Hi Denis,

my smb.conf on PDC (hostname=donald) looks like that:
[global]
        workgroup = MYDOM
        server string = Fileserver
        interfaces = 172.16.0.1/16, 127.0.0.1
        update encrypted = Yes
        map to guest = Bad User
        passdb backend = ldapsam:ldap://172.16.0.1
        log level = 2
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 500
        name resolve order = hosts wins lmhosts bcast
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        cups server = 127.0.0.1
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
        delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -a '%g'
        delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%u' '%g'
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%u' '%g'
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
        logon script = %U.bat
        logon path = \\donald\profiles\%U
        logon drive = U:
        domain logons = Yes
        os level = 254
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=root,dc=foobar,dc=com
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=computers
        ldap passwd sync = yes
        ldap suffix = dc=foobar,dc=com
        ldap ssl = no
        ldap user suffix = ou=users
        admin users = admin, "@Domain Admins"
        cups options = raw
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/

The smb.conf of my member server (=pluto) which is just serving fileservices 
looks like that:
[global]
        workgroup = MYDOM
        netbios name = PLUTO
        security = domain
        enable privileges = yes
        server string = Samba Server %v
        encrypt passwords = true
        unix password sync = yes
        ldap passwd sync = yes
        ldap ssl = off
        passwd program = /usr/sbin/smbldap-passwd -u "%u"
        passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
        log level = 3
        syslog = 2
        log file = /var/log/samba/log.%m
        max log size = 100000
        mangling method = hash2
        Dos charset = 850
        Unix charset = UTF-8
        password server  = *
        domain logons = No
        domain master = No
        passdb backend = ldapsam:ldap://172.16.0.1/
        ldap admin dn = cn=root,dc=foobar,dc=com
        ldap suffix = dc=foobar,dc=com
        ldap group suffix = ou=groups
        ldap user suffix = ou=users
        ldap machine suffix = ou=computers
        ldap idmap suffix = ou=idmap
        admin users = admin
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        load printers = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        preserve case = yes
        short preserve case = yes
        case sensitive = no

I also realized that pdbedit -L on the PDC outputs everything correct. But when 
I execute pdbedit -L on the member server "pluto" I get for every account an 
error like:

sid S-1-5-21-1062190697-4189521229-2202214947-1080 does not belong to our domain

Here's the output of some other useful commands:

root@donald:~ # net getdomainsid
SID for local machine DONALD is: S-1-5-21-1062190697-4189521229-2202214947
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947

root@pluto:~# net getdomainsid
SID for local machine PLUTO is: S-1-5-21-1434506976-3680264795-2229774564
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947

Samba4 really rocks, I already work with that, but on another environment ;)
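The two net getdomainsid outputs above differ in exactly one value: the local machine SID of pluto is not the domain SID, while on donald both are the same. As an added example (not code from the thread or from Samba), the Python below parses that output, splits an account SID into its issuing SID and RID, and reports whether an account SID such as the one from the pdbedit error was issued by the domain SID or by the host's own machine SID. The sample strings are constructed from the values quoted above, and the well-known RID table is a small hand-picked subset of the one in the Microsoft KB article Denis cites.

```python
import re

# Constructed sample: the two `net getdomainsid` outputs quoted in the thread.
DONALD_GETDOMAINSID = """\
SID for local machine DONALD is: S-1-5-21-1062190697-4189521229-2202214947
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947
"""
PLUTO_GETDOMAINSID = """\
SID for local machine PLUTO is: S-1-5-21-1434506976-3680264795-2229774564
SID for domain MYDOM is: S-1-5-21-1062190697-4189521229-2202214947
"""

# Subset of the well-known RIDs in the S-1-5-21-<domain> namespace (KB 243330).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

_GETDOMAINSID_RE = re.compile(r"SID for (local machine|domain) \S+ is: (\S+)")


def parse_getdomainsid(output):
    """Return {"local": <machine SID>, "domain": <domain SID>} from `net getdomainsid` text."""
    sids = {}
    for line in output.splitlines():
        m = _GETDOMAINSID_RE.match(line.strip())
        if m:
            sids["local" if m.group(1) == "local machine" else "domain"] = m.group(2)
    return sids


def split_sid(sid):
    """Split an account SID into (issuing SID, RID); reject anything that is not S-1-5-21-a-b-c-rid."""
    parts = sid.split("-")
    if (len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]
            or not all(p.isdigit() for p in parts[1:])):
        raise ValueError("not an S-1-5-21 account SID: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])


def classify(sid, sids):
    """Say which SAM issued an account SID: 'domain', 'local' (this host's machine SID) or 'foreign'."""
    issuer, _rid = split_sid(sid)
    if issuer == sids["domain"]:
        return "domain"
    if issuer == sids["local"]:
        return "local"
    return "foreign"


def local_sid_matches_domain(sids):
    """True when the host's own machine SID equals the domain SID, as on the PDC donald."""
    return sids["local"] == sids["domain"]


def describe_rid(sid):
    """Name the RID when it is a well-known one, else None."""
    return WELL_KNOWN_RIDS.get(split_sid(sid)[1])


def report(sid, output):
    """Combine the checks for one account SID against one host's `net getdomainsid` output."""
    sids = parse_getdomainsid(output)
    return {"issuer": classify(sid, sids),
            "well_known": describe_rid(sid),
            "local_is_domain": local_sid_matches_domain(sids)}


if __name__ == "__main__":
    # The account SID from the pdbedit error on pluto.
    sid = "S-1-5-21-1062190697-4189521229-2202214947-1080"
    for host, out in (("donald", DONALD_GETDOMAINSID), ("pluto", PLUTO_GETDOMAINSID)):
        print(host, report(sid, out))
```

Run against the thread's values, the account SID is reported as issued by the domain SID on both hosts, but only pluto shows local_is_domain as False; that is the discrepancy worth confirming before changing anything in the SID or passdb configuration of a member server.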

Wed 15 May 2013 12:46:55 +0400, Denis Cardon wrote:
Hi Lucas,

> on both samba hosts (donald and pluto) these commands work great:
>
> id johndoe
> getent group
> getent passwd
>
> My pluto:/etc/nsswitch.conf looks like that:
> [...]
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap
> [...]
>
> I want to add, that the described problem works fine if I try it on a share 
> on "donald", my domain controller. The users are displayed fine under the 
> security tab. So where could be the problem?

Users may be displayed because they are resolved through a query to the PDC.

If your nsswitch works properly, then I think we ought to look into your 
smb.conf. Could you please post the global part? Are you using 
security=user or security=domain?

What do you get with pdbedit -L -v ?

By the way, samba4 rocks and it is much easier to setup. You should try it.

Cheers,

Denis

>
> Lucas
>
> Tue 14 May 2013 19:57:00 +0400, Denis Cardon wrote:
> Hi Lucas,
>
>> I am struggling around with Windows ACLs and cannot find a solution nor how 
>> to troubleshoot that. I have two samba3 hosts. Hostname "donald" is my 
>> domain controller with samba 3.x + OpenLDAP server running. Hostname "pluto" 
>> is my other samba 3.x server which was joined to my domain. I use LDAP for 
>> my users+groups. I dont have winbind on my machines. On hostname "pluto" I 
>> have a share in smb.conf which says:
>>
>> [free4all]
>>         path = /data/free4all
>>         read only = No
>>         create mask = 0777
>>         directory mask = 0777
>>         vfs object = acl_xattr
>>         nt acl support = yes
>>         dos filemode = yes
>>
>> "testparm -s -a -v |grep acl" shows me:
>>
>>         acl compatibility = auto
>>         acl check permissions = Yes
>>         acl group control = No
>>         acl map full control = Yes
>>         force unknown acl user = No
>>         inherit acls = No
>>         nt acl support = Yes
>>         profile acls = No
>>         map acl inherit = No
>>         vfs objects = acl_xattr
>>         force unknown acl user = Yes
>>
>> On a windows client I am right-clicking on \\pluto\free4all\subdir and 
>> choose the "Security" tab. I see a user called "Everyone" and a user without 
>> username, but only SID number. The SID is 
>> S-1-5-21-blablabla-1234567-blabla-500.  I manually checked this SID at my 
>> LDAP database. Funnily I have two users with this same SID, one is called 
>> "root" and the is called "admin". Weird, but not important imho at this 
>> point.
>
> Rid -500 is part of the well known SID, it should be for admin user and
> shouldn't be used for root (http://support.microsoft.com/kb/243330)
>
>> Back on the windows client, inside the "Security" tab, I click on "Add" and 
>> choose a user of my Domain Users. I see him in the list. But as soon as I 
>> click "Apply" on this window, the user disappears from the security tab 
>> list. The logfile at samba-server hostname=pluto outputs:
>>
>> [2013/05/14 15:48:08.861822,  0] 
>> smbd/posix_acls.c:1755(create_canon_ace_lists)
>>     create_canon_ace_lists: unable to map SID 
>> S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
>>
>> This SID was the user I tried to add. Why does this not work and how should 
>> I fix or even troubleshoot that? I really need some assistance, I have no 
>> clue what else to try. Thanks to everyone.
>
> Are you sure that there is a uid/gid mapping for your samba users on
> your server. For instance, if you type "id myusername" or "getent
> passwd", do you get a uid?
>
> If not, you should check if your /etc/nsswitch.conf configuration is ok.
> If you don't use winbind, you should have nssldap configured.
>
> Cheers,
>
> Denis
>
>>
>> Lucas.
>>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr