samba - Jan 2011 - Samba File Server as Domain Member of Samba PDC

Hi

We have configured 2 PDC Samba (v3.0.33, sambapdc1 and sambapdc2)
servers using LDAP (389 DS v1.2.5) as its database backend. If I run
"net rpc user -UXXXX" from theses servers I get all groups in LDAP.
These servers are working fine for a long time.

Now I have configured a file server (not logon server, sambafs1), as a
member of the domain served by those servers (this with v3.3.8). I
have configured the LDAP client, so I can do "getent passwd" and
"getent group" and I see all objects from LDAP. Next, I have
configured Samba with this conf:

[global]
unix charset = LOCALE
workgroup = XXXXX.YYYYY
server string = Samba FS XXXXX.YYYYY - ZZZZZZZZZ

security = domain
encrypt passwords = yes
password server = sambapdc1 sambapdc2
wins server = sambapdc1 sambapdc2

syslog = 0
log level = 2
#log level = 20
log file = /var/log/samba/%m.trace
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Opciones de gesti?n de recursos compartidos
add share command    = /bin/bash /opt/ldap/samba/smb_share_add.sh
change share command = /bin/bash /opt/ldap/samba/smb_share_add.sh
delete share command = /bin/bash /opt/ldap/samba/smb_share_del.sh

map acl inherit = Yes

Next, I have joined the Samba FS in the domain, using the command "net
rpc join -UXXXXXX", without any errors. Now, If I run "net rpc group
-S sambafs1 -UXXXXX", I get no groups. Is this normal? As Samba can't
see any groups, I cannot assign privileges using "net rpc rights
grant", so users can manage shares from Windows using the add, change
and delete share commands.

Thanks in advance. Regards,

Hi,
what about wins server= server1 server2.
I did not know this is working!?
What about the ldap-server settings in your member servers smb.conf?:

ldap admin dn=cn=xxxx,dc=xxxxx,dc=xxxx
        ldap suffix= dc=xxxx,dc=xxxxx
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        idmap backend=ldap:ldap://xxxxxxxxxxxxx<-- your passwordserver
        idmap uid=15000-20000
        idmap gid=15000-20000

-----------------------------------------------
EDV Daniel M?ller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 T?bingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Urspr?ngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
Im Auftrag von Juan Asensio S?nchez
Gesendet: Freitag, 28. Januar 2011 08:55
An: samba at lists.samba.org
Betreff: [Samba] Samba File Server as Domain Member of Samba PDC

Hi

We have configured 2 PDC Samba (v3.0.33, sambapdc1 and sambapdc2)
servers using LDAP (389 DS v1.2.5) as its database backend. If I run
"net rpc user -UXXXX" from theses servers I get all groups in LDAP.
These servers are working fine for a long time.

Now I have configured a file server (not logon server, sambafs1), as a
member of the domain served by those servers (this with v3.3.8). I
have configured the LDAP client, so I can do "getent passwd" and
"getent group" and I see all objects from LDAP. Next, I have
configured Samba with this conf:

[global]
unix charset = LOCALE
workgroup = XXXXX.YYYYY
server string = Samba FS XXXXX.YYYYY - ZZZZZZZZZ

security = domain
encrypt passwords = yes
password server = sambapdc1 sambapdc2
wins server = sambapdc1 sambapdc2

syslog = 0
log level = 2
#log level = 20
log file = /var/log/samba/%m.trace
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Opciones de gesti?n de recursos compartidos
add share command    = /bin/bash /opt/ldap/samba/smb_share_add.sh
change share command = /bin/bash /opt/ldap/samba/smb_share_add.sh
delete share command = /bin/bash /opt/ldap/samba/smb_share_del.sh

map acl inherit = Yes

Next, I have joined the Samba FS in the domain, using the command "net
rpc join -UXXXXXX", without any errors. Now, If I run "net rpc group
-S sambafs1 -UXXXXX", I get no groups. Is this normal? As Samba can't
see any groups, I cannot assign privileges using "net rpc rights
grant", so users can manage shares from Windows using the add, change
and delete share commands.

Thanks in advance. Regards,
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

2011/1/28 Juan Asensio S?nchez <okelet at
gmail.com>:
> We have configured 2 PDC Samba (v3.0.33, sambapdc1 and sambapdc2)
> servers using LDAP (389 DS v1.2.5) as its database backend. If I run
> "net rpc user -UXXXX" from theses servers I get all groups in
LDAP.
> These servers are working fine for a long time.
>
> Now I have configured a file server (not logon server, sambafs1), as a
> member of the domain served by those servers (this with v3.3.8). I
> have configured the LDAP client, so I can do "getent passwd" and
> "getent group" and I see all objects from LDAP. Next, I have
> configured Samba with this conf:
(snip)
> Next, I have joined the Samba FS in the domain, using the command "net
> rpc join -UXXXXXX", without any errors. Now, If I run "net rpc
group
> -S sambafs1 -UXXXXX", I get no groups. Is this normal? As Samba
can't
> see any groups, I cannot assign privileges using "net rpc rights
> grant", so users can manage shares from Windows using the add, change
> and delete share commands.
This is an expected behavior.

"net rpc group -S sambafs1 -UXXXXX" returns local groups defined on
sambafs1, not
domain groups.

Recently (3.0.24 and after) no groups are defined by default. so you
should get no
(local) groups.
> I cannot assign privileges using "net rpc rights grant"
Do you use winbind? If not, you should create a local admin user:

  sambafs1# pdbedit -a root

And try like:
 sambafs1# net rpc rights grant  DOMAINNAME\\USERNAME
SeAddUsersPrivilege -U sambafs1\\root

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>