Hi Denis,

my smb.conf on the PDC (hostname=donald) looks like that:

[global]
    workgroup = MYDOM
    server string = Fileserver
    interfaces = 172.16.0.1/16, 127.0.0.1
    update encrypted = Yes
    map to guest = Bad User
    passdb backend = ldapsam:ldap://172.16.0.1
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 500
    name resolve order = hosts wins lmhosts bcast
    socket options = IPTOS_LOWDELAY TCP_NODELAY
    cups server = 127.0.0.1
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
    delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -a '%g'
    delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%u' '%g'
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%u' '%g'
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
    logon script = %U.bat
    logon path = \\donald\profiles\%U
    logon drive = U:
    domain logons = Yes
    os level = 254
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=root,dc=foobar,dc=com
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=computers
    ldap passwd sync = yes
    ldap suffix = dc=foobar,dc=com
    ldap ssl = no
    ldap user suffix = ou=users
    admin users = admin, "@Domain Admins"
    cups options = raw
    veto files = /*.eml/*.nws/riched20.dll/*.{*}/
The smb.conf of my member server (=pluto), which is just serving file services, looks like that:

[global]
    workgroup = MYDOM
    netbios name = PLUTO
    security = domain
    enable privileges = yes
    server string = Samba Server %v
    encrypt passwords = true
    unix password sync = yes
    ldap passwd sync = yes
    ldap ssl = off
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
    log level = 3
    syslog = 2
    log file = /var/log/samba/log.%m
    max log size = 100000
    mangling method = hash2
    Dos charset = 850
    Unix charset = UTF-8
    password server = *
    domain logons = No
    domain master = No
    passdb backend = ldapsam:ldap://172.16.0.1/
    ldap admin dn = cn=root,dc=foobar,dc=com
    ldap suffix = dc=foobar,dc=com
    ldap group suffix = ou=groups
    ldap user suffix = ou=users
    ldap machine suffix = ou=computers
    ldap idmap suffix = ou=idmap
    admin users = admin
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    load printers = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    preserve case = yes
    short preserve case = yes
    case sensitive = no

I also realized that pdbedit -L on the PDC outputs everything correctly.
But when I execute pdbedit -L on the member server "pluto" I get for every account an error like:

    sid S-1-5-21-1062190697-4189521229-2202214947-1080 does not belong to our domain

Here's the output of some other useful commands:

    root@donald:~ # net getdomainsid
    SID for local machine DONALD is: S-1-5-21-1062190697-4189521229-2202214947
    SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947

    root@pluto:~# net getdomainsid
    SID for local machine PLUTO is: S-1-5-21-1434506976-3680264795-2229774564
    SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947

Samba4 really rocks, I already work with that, but in another environment ;)

Wed 15 May 2013 12:46:55 +0400, Denis Cardon wrote:

Hi Lucas,

> on both samba hosts (donald and pluto) these commands work great:
>
> id johndoe
> getent group
> getent passwd
>
> My pluto:/etc/nsswitch.conf looks like that:
> [...]
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
> [...]
>
> I want to add that the described problem works fine if I try it on a share
> on "donald", my domain controller. The users are displayed fine under the
> security tab. So where could be the problem?

Users may be displayed because of the query to the PDC.

If your nsswitch works properly, then I think we ought to look into your smb.conf. Could you please post the global part? Are you using security=user or security=domain? What do you get with pdbedit -L -v ?

By the way, samba4 rocks and it is much easier to set up. You should try it.

Cheers,

Denis

> Lucas
>
> Tue 14 May 2013 19:57:00 +0400, Denis Cardon wrote:
> Hi Lucas,
>
>> I am struggling around with Windows ACLs and cannot find a solution nor how
>> to troubleshoot that. I have two samba3 hosts. Hostname "donald" is my
>> domain controller with samba 3.x + OpenLDAP server running. Hostname "pluto"
>> is my other samba 3.x server which was joined to my domain. I use LDAP for
>> my users+groups. I don't have winbind on my machines.
>> On hostname "pluto" I have a share in smb.conf which says:
>>
>> [free4all]
>>     path = /data/free4all
>>     read only = No
>>     create mask = 0777
>>     directory mask = 0777
>>     vfs object = acl_xattr
>>     nt acl support = yes
>>     dos filemode = yes
>>
>> "testparm -s -a -v | grep acl" shows me:
>>
>>     acl compatibility = auto
>>     acl check permissions = Yes
>>     acl group control = No
>>     acl map full control = Yes
>>     force unknown acl user = No
>>     inherit acls = No
>>     nt acl support = Yes
>>     profile acls = No
>>     map acl inherit = No
>>     vfs objects = acl_xattr
>>     force unknown acl user = Yes
>>
>> On a windows client I am right-clicking on \\pluto\free4all\subdir and
>> choose the "Security" tab. I see a user called "Everyone" and a user without
>> username, but only a SID number. The SID is
>> S-1-5-21-blablabla-1234567-blabla-500. I manually checked this SID in my
>> LDAP database. Funnily I have two users with this same SID, one is called
>> "root" and the other is called "admin". Weird, but not important imho at this
>> point.
>
> Rid -500 is part of the well-known SIDs, it should be for the admin user and
> shouldn't be used for root (http://support.microsoft.com/kb/243330)
>
>> Back on the windows client, inside the "Security" tab, I click on "Add" and
>> choose a user of my Domain Users. I see him in the list. But as soon as I
>> click "Apply" on this window, the user disappears from the security tab
>> list. The logfile at samba-server hostname=pluto outputs:
>>
>> [2013/05/14 15:48:08.861822, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
>>   create_canon_ace_lists: unable to map SID S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
>>
>> This SID was the user I tried to add. Why does this not work and how should
>> I fix or even troubleshoot that? I really need some assistance, I have no
>> clue what else to try. Thanks to everyone.
>
> Are you sure that there is a uid/gid mapping for your samba users on
> your server?
> For instance, if you type "id myusername" or "getent passwd", do you get a uid?
>
> If not, you should check if your /etc/nsswitch.conf configuration is ok.
> If you don't use winbind, you should have nssldap configured.
>
> Cheers,
>
> Denis
>
>> Lucas.
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
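Added example (not code from the thread or from Samba): a small POSIX shell check that parses the two net getdomainsid outputs Lucas posted and applies the test behind the "does not belong to our domain" message, i.e. whether an account SID is a given SID plus one trailing RID. It shows that the SID from the pdbedit error carries the MYDOM prefix while pluto's own local SID is different; the sample strings are copied from the thread, the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the thread): compare local vs. domain SID per host
# and test whether an account SID belongs to a given domain SID.

# Constructed sample input: the `net getdomainsid` output quoted in the thread.
DONALD_OUT='SID for local machine DONALD is: S-1-5-21-1062190697-4189521229-2202214947
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947'
PLUTO_OUT='SID for local machine PLUTO is: S-1-5-21-1434506976-3680264795-2229774564
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947'

# sid_field OUTPUT PATTERN: print the SID from the first line matching PATTERN.
sid_field() {
    printf '%s\n' "$1" | sed -n "/$2/s/.*: //p" | head -n 1
}

# sid_domain_part ACCOUNT_SID: strip the trailing RID (e.g. "-1080").
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# sid_in_domain ACCOUNT_SID DOMAIN_SID: succeed if ACCOUNT_SID is DOMAIN_SID-<rid>.
sid_in_domain() {
    [ "$(sid_domain_part "$1")" = "$2" ]
}

# local_sid_matches_domain OUTPUT: succeed if the host's own SID equals the
# domain SID, as it does on the PDC donald but not on the member server pluto.
local_sid_matches_domain() {
    [ "$(sid_field "$1" 'local machine')" = "$(sid_field "$1" 'for domain')" ]
}

# report OUTPUT HOST: one-line summary per host.
report() {
    if local_sid_matches_domain "$1"; then
        echo "$2: local SID equals domain SID"
    else
        echo "$2: local SID $(sid_field "$1" 'local machine') differs from domain SID $(sid_field "$1" 'for domain')"
    fi
}

report "$DONALD_OUT" donald
report "$PLUTO_OUT" pluto

# The SID from the pdbedit error on pluto has the MYDOM prefix, not pluto's own.
ACCT=S-1-5-21-1062190697-4189521229-2202214947-1080
sid_in_domain "$ACCT" "$(sid_field "$PLUTO_OUT" 'for domain')" && echo "$ACCT belongs to MYDOM"
sid_in_domain "$ACCT" "$(sid_field "$PLUTO_OUT" 'local machine')" || echo "$ACCT does not belong to PLUTO's local SID"
```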