samba-users July 2010 archive
samba-users: Re: [Samba] Samba LDAP ignores group information

Re: [Samba] Samba LDAP ignores group information

From: Ssureshot <ssureshot_at_nospam>
Date: Tue Jul 27 2010 - 18:14:18 GMT
To: alexander@nautae.eti.br

alexander@nautae.eti.br wrote:
> Hi.
>
> Excuse my English.
>
> I've installed Samba+OpenLDAP as a PDC.
>
> Everything works fine but Samba completely ignores group information.
>
> Linux is ok.
>
> Any clue? I'm going crazy here!
>
> Here's the situation:
>
> user: fish1
> home dir: /home/realm/swim/fish1
> primary group: swimmers
> other groups: smokers
>
> Directory of smoker's group: /home/realm/smokers
>
> Here's an 'ls -l' on smoker's parent dir:
>
> drwxrws--- 19 cigarr smokers 2208 Jul 27 2010 smokers
>
>
> Here's the share:
>
> [smokers]
> comment = Smoking
> path = /home/realm/smokers
> valid users = @smokers @swimmers @support
> public = no
> writable = yes
> browseable = yes
> create mask = 0777
> force create mode = 0777
> force directory mode = 0777
> directory mode = 0777
>
> Here's 'id' information:
>
> # id fish1
> uid=1193(fish1) gid=1012(swimmers) groups=1013(smokers)
>
>
> So, when user fish1 tries to enter the 'smokers' share: permission denied.
>
> If I give all permissions to 'others', fish1 can use the share normally.
>
> This only happens when I try to access using Windows. Linux is ok.
>
> Any idea?
>
> Seems to be an error between Samba and OpenLDAP...
>
> Here's smbldap-usershow:
>
> #smbldap-usershow fish1
>
> dn: uid=fish1,ou=swimmers,ou=people,dc=example,dc=com
> objectClass:
> top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
> cn: fish1
> sn: fish1
> givenName: fish1
> uid: fish1
> uidNumber: 1193
> gidNumber: 1012
> homeDirectory: /home/realm/swim/fish1
> loginShell: /bin/bash
> gecos: System User
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: angela
> sambaSID: S-1-5-21-158730468-2379596502-3695168017-0001
> sambaPrimaryGroupSID: S-1-5-21-158730468-2379596502-3695168017-0002
> sambaLogonScript: swimmers.bat
> sambaProfilePath: \\REALMSERV\profiles\fish1
> sambaHomePath: \\REALMSERV\fish1
> sambaHomeDrive: U:
> sambaLMPassword: C665AEE66EF2A261AAD3B435B5143E3E
> sambaAcctFlags: [U]
> sambaNTPassword: 84AC02807D3D1C7000A79BD0E97BAEFEF
> sambaPwdLastSet: 1280219188
> sambaPwdMustChange: 2144132788
> userPassword: {CRYPT}c28JIqzpe43e
> shadowLastChange: 14817
> shadowMax: 9999
>
> Here's /etc/ldap.conf
>
> base dc=example,dc=com
> uri ldapi:///127.0.0.1
> uri ldap://127.0.0.1
> ldap_version 3
> binddn cn=admin,dc=example,dc=com
> bindpw mysecret
> rootbinddn cn=admin,dc=example,dc=com
> scope sub
> bind_policy soft
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_check_host_attr yes
> pam_member_attribute memberUid
> pam_password md5
> nss_base_passwd ou=people,dc=example,dc=com?sub
> nss_base_passwd ou=computers,dc=example,dc=com?sub
> nss_base_group ou=groups,dc=example,dc=com?sub
>
> And the smbldap.conf:
>
> SID="S-1-5-21-158730468-2379596502-3695168017"
> sambaDomain="REALM"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> verify="require"
> cafile=""
> clientcert=""
> clientkey=""
> suffix="dc=example,dc=com"
> usersdn="ou=people,${suffix}"
> computersdn="ou=computers,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
> scope="sub"
> hash_encrypt="CRYPT"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userGecos="System User"
> defaultUserGid="543"
> defaultComputerGid="543"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="9999"
> userSmbHome="\\REALMSERV\%U"
> userProfile="\\REALMSERV\profiles\%U"
> userHomeDirectoryMode="700"
> userHomeDrive="U:"
> userScript="%g.bat"
> mailDomain="example.com"
> with_smbpasswd="0"
> smbpasswd="/usr/bin/smbpasswd"
> with_slappasswd="0"
> slappasswd="/usr/sbin/slappasswd"
>
> And finally, smb.conf:
>
> workgroup = REALM
> netbios name = REALMSERV
> server string = My Realm %v
> security = user
> encrypt passwords = yes
> load printers = yes
> log file = /var/log/samba/log.%m
> max log size = 50
> os level = 33
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> #admin users = god
> logon script = %g.bat
> logon path = \\%L\profiles\%U
> #logon path = \\%N\profiles\%U
> wins support = no
> dns proxy = no
> ldap passwd sync = yes
> ldap delete dn = yes
> passdb backend = ldapsam:ldap://127.0.0.1
> ldap admin dn = cn=admin,dc=example,dc=com
> ldap suffix = dc=example,dc=com
> ldap group suffix = ou=groups
> ldap user suffix = ou=people
> ldap machine suffix = ou=computers
> create mask = 600
> directory mask = 0700
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> I'm lost...
>
> []s
> Alexander
> Brazil
>
It sounds as though the groups aren't mapped for Windows within Samba.

try
# net groupmap list

Does this give you any groups? Are the groups you're working with included?

How did you create the groups? smbldap-groupadd, I hope?
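The check suggested in the reply, carried a step further as an added example (not code from the thread or from the Samba project): for each `@group` in the share's `valid users` line, it cross-references an LDIF dump of the group OU with the output of `net groupmap list`, and tells you whether the group is a plain posixGroup with no sambaGroupMapping (the symptom described above), whether the SID in LDAP is not visible to Samba at all, and whether the user is a member either via memberUid or via the primary gidNumber. Both inputs are constructed here in the shape you would capture on the PDC (`net groupmap list` and `ldapsearch -x -LLL -b ou=groups,dc=example,dc=com`); the RIDs, the `support` group and the memberUid lists are assumptions, and the suggested `net groupmap add` command is the form documented in net(8).

```python
"""Cross-check a share's `valid users` groups against LDAP and `net groupmap list`.

Added example, not from the thread or from Samba. Inputs below are constructed
to match the thread; RIDs, the 'support' group and memberUid lists are assumed.
"""
import re

DOMAIN_SID = "S-1-5-21-158730468-2379596502-3695168017"   # from the thread's smbldap.conf

# Constructed `net groupmap list` output ("NT name (SID) -> unix group").
# 'smokers' and 'support' deliberately do not appear.
GROUPMAP_LIST = f"""\
Domain Admins ({DOMAIN_SID}-512) -> domadmins
Domain Users ({DOMAIN_SID}-513) -> domusers
swimmers ({DOMAIN_SID}-3025) -> swimmers
"""

# Constructed LDIF for ou=groups: 'smokers' is a posixGroup with no sambaGroupMapping,
# 'support' has a sambaSID in LDAP but is missing from the groupmap output above.
GROUPS_LDIF = f"""\
dn: cn=swimmers,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: swimmers
gidNumber: 1012
sambaSID: {DOMAIN_SID}-3025
sambaGroupType: 2

dn: cn=smokers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: smokers
gidNumber: 1013
memberUid: cigarr
memberUid: fish1

dn: cn=support,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: support
gidNumber: 1020
sambaSID: {DOMAIN_SID}-3041
sambaGroupType: 2
memberUid: helpdesk
"""

GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-\d+(?:-\d+)+)\) -> (?P<unix>\S+)\s*$")


def parse_groupmap(text):
    """Parse `net groupmap list` output into {unix_group: (nt_name, sid)}."""
    mapped = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line)
        if m:
            mapped[m.group("unix")] = (m.group("nt"), m.group("sid"))
    return mapped


def parse_ldif(text):
    """Minimal LDIF reader: {cn: {attr_lowercase: [values]}}. Unfolds continuation
    lines; base64 ('::') values are left encoded, which is fine for names and SIDs."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    groups, entry = {}, None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if entry and "cn" in entry:
                groups[entry["cn"][0]] = entry
            entry = None
            continue
        attr, _, value = line.partition(":")
        if entry is None:
            entry = {}
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return groups


def audit_share(valid_users, groupmap_text, ldif_text, user, primary_gid):
    """For each @group in `valid users`, say whether Samba can resolve it and whether
    `user` belongs to it. Returns {group: {"status", "member", "fix"}}."""
    groupmap = parse_groupmap(groupmap_text)
    groups = parse_ldif(ldif_text)
    report = {}
    for token in valid_users.split():
        if not token.startswith("@"):
            continue                       # plain user names are not the issue here
        name = token[1:]
        entry = groups.get(name)
        fix = None
        if entry is None:
            status = "missing"             # no posixGroup under the group suffix at all
        elif "sambagroupmapping" not in [c.lower() for c in entry.get("objectclass", [])]:
            status = "unmapped"            # Unix-only group: Samba has no SID for it
            fix = f"net groupmap add unixgroup={name} ntgroup={name} type=domain"
        elif name not in groupmap:
            status = "stale-map"           # SID in LDAP, but net groupmap cannot see it
            fix = "check 'ldap group suffix' and 'passdb backend' in smb.conf, then re-run net groupmap list"
        else:
            status = "mapped"
        member = bool(entry) and (
            user in entry.get("memberuid", [])
            or entry.get("gidnumber", [""])[0] == str(primary_gid)
        )
        report[name] = {"status": status, "member": member, "fix": fix}
    return report


if __name__ == "__main__":
    result = audit_share("@smokers @swimmers @support", GROUPMAP_LIST, GROUPS_LDIF, "fish1", 1012)
    for group, info in result.items():
        print(f"{group:10} {info['status']:10} member={info['member']}  {info['fix'] or ''}")
```

With the constructed data the script reports `swimmers` as mapped (fish1 is a member through its primary gidNumber, not memberUid), `smokers` as unmapped with the `net groupmap add` line to run, and `support` as present in LDAP but invisible to `net groupmap list`, which points at the group suffix or passdb backend rather than at the group itself. Creating groups with `smbldap-groupadd` adds the sambaGroupMapping objectClass and sambaSID in one step, which is why the reply asks how the groups were created.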