samba - Dec 2004 - PDC + LDAP group mappings

Alright now that samba can talk to LDAP I have a blank slate.  I know I
need to setup group mappings, but I'm a little confused about this.
Since it's an ldap backend do the groups need to have unix counterparts?
Should I use the net groupmap command to add the mappings or should I
use an LDIF file?

David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane, Suite 1208
New York, NY  10038
212.981.6527 (o)  |  917.495.4918 (c)

> Alright now that samba can talk to LDAP I have a blank slate.  I know I
> need to setup group mappings, but I'm a little confused about this.
> Since it's an ldap backend do the groups need to have unix
counterparts?
Yes, it is group mapping; you must have group to map to.
> Should I use the net groupmap command to add the mappings or should I
> use an LDIF file?
You must use net groupmap unless you want to calculate the SIDs/RIDs
yourself.

So I gave it try but it didn't work.  Here's the output.

net groupmap add ntgroup="Domain Admin" unixgroup=ntadmin -d 4

[2004/12/30 13:12:06, 3] param/loadparm.c:lp_load(3902)
  lp_load: refreshing parameters
[2004/12/30 13:12:06, 3] param/loadparm.c:init_globals(1312)
  Initialising global parameters
[2004/12/30 13:12:06, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2004/12/30 13:12:06, 3] param/loadparm.c:do_section(3395)
  Processing section "[global]"
  doing parameter interfaces = eth0 10.1.0.143/24
  doing parameter workgroup = STROZTEST
  doing parameter netbios name = AUTH
[2004/12/30 13:12:06, 4] param/loadparm.c:handle_netbios_name(2740)
  handle_netbios_name: set global_myname to: AUTH
  doing parameter passdb backend = ldapsam:ldaps://10.1.0.143:636
  doing parameter username map = /etc/samba/smbusers
  doing parameter printcap name = cups
  doing parameter add user script /usr/local/samba/sbin/smbldap-useradd.pl -m
'%u'
  doing parameter delete user script /usr/local/samba/sbin/smbldap-userdel.pl %u
  doing parameter add group script /usr/local/samba/sbin/smbldap-groupadd.pl -p
'%g'
  doing parameter delete group script /usr/local/samba/sbin/smbldap-groupdel.pl
'%g'
  doing parameter add user to group script = /usr/local/samba/sbin/
smbldap-groupmod.pl -m '%g' '%u'
  doing parameter delete user from group script = /usr/local/samba/sbin/
smbldap-groupmod.pl -x '%g' '%u'
  doing parameter set primary group script = /usr/local/samba/sbin/
smbldap-usermod.pl -g '%g' '%u'
  doing parameter add machine script /usr/local/samba/sbin/smbldap-useradd.pl -w
'%u'
  doing parameter domain logons = Yes
  doing parameter os level = 35
  doing parameter preferred master = Yes
  doing parameter domain master = Yes
  doing parameter local master = Yes
  doing parameter ldap suffix = dc=strozllc,dc=com
  doing parameter ldap machine suffix = ou=People
  doing parameter ldap user suffix = ou=People
  doing parameter ldap group suffix = ou=People
  doing parameter ldap idmap suffix = ou=People
  doing parameter ldap admin dn = cn=Manager,dc=strozllc,dc=com
  doing parameter ldap ssl = yes
  doing parameter ldap passwd sync = Yes
  doing parameter idmap uid = 15000-20000
  doing parameter idmap gid = 15000-20000
  doing parameter winbind separator = +
[2004/12/30 13:12:06, 4] param/loadparm.c:lp_load(3933)
  pm_process() returned Yes
[2004/12/30 13:12:06, 3] lib/util.c:interpret_addr(1135)
  sys_gethostbyname: Unknown host. eth0
[2004/12/30 13:12:06, 2] lib/interface.c:interpret_interface(128)
  can't determine netmask for eth0
[2004/12/30 13:12:06, 2] lib/interface.c:add_interface(79)
  added interface ip=10.1.0.143 bcast=10.1.0.255 nmask=255.255.255.0
[2004/12/30 13:12:06, 2] lib/smbldap.c:smbldap_search_domain_info(1373)
  Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=STROZTEST))]
[2004/12/30 13:12:06, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2004/12/30 13:12:06, 3] lib/smbldap.c:smbldap_connect_system(858)
  ldap_connect_system: succesful connection to the LDAP server
[2004/12/30 13:12:06, 4] lib/smbldap.c:smbldap_open(909)
  The LDAP server is succesfully connected
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2004/12/30 13:12:06, 2] utils/net.c:main(859)
  return code = -1


David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane, Suite 1208
New York, NY  10038
212.981.6527 (o)  |  917.495.4918 (c)

-----Original Message-----
From: Adam Tauno Williams [mailto:adam@morrison-ind.com] 
Sent: Thursday, December 30, 2004 12:42 PM
To: David Sonenberg
Cc: samba@lists.samba.org
Subject: Re: [Samba] PDC + LDAP group mappings
> Alright now that samba can talk to LDAP I have a blank slate.  I know 
> I need to setup group mappings, but I'm a little confused about this.
> Since it's an ldap backend do the groups need to have unix
counterparts?

Yes, it is group mapping; you must have group to map to.
> Should I use the net groupmap command to add the mappings or should I 
> use an LDIF file?
You must use net groupmap unless you want to calculate the SIDs/RIDs
yourself.

On Thursday 30 December 2004 10:34, David Sonenberg
wrote:
> Alright now that samba can talk to LDAP I have a blank slate.  I know I
> need to setup group mappings, but I'm a little confused about this.
> Since it's an ldap backend do the groups need to have unix
counterparts?
> Should I use the net groupmap command to add the mappings or should I
> use an LDIF file?
David,

This subject comes up on this list ad nauseum! I am responding in full in the 
hope that we can get this sorted out so that others who do their homework 
before asking here will find the answers they need. I have tried to document 
this in the Samba-HOWTO-Collection and in the Samba-Guide ("Samba-3 by 
Example" books).

Suggest you check out chapter 6 of the book, "Samba-4 by Example". You
can
download it from:

http://www.samba.org/samba/docs/Samba-Guide.pdf

If you get lost give me a shout. If the documentation is not clear enough and 
has too much fog-factor, please promise us all that when this becomes clear 
to you you will help to improve the documentation. Feedback, improvement in 
clarifty and corrections are always welcome.

For the record:
========
If you use LDAP with Samba it is essential that ALL your UNIX (POSIX) accounts 
(both for users and for groups) are in the LDAP backend. Samba requires the 
SambaSAM account data also in LDAP. It is NOT possible with Samba to have 
only the SambaSAM account information in LDAP and not the UNIX accounts in 
LDAP.

Additionally, it is essential that all accounts will translate unambiguously 
between Windows credentials and UNIX credentials. This means that any UID 
must translate to exactly one (and one only) MS Windows SID. Every SID must 
translate (map) to precisely one UID or GID. Every GID must map to precisely 
one SID and vica versa.

The "net groupmap" utility provides the connection between a Windows
NT Group
and the UNIX (POSIX) group. What this does is it tells Samba that when a 
Windows user accesses the Samba server that user will be treated by the UNIX 
operating system as if he is accessing UNIX directly as the mapped account. 

For Example: 
A Windows user is called 'billyboy' and is a member of Windows groups
"Domain
Users", "Engineers", and "Goodguys", and his primary
group is "Goodguys".

In your LDAP based POSIX backend the UNIX account is called 'billyboy'
with
UID = 1106. Group mappings are set so that:

	Windows NT Group	==	UNIX group
---------------------------------------------------------------------
	"Domain Users"	->	users (group id = 500)
	"Domain Guests"	->	nobody (group id = 65534)
	"Domain Admins" ->	root (group id = 0)
	"Engineers" 	->	engineers (group id = 1211)
	"Goodguys" 	->	goodguys (group id = 1235)

Then for all UNIX file system access the user 'billyboy' will have the 
following UNIX credentials:
	UID: 1106
	Primary group ID: 1235
	Additional group memberships IDs: 500, 1211

That is the information that should be returned if you execute in a UNIX 
shell: 
	id billyboy

You can manually populate your LDAP database using an LDIF file to set all 
this up, but if you use the Idealx scripts this is all neatly done for you.

I hope that helps to explain the connections.

Cheers,
John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.