Steven Enderle
2010-May-18 10:47 UTC
[Samba] net sam/samba ldap: Failed to add user 'xxx' with error: Group already exists.
Hello,

we are trying to set up Samba with LDAP Backend. Using the Samba toolchain to add our existing users/groups, the net command seems to get confused about what users and groups are, if both have the same name and are used in the same context.

Here is what I tried:

==commandline==
-> Create the Domain Group
# net sam createdomaingroup duplicate -U Administrator%pwd
Created domain group duplicate with RID 1172

-> Create the User
# net rpc user add duplicate -U Administrator%pwd
Failed to add user 'duplicate' with error: Group already exists.

Other way around, adding first user then group, similar result:

-> Create the User
# net rpc user add duplicate2 -U Administrator%pwd
Added user 'duplicate2'.

-> Create the Domain Group
# net sam createdomaingroup duplicate2 -U Administrator%pwd
Created domain group duplicate2 with RID 1174

-> Add new User to Group
# net sam addmem duplicate2 duplicate2 -U Administrator%pwd
Can only add members to local groups so far, duplicate2 is a User
==commandline==

Samba seems to fail at differentiating groups and users of same name.

1) Is there a way to tell samba/net to add the user duplicate to group duplicate?
2) Is there a dirty workaround that will get us running anyway?
3) What is the background that causes this problem? Is there something I am missing?

Thanks for your help in advance.

samba version: 3.5.2-SerNet-Debian
smb.conf used:

[global]
    server string = QNAP NAS
    announce version = 5.1
    workgroup = <hidden>
    password server = localhost
    disable netbios = yes
    wins support = no
    smb ports = 445
    domain logons = no
    domain master = no
    local master = no
    preferred master = no
    template homedir = /home/%U
    template shell = /bin/bash
    os level = 65
    winbind use default domain = yes
    log level = 3
    max log size = 2000
    debug timestamp = yes
    interfaces = lo eth0
    bind interfaces only = true
    hostname lookups = yes
    log file = /var/log/samba/smbd.%m
    passdb backend = ldapsam:ldap://localhost
    encrypt passwords = yes
    ldapsam:trusted = yes
    ldapsam:editposix = yes
    ldap admin dn = <hidden>
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=computers
    ldap passwd sync = Yes
    ldap suffix = <hidden>
    ldap delete dn = Yes
    ldap ssl = Off
    idmap config <hidden>:default = yes
    idmap config <hidden>:backend = ldap
    idmap config <hidden>:ldap_base_dn = ou=idmap,<hidden>
    idmap config <hidden>:ldap_user_dn = <hidden>
    idmap config ER.EMPIC.DE:ldap_url = ldap://localhost
    idmap config ER.EMPIC.DE:range = 10000 - 500000
    idmap alloc backend = ldap
    idmap alloc config : ldap_base_dn = ou=idmap,<hidden>
    idmap alloc config : ldap_user_dn = <hidden>
    idmap alloc config : ldap_url = ldap://localhost
    idmap uid = 10000 - 500000
    idmap gid = 10000 - 500000

[empic]
    comment = My Share
    path = /export
    browseable = yes
    public = yes
    writable = yes
    printable = no
    create mask = 0765

John H Terpstra
2010-May-18 13:58 UTC
[Samba] net sam/samba ldap: Failed to add user 'xxx' with error: Group already exists.
On 05/18/2010 05:47 AM, Steven Enderle wrote:
> Hello,
>
> we are trying to set up Samba with LDAP Backend. Using the Samba
> toolchain to add our existing users/groups, the net command seems to get
> confused about what users and groups are, if both have the same name and
> are used in the same context.
>
> Here is what I tried:
>
> ==commandline==
> -> Create the Domain Group
> # net sam createdomaingroup duplicate -U Administrator%pwd
> Created domain group duplicate with RID 1172
>
> -> Create the User
> # net rpc user add duplicate -U Administrator%pwd
> Failed to add user 'duplicate' with error: Group already exists.
>
> Other way around, adding first user then group, similar result:
>
> -> Create the User
> # net rpc user add duplicate2 -U Administrator%pwd
> Added user 'duplicate2'.
>
> -> Create the Domain Group
> # net sam createdomaingroup duplicate2 -U Administrator%pwd
> Created domain group duplicate2 with RID 1174
>
> -> Add new User to Group
> # net sam addmem duplicate2 duplicate2 -U Administrator%pwd
> Can only add members to local groups so far, duplicate2 is a User
> ==commandline==
>
> Samba seems to fail at differentiating groups and users of same name.
>
> 1) Is there a way to tell samba/net to add the user duplicate to group
> duplicate?

The MS Windows environment does not allow creation of a user account and a group account with the same name. In order to be able to resolve user and group names it is essential to avoid any ambiguity in resolution of user and group names.

> 2) Is there a dirty workaround that will get us running anyway?

Sure, Don't do it. If you currently have user groups, convert them.

> 3) What is the background that causes this problem? Is there something I
> am missing?

Make sure your user names and group names are all unique.

- John T.

> Thanks for your help in advance.
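
A pre-migration check for the advice in the reply above (user and group names must be unique), added here as an example that is not part of the original thread. The function names, the passwd/group-style input files and the case-insensitive comparison are assumptions of this example; the sample data is constructed.

```shell
#!/bin/sh
# Added example: list names that exist both as a user and as a group.
# Input files use passwd(5)/group(5) layout (name is the first ':' field),
# e.g. produced with `getent passwd > users.txt` and `getent group > groups.txt`.

# find_name_collisions USERS_FILE GROUPS_FILE
# Prints one colliding name per line as "name uid=<uid> gid=<gid>", sorted.
# Assumption: names are compared case-insensitively, as Windows account names are.
find_name_collisions() {
    awk -F: '
        # First file: remember each user name (lower-cased) and its uid.
        FILENAME == ARGV[1] { if ($1 != "") users[tolower($1)] = $3; next }
        # Second file: report every group whose name matches a user name.
        {
            key = tolower($1)
            if (key != "" && key in users)
                printf "%s uid=%s gid=%s\n", key, users[key], $3
        }
    ' "$1" "$2" | sort
}

# Constructed sample data (not from the original thread).
demo_collisions() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/users" <<'EOF'
alice:x:10001:10001::/home/alice:/bin/bash
duplicate2:x:10002:10002::/home/duplicate2:/bin/bash
Backup:x:10003:10003::/home/backup:/bin/bash
EOF
    cat > "$tmp/groups" <<'EOF'
staff:x:10010:alice
duplicate2:x:10011:
backup:x:10012:alice
EOF
    find_name_collisions "$tmp/users" "$tmp/groups"
    rm -rf "$tmp"
}

demo_collisions
```

Every name it prints has to be renamed on one side (user or group) before the accounts are created with the net commands.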