Hi Samba users,

I've got a problem with a Samba/LDAP setup. When I set an ACL for a domain
group on a Windows client, a group mapping entry is created in the
Idmap OU on the LDAP server.

I checked the OpenLDAP log files. There, the server sends a search
request for the domain group SID to the LDAP backend and retrieves an
entry back:

Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SRCH base="ou=Groups,dc=lw-systems,dc=net" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-4205727931-4131263253-1851132061-3019))"
Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text

The Samba log files show that no entry was found.

[2008/01/15 20:19:25, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2008/01/15 20:19:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1570)
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-4205727931-4131263253-1851132061-3019] count=0
[2008/01/15 20:19:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2200)
  init_group_from_ldap: Entry found for group: 1009
[2008/01/15 20:19:25, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2

I guess the Idmap entry is created because the Samba server assumes that
no group SID is available at the backend.

Does anyone have any ideas about this behavior?
Maybe it's my misunderstanding of the ID mapping in Samba...

Best regards,
Martin Werthmoeller
--
LWsystems - IT-Service and Consulting
mw@lw-systems.de * http://www.lw-systems.de