Hi all,

after updating my pdc from 3.0.14a to 3.0.20 the
groupmap function does not work properly.

net groupmap list:
returns the same groupmapping on both samba versions.

Domain Computers (S-1-5-21-xxx-yyy-zzz-515) -> nt
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nobody
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Print Operators (S-1-5-32-550) -> oper
cvs (S-1-5-21-xxx-yyy-zzz-1219) -> cvs
cad (S-1-5-21-xxx-yyy-zzz-1211) -> cad
www (S-1-5-21-xxx-yyy-zzz-1213) -> www
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
testgr (S-1-5-21-xxx-yyy-zzz-2011) -> testgr
...

On 3.0.20

net rpc group list:
returns the unix groupnames instead of the mapped groupnames

nt
nobody
root
oper
cvs
cad
www
users
testgr
...

net group /domain (cmd.exe on xp and w2k):
returns the unix groupnames instead of the mapped groupnames

usrmgr.exe:
returns the unix groupnames instead of the mapped groupnames
with following effect:
- Editing of groups root and users (Domain Admins and Domain Users)
  is not possible (Error: the groupname can not be found)
- Reassigning the primary group Domain Users in the group membership
  dialog is not possible, because the group is not shown

acl file dialog on windows (xp and w2k):
returns the unix groupnames instead of the mapped groupnames
with the following effect:
- Assigning rights to the groups root and users has no effect
- Manually typing in "Domain Users" and "Domain Admins" assigns
  the rights properly.

My environment:
- Ldap master on RH8.0 (openldap 2.1.29)
- Ldap slave on FC3 (openldap 2.2.13)
- PDC on RH8.0 (kernel 2.4.29, samba 3.0.20 (rpmbuild from fedora
  src rpm from samba.org), nss_ldap-207)

I got the same results on a second system:
- PDC on FC4 (kernel 2.6.12-1.1398_FC4smp, samba 3.0.20 (build from
  source from samba.org), openldap-client 2.2.23, nss_ldap-234)

After downgrading to 3.0.14a, the groupmapping is ok.

Any ideas?

Regards
Carsten

Carsten Sander wrote:
| Hi all,
|
| after updating my pdc from 3.0.14a to 3.0.20 the
| groupmap function does not work properly.
|
| net groupmap list:
| returns the same groupmapping on both samba versions.
|
| Domain Computers (S-1-5-21-xxx-yyy-zzz-515) -> nt
| Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nobody
...
|
| On 3.0.20
|
| net rpc group list:
| returns the unix groupnames instead of the mapped groupnames
|
| nt
| nobody
| root
...

grr....sorry. Our bug. The one line fix is at
http://www.samba.org/~jerry/patches/post-3.0.20/groupname_enumeration.patch

cheers, jerry

Gerald (Jerry) Carter wrote:
>
> Carsten Sander wrote:
> | Hi all,
> |
> | after updating my pdc from 3.0.14a to 3.0.20 the
> | groupmap function does not work properly.
> |
> | net groupmap list:
> | returns the same groupmapping on both samba versions.
> |
> | Domain Computers (S-1-5-21-xxx-yyy-zzz-515) -> nt
> | Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nobody
> ...
> |
> | On 3.0.20
> |
> | net rpc group list:
> | returns the unix groupnames instead of the mapped groupnames
> |
> | nt
> | nobody
> | root
> ...
>
> grr....sorry. Our bug. The one line fix is at
> http://www.samba.org/~jerry/patches/post-3.0.20/groupname_enumeration.patch
>

Applied the patch. Groupnames are listed correctly now.

Thanks
Carsten

Carsten Sander wrote:
> On 3.0.20
> net rpc group list:
> returns the unix groupnames instead of the mapped groupnames

Cannot reproduce this with 3.0.20 (unpatched):

vmeis # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nogroup
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
Domain Power Users (S-1-5-21-xxx-yyy-zzz-1007) -> sys
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
vmeis # net rpc group list
Password:
Domain Admins
Domain Guests
Domain Users
Domain Power Users
vmeis #


3.0.20 patched with
http://www.samba.org/~jerry/patches/post-3.0.20/groupname_enumeration.patch :

vmeis # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nogroup
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
Domain Power Users (S-1-5-21-xxx-yyy-zzz-1007) -> sys
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
vmeis # net rpc group list
Password:
<=== no output
<=== no output
<=== no output
<=== no output
vmeis #

der tom

Thomas Bork wrote:
> Carsten Sander wrote:
>
>> On 3.0.20
>> net rpc group list:
>> returns the unix groupnames instead of the mapped groupnames
>
> Cannot reproduce this with 3.0.20 (unpatched):

It was pretty easy to reproduce for me. Are you using ldapsam?

> vmeis # net groupmap list
> System Operators (S-1-5-32-549) -> -1
...
> vmeis # net rpc group list
> Password:
> Domain Admins
> Domain Guests
> Domain Users
> Domain Power Users
> vmeis #
>
>
> 3.0.20 patched with
> http://www.samba.org/~jerry/patches/post-3.0.20/groupname_enumeration.patch:
>
> vmeis # net groupmap list
> System Operators (S-1-5-32-549) -> -1
....
> vmeis # net rpc group list
> Password:
> <=== no output
> <=== no output
> <=== no output
> <=== no output
> vmeis #

There were actually 2 bugs. One that I found after the first
revision of that patch. I started a "recent releases patch
page" yesterday. Take a look at
http://www.samba.org/samba/patches/

v2 of the group enumeration patch is available from there.

cheers, jerry
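
Added example (not part of the thread and not Samba project code): a check for both symptoms reported above, run over captured output of `net groupmap list` and `net rpc group list`. The sample output is constructed from the listings quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed samples, modelled on the listings quoted in this thread.
GROUPMAP = """\
Domain Admins (S-1-5-21-xxx-yyy-zzz-512) -> root
Domain Guests (S-1-5-21-xxx-yyy-zzz-514) -> nobody
Domain Users (S-1-5-21-xxx-yyy-zzz-513) -> users
cvs (S-1-5-21-xxx-yyy-zzz-1219) -> cvs
Users (S-1-5-32-545) -> -1
"""
RPC_MAPPED = "Password:\nDomain Admins\nDomain Guests\nDomain Users\ncvs\n"
RPC_UNIX_NAMES = "Password:\nnobody\nroot\ncvs\nusers\n"  # first symptom
RPC_BLANK = "Password:\n\n\n\n\n"                          # second symptom

# "NT name (SID) -> unix group", as printed by `net groupmap list`
MAP_LINE = re.compile(r"^(.+?) \((S-[0-9A-Za-z-]+)\) -> (\S+)$")


def parse_groupmap(text):
    """Return {unix_group: nt_name}, skipping unmapped (-1) entries."""
    unix_to_nt = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m and m.group(3) != "-1":
            unix_to_nt[m.group(3)] = m.group(1)
    return unix_to_nt


def check_enumeration(groupmap_text, rpc_text):
    """Compare enumerated group names against the mapping table."""
    unix_to_nt = parse_groupmap(groupmap_text)
    nt_names = set(unix_to_nt.values())
    leaked, blank = [], 0
    for line in rpc_text.splitlines():
        name = line.strip()
        if name == "Password:":          # prompt captured with the output
            continue
        if not name:
            blank += 1                   # a group enumerated with no name
        elif name not in nt_names and name in unix_to_nt:
            # A unix name shown where the NT name was expected. Groups mapped
            # to an identical name (cvs -> cvs) are correct, not a finding.
            leaked.append((name, unix_to_nt[name]))
    return {"unix_names": leaked, "blank": blank}


if __name__ == "__main__":
    for label, out in [("mapped", RPC_MAPPED), ("unix", RPC_UNIX_NAMES),
                       ("blank", RPC_BLANK)]:
        print(label, check_enumeration(GROUPMAP, out))
```

Any entry in `unix_names` means Windows clients will be offered the unix group name in ACL and user-manager dialogs, as described in the first message; a non-zero `blank` count matches the empty-line output seen with the first revision of the patch.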