Mark Sheard
2010-Jun-30 06:30 UTC
[Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC)
Good Morning to all,
Sorry if this is spam to some of you, not sure if this
is more technical or not...
Considering i have been fighting for a week now on this trying all
possible checks and configs out there on the net, i thought i better
come to the experts. ;o)
My last resort is to upgrade to latest samba ver which might help but i
think the bug was not fixed in this version not sure.. :o\
I have Ubuntu version 10.04
Samba ver "3.0.28a-1ubuntu4.12"
Here is the Bug/problem:
I am unable to list Domain "Local Groups" but Domain "Global
Groups"
are fine in winbind. I would like to know winbind is working with
"Local Groups" first before configuring apache to authenticate to a
local
group and the rest...
I have configured a Samba Member server (Nagios) to talk to a NT Domain PDC.
Here is my Samba cfg.
root at wfmmon-GBL:/downloads# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = NAMEOFDOMAIN
server string = %h server (Samba, Ubuntu)
security = DOMAIN
map to guest = Bad User
obey pam restrictions = Yes
password server = PDCSVR BDCSVR2 BDCSVR3_CF BDCSVR4 BDCSVR5_cf
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = lmhosts host wins bcast
unix extensions = No
printcap name = cups
disable spoolss = Yes
preferred master = No
local master = No
domain master = No
wins server = 192.168.0.0.1 #( not the real ip)
usershare allow guests = Yes
usershare max shares = 10
panic action = /usr/share/samba/panic-action %d
idmap uid = 1000-200000
idmap gid = 1000-200000
template shell = /bin/bash
winbind separator = +
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
invalid users = root
wide links = No
root at wfmmon-GBL:/downloads#
Domain Local group NAGMONGBL
Domain Global group Domain Users
Example:
I am able to do
****
root at wfmmon-GBL:/downloads# wbinfo --group-info="Domain Users"
domain users:x:10004
root at wfmmon-GBL:/downloads#
****
But NOT
****
root at wfmmon-GBL:/downloads# wbinfo --group-info="NAGMONGBL"
Could not get info for group NAGMONGBL
root at wfmmon-GBL:/downloads#
****
Checking error logs reveals
****
root at wfmmon-GBL:/downloads# tail -25 /var/log/samba/log.winbindd
[2010/06/30 07:15:55, 1] nsswitch/winbindd_group.c:fill_grent_mem(365)
could not lookup membership for group sid "SIDNUMBER" in domain
NAMEOFDOMAIN (error: NT_STATUS_NO_SUCH_GROUP)
****
I am able to resolve the sid to name
****
root at wfmmon-GBL:/downloads# wbinfo --sid-to-name="SIDNUMBER"
NAMEOFDOMAIN+nagmongbl 4
****
Additional stuff i tried with group mapping i get
the same error as above with (wbinfo --group-info="NAGMONGBL"):
nagmongbl is our local group..
BUILTIN+users is also a local group but works :o\
root at wfmmon-GBL:/downloads# net groupmap list
nagmongbl (S-1-5-21-1420701450-S-I-D-Number) -> nagmonglb
Administrators (S-1-5-32-544) -> BUILTIN+administrators
Users (S-1-5-32-545) -> BUILTIN+users
root at wfmmon-GBL:/downloads# getent group nagmonglb
nagmonglb:x:10770:
root at wfmmon-GBL:/downloads# getent group nagmongbl
root at wfmmon-GBL:/downloads#
root at wfmmon-GBL:/downloads# getent group "BUILTIN+users"
BUILTIN+users:x:10001:administrator,iusr_svr_cf,svr$,svr3$,iwam_svvr_cf,iusr_srv_cf,iwam_svr342_cf,wfmmon-gbl$
root at wfmmon-GBL:/downloads#
If it comes down to Samba version :
Considering Samba upgrades what would be the best approach?
to remove or install over the top of existing installation?
Thanks in advance for any input, help, direction that can
be provided here.
Regards
Mark
Guy Rouillier
2010-Jun-30 21:11 UTC
[Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC)
On 6/30/2010 2:30 AM, Mark Sheard wrote:> I have Ubuntu version 10.04 > Samba ver "3.0.28a-1ubuntu4.12"I just did a fresh install of 10.04 x86 32-bit, and smbd reports version 3.4.7. How did you end up with 3.0.28? Try "smbd -version" and see what that reports. -- Guy Rouillier
Mark Sheard
2010-Jul-06 06:45 UTC
[Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC)
Hi Gary, Sorry for the late response just looking through my spams folder and my eye caught this one, phew... I since then have tweaked my yahoo mail settings and all Samba contents is going to a specified Samba folder... Anyhow Back to your question: I installed ubuntu 10.04 and if i remember i did the "Apt-get install samba" which brought this version down... root at wfmmon-GBL:~# smbd -version root at wfmmon-GBL:~# smbd root at wfmmon-GBL:~# smbd --version Version 3.0.28a root at wfmmon-GBL:~# mmm i did change my "/etc/apt/sources.list" to a local server here in Hungary, because of my impatience... But i have set it back to default and currently waiting for "apt-get update" to finish.. Seems we might be onto something here. :o) I will let you know , and Thanks for your response! Regards M. --- On Thu, 1/7/10, Guy Rouillier <guyr-ml1 at burntmail.com> wrote:> From: Guy Rouillier <guyr-ml1 at burntmail.com> > Subject: Re: [Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC) > To: samba at lists.samba.org > Date: Thursday, 1 July, 2010, 0:11 > On 6/30/2010 2:30 AM, Mark Sheard > wrote: > > I have Ubuntu version 10.04 > > Samba ver? "3.0.28a-1ubuntu4.12" > > I just did a fresh install of 10.04 x86 32-bit, and smbd > reports version 3.4.7.? How did you end up with > 3.0.28?? Try "smbd -version" and see what that > reports. > > -- Guy Rouillier > -- To unsubscribe from this list go to the following URL > and read the > instructions:? https://lists.samba.org/mailman/options/samba >