ryan punt
2006-Aug-31  18:36 UTC
[Samba] Samba 2 PDC upgrade to Samba 3 - group mapping problem
I'm in the process of replacing a Samba 2.2.12 PDC with Samba 3.0.14a-Debian. An LDAP database serves as the user data store, and I've made no changes to the Samba 2.2.x-compatible LDAP records. Since I don't relish LDAP schema changes, I've specified ldapsam_compat as my passdb backend; I figured that since I was already running a compatible LDAP schema, there was no need to make use of the updated, Samba3-compatible LDAP schemas.

However, I'm starting to doubt that assumption, because every time I try to list group mappings or assign security rights, I get the following search in my LDAP log:

    filter="(&(objectClass=sambaGroupMapping)(gidNumber=1000))"
    attrs="gidNumber sambasid sambagrouptype sambasidlist description displayName cn objectClass"

[My already-defined group "Domain Admins" has GID 1000]

Since sambaGroupMapping is part of the updated Samba LDAP schema, I suppose I'll have to make those schemas available; or do I have my ldapsam_compat configuration wrong? Again, I would have thought that specifying ldapsam_compat would have meant maintaining operational capability with a working Samba 2.2.x+LDAP installation, but apparently I was wrong...?

On a possibly-related note, does anyone know where I could find SunOne DS-compatible Samba schemas? The latest version I've been able to find was listed compatible with Samba <= 3.0.10.

TIA,
Ryan

relevant smb.conf:

    [global]
        workgroup = DOMAIN
        netbios name = DOMAIN-PDC
        server string = Samba 3 PDC
        encrypt passwords = Yes
        passwd program = <REDACTED>
        passwd chat debug = No
        passwd chat timeout = 60000
        passwd chat = *new*password* %n\n *new*password* %n\n *successfully* .
        unix password sync = Yes
        ; remember to lower the log level in real life :-)
        log level = 3
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        domain logons = Yes
        os level = 255
        preferred master = True
        domain master = True
        dns proxy = No
        wins support = Yes
        preexec = sh -c 'echo Welcome to XXXX domain | /usr/bin/smbclient -M "%m" -I "%i" ' &
        passdb backend = ldapsam_compat:"ldap://ldapserver.domain.com"
        ldap suffix = o=example.com
        ldap admin dn = cn=LDAP Manager
        ldap timeout = 60
        add user script = /usr/sbin/smbldap-useradd -w %u >/tmp/smbldap-useradd-user 2>&1
        add machine script = /usr/sbin/smbldap-useradd -w %u >/tmp/smbldap-useradd-machine 2>&1
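An added diagnostic (my own example, not code from the thread or from Samba) that replays the search filter seen in the LDAP log above against constructed LDIF entries: a 2.2-style posixGroup with gidNumber 1000 that lacks sambaGroupMapping, beside a 3.x-style entry that carries it, to show why the lookup comes back empty for the former. The DNs and the sambaSID value are constructed sample data.

```python
import re

# Constructed sample LDIF (not from the thread): a Samba 2.2-era posixGroup for
# "Domain Admins" without sambaGroupMapping, beside a Samba 3-style entry.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,o=example.com
objectClass: posixGroup
cn: Domain Admins
gidNumber: 1000

dn: cn=Domain Users,ou=Groups,o=example.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1001
sambaSID: S-1-5-21-1-2-3-513
"""

# The search Samba 3 issued, as seen in the LDAP log above (gid substituted).
SAMBA3_FILTER = "(&(objectClass=sambaGroupMapping)(gidNumber={gid}))"

def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr: [values]} dicts; attrs lower-cased."""
    entries = []
    for block in text.strip().split("\n\n"):          # entries are blank-line separated
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def matches(entry, filt):
    """Evaluate an AND-of-equality filter such as SAMBA3_FILTER (case-insensitive)."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", filt)
    return all(v.lower() in [x.lower() for x in entry.get(a.lower(), [])]
               for a, v in terms)

def diagnose(entries, gid):
    """Explain why Samba 3's group-mapping lookup for gid fails (or succeeds)."""
    if any(matches(e, SAMBA3_FILTER.format(gid=gid)) for e in entries):
        return "ok"                       # entry already carries sambaGroupMapping
    if any(matches(e, f"(&(objectClass=posixGroup)(gidNumber={gid}))") for e in entries):
        return "needs-sambaGroupMapping"  # group exists, but not in the form Samba 3 searches for
    return "no-such-group"
```

Running `diagnose(parse_ldif(SAMPLE_LDIF), 1000)` reports the "Domain Admins" entry as present but missing the objectClass the filter requires, which is exactly the empty result the LDAP log shows.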
Felipe Augusto van de Wiel
2006-Sep-01  15:51 UTC
[Samba] Samba 2 PDC upgrade to Samba 3 - group mapping problem
On 08/31/2006 02:56 PM, ryan punt wrote:
> I'm in the process of replacing a Samba 2.2.12 PDC with
> Samba 3.0.14a-Debian. An LDAP database serves as the
> user data store, and I've made no changes to the Samba
> 2.2.x-compatible LDAP records. Since I don't relish
> LDAP schema changes, I've specified ldapsam_compat as
> my passdb backend; I figured that since I was already
> running a compatible LDAP schema, there was no need to
> make use of the updated, Samba3-compatible LDAP schemas.

AFAIK Samba 2.2 does not offer complete support for group mapping in the same way Samba 3 does.

> However, I'm starting to doubt that assumption, because
> every time I try to list group mappings or assign
> security rights, I get the following search in my LDAP
> log:
>
> filter="(&(objectClass=sambaGroupMapping)(gidNumber=1000))"
> attrs="gidNumber sambasid sambagrouptype sambasidlist
> description displayName cn objectClass"

Yes, but I believe you can change that search in your smb.conf. Anyway, did you see that [1] thread back in December 2003 on the samba list? I hope the ideas over there can help you.

> [My already-defined group "Domain Admins" has GID 1000]
> Since sambaGroupMapping is part of the updated Samba LDAP
> schema, I suppose I'll have to make those schemas
> available; or do I have my ldapsam_compat configuration
> wrong? Again, I would have thought that specifying
> ldapsam_compat would have meant maintaining operational
> capability with a working Samba 2.2.x+LDAP installation,
> but apparently I was wrong...?

ldapsam_compat should work just fine; although I have not used it for a long time, I remember it working perfectly (but I didn't use group maps at that time).

> On a possibly-related note, does anyone know where I
> could find SunOne DS-compatible Samba schemas? The
> latest version I've been able to find was listed
> compatible with Samba <= 3.0.10.

Sorry, can't help on that one. :-(

> TIA,
> Ryan
>
> relevant smb.conf:
[...]

Hope this helps.

Kind regards,
-- 
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
ryan punt
2006-Sep-01  17:52 UTC
[Samba] Samba 2 PDC upgrade to Samba 3 - group mapping problem
>>> felipe@paranacidade.org.br 9/1/2006 10:51:13 AM >>>
> ldapsam_compat should work just fine, although I do not use it for a long time
> I remember it work perfectly (but I didn't use group maps at that time).

Then my question is this: is Samba 3, using ldapsam_compat for the passdb backend, a drop-in replacement for 2.2.x using LDAP? More specifically, if I've got a 2.2.x+LDAP installation up and running now, will I have to make any LDAP changes to make everything work? Should I be focusing on my smb.conf and leaving my back-end directory alone, or are some LDAP changes simply inevitable? The documentation I've read would make it seem that 3.x + ldapsam_compat makes a great drop-in replacement, but I haven't found that to be the case in practice.

Thanks,
Ryan