Dear samba users,

I have a very strange problem. I have a Samba PDC up and running, but only one thing is missing. I cannot see any Domain Groups at all.
Here is my config:

Debian Squeeze:
ii  samba             2:3.5.6~dfsg-3squeeze8  SMB/CIFS file, print, and login server for Unix
ii  samba-common      2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
ii  samba-common-bin  2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
ii  samba-doc         2:3.5.6~dfsg-3squeeze8  Samba documentation

/etc/samba/smb.conf
[global]
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = EXAMPLE
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
syslog = 0
time server = Yes
log file = /var/log/samba/samba.log
log level = 3
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
delete user script = /usr/sbin/smbldap-userdel %u -r %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
domain logons = Yes
os level = 10
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=example,dc=sk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=example,dc=sk
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0644
    directory mask = 0700
    browseable = No
    path = /data/samba/homes

[netlogon]
    comment = Network Logon Service
    path = /data/samba/netlogon
    read only = No
    guest ok = Yes
    locking = No
    share modes = No

[profiles]
    comment = Users profiles
    path = /data/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    hide files = /desktop.ini/
    browseable = No

/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

/etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 127.0.0.1
base dc=example,dc=sk
binddn cn=admin,dc=example,dc=sk
bindpw secret
bind_policy soft
pam_password exop
timelimit 15

nss_base_passwd ou=Users,dc=example,dc=sk
nss_base_shadow ou=Users,dc=example,dc=sk
nss_base_group ou=Groups,dc=example,dc=sk

net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

net groupmap list
Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

The strange thing is, if I try on Win XP to search groups, I see in logs:
smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))],scope => [2], pagesize => [1024]

If I try to search in ldap with that filter, I always get zero matches.

I also tried to use wbinfo, wbinfo -u lists all my users, wbinfo -g list is empty. If I try getent passwd and getent group I see all my users and groups.
Can somebody help me with this?

Thank you!

On 18:32:29 wrote Andrej Šimko:
> Dear samba users,
>
> I have a very strange problem. I have a Samba PDC up and running, but
> only one thing is missing. I cannot see any Domain Groups at all.
...
> net getdomainsid
> SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
> SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
>
> net groupmap list
> Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
> Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
> Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
> Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
>
>
> The strange thing is, if I try on Win XP to search groups, I see in logs:
> smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
> smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
> smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-3

# net help rpc group
Usage:
net rpc group
    Alias for net rpc group list global local builtin
net rpc group add
    Create specified group
net rpc group delete
    Delete specified group
net rpc group addmem
    Add member to group
net rpc group delmem
    Remove member from group
net rpc group list
    List groups
net rpc group members
    List group members
net rpc group rename
    Rename group

# net -U root rpc group members Administrators
EUROPA\Domain Admins

view this output:
# ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))'
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
memberUid: Administrator
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

dn: cn=guests,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: guests
memberUid: nobody
description: Netbios Domain Guests
sambaSID: S-1-5-32-546
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-514
sambaGroupType: 4
displayName: Guests

dn: cn=AccountOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: AccountOperators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Account Operators

dn: cn=PrintOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: PrintOperators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Print Operators

dn: cn=BackupOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: BackupOperators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Backup Operators

dn: cn=Replicators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replicators

> If I try to search in ldap with that filter, I always get zero
> matches.
>
> I also tried to use wbinfo, wbinfo -u lists all my users, wbinfo -g
> list is empty. If I try getent passwd and getent group I see all my
> users and groups.
> Can somebody help me with this?
>
> Thank you!

--
Regards
Harry Jede

Hai,

The debian 3.5.6 is buggy, use the 3.6.6 version from backports, fixed my problems also.

Louis

>-----Original message-----
>From: andrej.simko at gmail.com [mailto:samba-bounces at lists.samba.org] On behalf of Andrej Šimko
>Sent: Friday 23 November 2012 9:11
>To: samba at lists.samba.org
>Subject: [Samba] Samba PDC group list empty

Hi Simo,

> Hi this is my listing:
>
> net -U administrator rpc group members Administrators
> Enter administrator's password:
> Couldn't list alias members

Your samba server WILL not list the members of this global group, mostly a security issue.

> ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))'
>
> ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=*))'
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 10000
> sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Your LDAP client WILL list the group members.

> Do you know what does this mean?

The reason is often "wrong configured" smbldap-tools. Check the /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.

> > > net getdomainsid
> > > SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
> > > SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

Your server and your domain have different SIDs, that may be your problem. Try:
# net setlocalsid S-1-5-21-2390795950-2727105968-4008069955

and restart samba.

> Thanks.

--
regards
Harry Jede

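The comparison Harry describes above (local SID versus domain SID from net getdomainsid), as an added example that is not part of the thread: it parses the two command outputs as posted, flags a SID mismatch, and lists any net groupmap list entry whose SID lies outside both the domain SID and BUILTIN (S-1-5-32). The function names and finding labels are made up for this example.

```python
import re

# Command output as posted in the thread.
GETDOMAINSID = """\
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
"""
GROUPMAP = """\
Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
"""

BUILTIN = "S-1-5-32"  # well-known BUILTIN domain, the same on every host
SID_LINE = re.compile(r"SID for (local machine|domain) \S+ is: (S-[\d-]+)")
MAP_LINE = re.compile(r"(.+?) \((S-[\d-]+)\) -> (.+)")


def parse_sids(text):
    """Return {'local': sid, 'domain': sid} from `net getdomainsid` output."""
    sids = {}
    for line in text.splitlines():
        m = SID_LINE.fullmatch(line.strip())
        if m:
            sids["local" if m.group(1) == "local machine" else "domain"] = m.group(2)
    return sids


def parse_groupmap(text):
    """Return [(nt_name, sid, unix_group)] from `net groupmap list` output."""
    rows = (MAP_LINE.fullmatch(line.strip()) for line in text.splitlines())
    return [m.groups() for m in rows if m]


def audit(sid_text, map_text):
    """Report a local/domain SID mismatch and every group mapping whose SID
    lies outside both the domain SID and the BUILTIN domain."""
    sids = parse_sids(sid_text)
    local, domain = sids.get("local"), sids.get("domain")
    findings = []
    if local is None or domain is None:
        findings.append(("unparsed", local, domain))
    elif local != domain:
        findings.append(("sid-mismatch", local, domain))
    for name, sid, _unix in parse_groupmap(map_text):
        prefix = sid.rpartition("-")[0]  # strip the trailing RID
        if prefix not in (domain, BUILTIN):
            findings.append(("foreign-group", name, sid))
    return findings


if __name__ == "__main__":
    for finding in audit(GETDOMAINSID, GROUPMAP):
        print(*finding)
```

On a live server the two strings would come from the output of net getdomainsid and net groupmap list instead of the embedded text.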
Hi Simo,

please post to the list !!!

> On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede <walk2sun at arcor.de> wrote:
> > Hi Simo,
> >
> > > Hi this is my listing:
> > >
> > > net -U administrator rpc group members Administrators
> > > Enter administrator's password:
> > > Couldn't list alias members
> >
> > Your samba server WILL not list the members of this global group,
> > mostly a security issue.
>
> User administrator has all rights, so I don't think it is a security
> issue. Or do you know some checks that I could try?
>
> > > ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))'
> > >
> > > ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=*))'
> > > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > > objectClass: sambaSidEntry
> > > objectClass: sambaGroupMapping
> > > sambaSID: S-1-5-32-545
> > > sambaGroupType: 4
> > > displayName: Users
> > > gidNumber: 10000
> > > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
> >
> > Your LDAP client WILL list the group members.
> >
> > > Do you know what does this mean?
> >
> > The reason is often "wrong configured" smbldap-tools. Check the
> > /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.
>
> SID in smbldap.conf is:
> SID="S-1-5-21-2390795950-2727105968-4008069955"
>
> So that is correct.
>
> > > > > net getdomainsid
> > > > > SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
> > > > > SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
> >
> > Your server and your domain have different SIDs, that may be your
> > problem. Try:
> > # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955
> >
> > and restart samba.
>
> Tried that, nothing changed.

Post:
net getdomainsid

Do the following steps (enclosed with ###) in order

###
I compared my smb.conf with yours. I have "ldap suffix" before "ldap group suffix".

ldap suffix = dc=europa,dc=xx
ldap admin dn = cn=admin,dc=europa,dc=xx
ldap group suffix = ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix = ou=machines,ou=accounts

and I have NOT installed winbindd!

###
Check if you have the groups defined in LDAP and in /etc/groups. The groups should only be in LDAP.

###
check the admin account in ldap:
# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx

Check that your ldap admin password is OK.
# tdbdump /var/lib/samba/secrets.tdb
look for:
{
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
data(12) = "ThePassword\00"
}

Try to bind with this password:
# ldapsearch -xLLL -D "cn=admin,dc=europa,dc=xx" -w ThePassword "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"

Check if root gets the same result:
# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null

###
at last, search for duplicate names:
# ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn

You should get one result.

--
Regards
Harry Jede

net getdomainsid
SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

I compared my smb.conf with yours. I have "ldap suffix" before "ldap group suffix".
I switched that but the result is still the same.

ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=example,dc=sk

tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )

ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 10000
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk

I do not see anything bad, I do not have winbindd installed....

On Tue, Nov 27, 2012 at 2:46 PM, Harry Jede <walk2sun at arcor.de> wrote:
> (displayname=users)(uid=users)))" dn
>

On Thursday, 29 November 2012 you wrote:
> I still don't understand why ldap search filter generated by samba (I
> have this from samba log) cannot find anything in database:
> smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
> [2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged)
>   smbldap_search_paged: search was successful
> [2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
>   free_pipe_context: destroying talloc pool of size 0
>
> If I remove sambaSID and try to find it in ldap, I will get all my
> groups. Filter
> (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))
>
> Is this normal behavior or my ldap configuration can be incorrect?

That's not normal. What indexes have you set?

# ldapsearch -LLLY external -H ldapi:/// -b cn=config "(objectclass=*)" olcDBIndex

These are my indexes:
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: displayName eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: mail eq,sub
olcDbIndex: dhcpHWAddress eq
olcDbIndex: dhcpClassData eq
olcDbIndex: cn eq,pres,sub
olcDbIndex: sn eq,pres,sub
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: default sub

And this shows the files:
# cd /var/lib/ldap/
# ls -l *bdb
-rw------- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
-rw------- 1 openldap openldap  8192  1. Jan 2012 dc.bdb
-rw------- 1 openldap openldap  8192 18. Nov 15:49 dhcpHWAddress.bdb
-rw------- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
-rw------- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
-rw------- 1 openldap openldap  8192 23. Aug 10:08 gidNumber.bdb
-rw------- 1 openldap openldap  8192  1. Jun 21:57 givenName.bdb
-rw------- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
-rw------- 1 openldap openldap  8192 23. Aug 10:08 loginShell.bdb
-rw------- 1 openldap openldap  8192  1. Jun 21:57 mail.bdb
-rw------- 1 openldap openldap  8192  1. Jun 2012 memberUid.bdb
-rw------- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
-rw------- 1 openldap openldap  8192  1. Jun 19:57 ou.bdb
-rw------- 1 openldap openldap  8192 23. Aug 08:54 sambaDomainName.bdb
-rw------- 1 openldap openldap  8192 10. Mai 2012 sambaGroupType.bdb
-rw------- 1 openldap openldap  8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
-rw------- 1 openldap openldap  8192 23. Aug 10:08 sambaSID.bdb
-rw------- 1 openldap openldap  8192 27. Nov 22:54 sambaSIDList.bdb
-rw------- 1 openldap openldap  8192  1. Jun 21:57 sn.bdb
-rw------- 1 openldap openldap  8192 23. Aug 10:08 uid.bdb
-rw------- 1 openldap openldap  8192 23. Aug 10:08 uidNumber.bdb
-rw------- 1 openldap openldap  8192  1. Jan 2012 uniqueMember.bdb
root at capella:/var/lib/ldap#

--
Regards
Harry Jede
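
An added example, not part of the thread: a small evaluator for the filter syntax Samba logged (&, | and attr=value with *), run over the group entry posted earlier plus one constructed entry, to show which of the logged filters those entries satisfy when matched literally. It assumes case-insensitive string comparison; a directory server applies each attribute's schema matching rules instead, so this checks the data and is not a model of slapd.

```python
import re

# Filters from the Samba log in the thread; LDIF entry 1 as posted, entry 2 constructed.
DOMAIN_SID = "S-1-5-21-2390795950-2727105968-4008069955"
LOGGED_FILTERS = [
    f"(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID={DOMAIN_SID}*))",
    f"(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID={DOMAIN_SID}*))",
    "(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))",
]
LDIF = """\
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 10000
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

dn: cn=Domain Admins,ou=Groups,dc=example,dc=sk
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-2390795950-2727105968-4008069955-512
sambaGroupType: 2
"""


def parse_ldif(text):
    """Parse unfolded LDIF; attribute names are lower-cased (LDAP ignores their case)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, value in (ln.partition(":") for ln in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def parse_filter(s, pos=0):
    """Recursive descent over (&...), (|...) and (attr=value); returns (node, next_pos)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    if s[pos + 1] in "&|":
        op, kids, pos = s[pos + 1], [], pos + 2
        while s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        node = (op, kids)
    else:
        end = s.index(")", pos)
        attr, _, pattern = s[pos + 1:end].partition("=")
        node, pos = ("=", attr.strip().lower(), pattern), end
    if s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def evaluate(node, entry):
    """Literal match: '*' is the only wildcard, values compare case-insensitively."""
    if node[0] in "&|":
        results = [evaluate(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    _, attr, pattern = node
    rx = re.compile(".*".join(map(re.escape, pattern.split("*"))), re.I)
    return any(rx.fullmatch(value) for value in entry.get(attr, []))


def search(filter_text, entries):  # DNs of the entries that satisfy filter_text
    node, _ = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if evaluate(node, e)]


if __name__ == "__main__":
    for flt in LOGGED_FILTERS:
        print(search(flt, parse_ldif(LDIF)), flt)
```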