Bill Cameron
2006-Dec-22 20:25 UTC
[Samba] Member server - domain shows as "Unix User" on ACLs
Hi,

This is the environment:

PDC - samba 3.0.14a (Debian Sarge)
    passdb backend = ldapsam

Member server - Win2003
    Joined domain and this one works correctly

Member server - samba 3.0.23d (Debian Etch)
    Joined domain and this one displays the domain as "Unix User" or "Unix Group" when looking on the security tab on a WinXP machine that has logged into the domain and is accessing a share on the member server. A linux client using smbcacls also shows the domain as "Unix User"/"Unix Group".

Authentication works fine and I can access shares on the samba member server. If I add 'hide unreadable = yes' to the [Data] share then I am no longer able to see any files or directories on the share and I can't access a directory I have access to.

NSS/PAM are configured and are working correctly. No user accounts are created locally on the member server.

Winbind - Winbind isn't running on the PDC. I've tried it without winbindd on the member server, winbindd running as 'netlogon proxy only' on the member server and full winbindd with it creating idmap entries in ldap. The Win2003 server works fine without the idmap entries in ldap so I'm assuming samba should be able to work without idmap entries and winbindd running as 'netlogon proxy only' on the member server. wbinfo -t (-u & -g) all work correctly displaying the domain users and groups on the member server.

'Samba-3 by Example' in the 'Adding Domain Member Servers and Clients' chapter makes it sound like you don't need to use winbindd since the information is in ldap and we aren't using any foreign domains.

Samba release notes for 3.0.23b say:

"If the member server is not running winbindd at all, domain accounts will be implicitly mapped to local accounts and their tokens will be modified appropriately to reflect the local SID and group membership."

which seems to indicate I need winbindd.

Questions:

1. Do I need winbindd?
2. If I do need winbindd is 'netlogon proxy only' enough? Remember - the Win2003 member server is working fine without any idmap entries in ldap.
3. How do I get the users to be seen as Domain users and not as local unix users?

smb.conf on the member server:

[global]
    unix charset = LOCALE
    workgroup = MYDOMAIN
    server string = %h
    security = DOMAIN
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = wins host bcast
    wins server = 172.16.1.8
    ldap admin dn = cn=samba,ou=dsa,dc=domain,dc=ca
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=computers
    ldap suffix = dc=domain, dc=ca
    ldap user suffix = ou=people
    panic action = /usr/share/samba/panic-action %d
    idmap backend = ldap:ldap://main.domain.ca

[Data]
    comment = Data share
    path = /srv
    read only = No
    create mask = 0660
    directory mask = 02770

Some log entries:

log.wb-mydomain - seen when winbindd is first started

[2006/12/22 10:38:33, 2] libsmb/namequery.c:name_query(577)
  Got a positive name query response from 172.16.1.8 ( 172.16.1.8 )
[2006/12/22 10:38:33, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine PDC pipe \lsarpc fnum 0x749e!

log.computername - seen when a client computer connects to the share on the member server.

[2006/12/22 10:39:47, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [user1] -> [user1] -> [user1] succeeded
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_administrators(785)
  create_builtin_administrators: Failed to create Administrators
[2006/12/22 10:39:47, 2] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_users(751)
  create_builtin_users: Failed to create Users
  .
  .
  .
[2006/12/22 10:39:48, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2006/12/22 10:39:48, 1] smbd/service.c:make_connection_snum(950)
  computername (172.16.1.174) connect to service Data initially as user user1 (uid=2001, gid=2001) (pid 8649)

Thanks,
Bill
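A small diagnostic helper, added here as an example and not taken from the post or from the Samba project: it parses Samba 3.0-style log.* entries like the ones quoted above (a "[timestamp, level] file:function(line)" header followed by the message on the next line) and picks out the local-token failures, and it classifies principals from smbcacls output, or raw SIDs, as domain accounts versus the "Unix User"/"Unix Group" pseudo-domain that Samba reports when it can only map a SID to a POSIX uid/gid (SID prefixes S-1-22-1-<uid> and S-1-22-2-<gid>). The sample log is built from the post's excerpts; the smbcacls text, the "staff" group and all function names are constructed assumptions of mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the log excerpts quoted in the post above.
SAMPLE_LOG = """\
[2006/12/22 10:39:47, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [user1] -> [user1] -> [user1] succeeded
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_administrators(785)
  create_builtin_administrators: Failed to create Administrators
[2006/12/22 10:39:47, 2] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\\Administrators group!
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_users(751)
  create_builtin_users: Failed to create Users
[2006/12/22 10:39:48, 1] smbd/service.c:make_connection_snum(950)
  computername (172.16.1.174) connect to service Data initially as user user1 (uid=2001, gid=2001) (pid 8649)
"""

# Constructed smbcacls output (Samba 3 format: OWNER:/GROUP:/ACL:name:type/flags/mask).
SAMPLE_SMBCACLS = """\
REVISION:1
CONTROL:SR|DP
OWNER:Unix User\\user1
GROUP:Unix Group\\staff
ACL:Unix User\\user1:ALLOWED/0x0/FULL
ACL:MYDOMAIN\\Domain Admins:ALLOWED/0x0/FULL
ACL:BUILTIN\\Administrators:ALLOWED/0x0/FULL
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")


@dataclass
class LogEntry:
    timestamp: str
    level: int
    location: str   # file:function(line) as printed by Samba
    message: str


def parse_samba_log(text: str) -> List[LogEntry]:
    """Parse Samba 3.0 log text into entries; message lines are joined to their header."""
    entries: List[LogEntry] = []
    current: Optional[LogEntry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = LogEntry(m.group(1), int(m.group(2)), m.group(3), "")
            entries.append(current)
        elif current is not None:
            # Continuation line: Samba indents the message under its header.
            current.message = (current.message + " " + line.strip()).strip()
    return entries


def token_failures(entries: List[LogEntry]) -> List[LogEntry]:
    """Entries showing the local NT token being built without the BUILTIN groups."""
    return [e for e in entries
            if "auth_util.c" in e.location and "Failed to create" in e.message]


def classify_principal(principal: str) -> str:
    """Classify a SID or DOMAIN\\name as domain, builtin, unix-user, unix-group or unknown."""
    if principal.startswith("S-1-22-1-"):
        return "unix-user"      # Samba's "Unix User" pseudo-domain (uid mapped)
    if principal.startswith("S-1-22-2-"):
        return "unix-group"     # Samba's "Unix Group" pseudo-domain (gid mapped)
    if principal.startswith("S-1-5-21-"):
        return "domain"
    if principal.startswith("S-1-5-32-"):
        return "builtin"
    if "\\" in principal:
        dom = principal.split("\\", 1)[0]
        if dom == "Unix User":
            return "unix-user"
        if dom == "Unix Group":
            return "unix-group"
        if dom == "BUILTIN":
            return "builtin"
        return "domain"
    return "unknown"


def unmapped_principals(smbcacls_text: str) -> List[str]:
    """Principals in smbcacls output that Samba could only resolve to a POSIX uid/gid."""
    found: List[str] = []
    for line in smbcacls_text.splitlines():
        if line.startswith(("OWNER:", "GROUP:")):
            principal = line.split(":", 1)[1]
        elif line.startswith("ACL:"):
            principal = line[4:].rsplit(":", 1)[0]   # drop the type/flags/mask part
        else:
            continue
        if classify_principal(principal) in ("unix-user", "unix-group"):
            found.append(principal)
    return list(dict.fromkeys(found))   # de-duplicate, keep first-seen order


if __name__ == "__main__":
    for e in token_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{e.timestamp} level {e.level} {e.location}: {e.message}")
    print("unmapped principals:", unmapped_principals(SAMPLE_SMBCACLS))
```

Feeding a real log.<client> file and the output of smbcacls into these two functions gives a quick read on whether the member server is building tokens from domain SIDs or from locally mapped uids; an empty list from unmapped_principals is what a correctly mapped share should produce.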