user needs to be gid=0 for all of my UNIX
> systems that I have auth'ing against the DB. Will it resolve this if I make
> the primaryGroupSID of root to be the one of Domain Admins? This isn't
> documented anywhere that I can tell. Thank you for your help, by the way.
>
> On Saturday 16 October 2004 06:16 pm, you wrote:
>
>> The trick is in you picking SID by yourself. :o)
>>
>> sambaPrimaryGroupSID: should always be either explicit mapping of
>> gidNumber in the groupmap or implicit arithmetic mapping: (gidNumber *
>> 2) + 'rid base' + 1. Your problem is that you have inconsistency in your
>> root's setup.