I'm responding to my own message below with more data.

oink:/home # net rpc group members engr
Password:
CORP1\root

smbldap-groupmod -x root engr
...
0000  307: SEQUENCE {
0004    1:   INTEGER = 3
0007  300:   [APPLICATION 4] {
000B   38:     STRING = 'cn=engr,ou=groups,dc=borkholder,dc=com'
0033  256:     SEQUENCE {
0037   12:       SEQUENCE {
0039    2:         STRING = 'cn'
003D    6:         SET {
003F    4:           STRING = 'engr'
0045     :         }
0045     :       }
0045   19:       SEQUENCE {
0047    9:         STRING = 'gidNumber'
0052    6:         SET {
0054    4:           STRING = '1001'
005A     :         }
005A     :       }
005A   21:       SEQUENCE {
005C   11:         STRING = 'displayName'
0069    6:         SET {
006B    4:           STRING = 'engr'
0071     :         }
0071     :       }
0071   21:       SEQUENCE {
0073   14:         STRING = 'sambaGroupType'
0083    3:         SET {
0085    1:           STRING = '2'
0088     :         }
0088     :       }
0088   59:       SEQUENCE {
008A    9:         STRING = 'memberUid'
0095   46:         SET {
0097    3:           STRING = 'pat'
009C    5:           STRING = 'chuck'
00A3    6:           STRING = 'jeremy'
00AB    5:           STRING = 'jerry'
00B2    4:           STRING = 'paul'
00B8    5:           STRING = 'roger'
00BF    4:           STRING = 'todd'
00C5     :         }
00C5     :       }
00C5   51:       SEQUENCE {
00C7   11:         STRING = 'objectClass'
00D4   36:         SET {
00D6    3:           STRING = 'top'
00DB   10:           STRING = 'posixGroup'
00E7   17:           STRING = 'sambaGroupMapping'
00FA     :         }
00FA     :       }
00FA   59:       SEQUENCE {
00FC    8:         STRING = 'sambaSID'
0106   47:         SET {
0108   45:           STRING = 'S-1-5-21-725326080-1709766072-2910717368-1001'
0137     :         }
0137     :       }
0137     :     }
0137     :   }
0137     : }

Net::LDAP=HASH(0x84b2b48) received:

30 0C 02 01 03 65 07 0A 01 00 04 00 04 00 __ __ 0....e........

0000   12: SEQUENCE {
0002    1:   INTEGER = 3
0005    7:   [APPLICATION 5] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }

Net::LDAP=HASH(0x84b2b48) sending:

30 53 02 01 04 63 4E 04 26 63 6E 3D 65 6E 67 72 0S...cN.&cn=engr
2C 6F 75 3D 67 72 6F 75 70 73 2C 64 63 3D 62 6F ,ou=groups,dc=bo
72 6B 68 6F 6C 64 65 72 2C 64 63 3D 63 6F 6D 0A rkholder,dc=com.
01 00 0A 01 02 02 01 00 02 01 00 01 01 00 A0 13 ................
A3 11 04 09 6D 65 6D 62 65 72 55 69 64 04 04 72 ....memberUid..r
6F 6F 74 30 00 __ __ __ __ __ __ __ __ __ __ __ oot0.

0000   83: SEQUENCE {
0002    1:   INTEGER = 4
0005   78:   [APPLICATION 3] {
0007   38:     STRING = 'cn=engr,ou=groups,dc=borkholder,dc=com'
002F    1:     ENUM = 0
0032    1:     ENUM = 2
0035    1:     INTEGER = 0
0038    1:     INTEGER = 0
003B    1:     BOOLEAN = FALSE
003E   19:     [CONTEXT 0] {
0040   17:       [CONTEXT 3] {
0042    9:         STRING = 'memberUid'
004D    4:         STRING = 'root'
0053     :       }
0053     :     }
0053    0:     SEQUENCE {
0055     :     }
0055     :   }
0055     : }

Net::LDAP=HASH(0x84b2b48) received:

30 0C 02 01 04 65 07 0A 01 00 04 00 04 00 __ __ 0....e........

0000   12: SEQUENCE {
0002    1:   INTEGER = 4
0005    7:   [APPLICATION 5] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }

User root is not in the group engr!

Net::LDAP=HASH(0x84b2b48) sending:

30 05 02 01 05 42 00 __ __ __ __ __ __ __ __ __ 0....B.

0000    5: SEQUENCE {
0002    1:   INTEGER = 5
0005    0:   [APPLICATION 2]
0007     : }

And the interesting thing is that if I do add root as a member of the group, net rpc group list works correctly:

oink:/home # net rpc group members engr
Password:
CORP1\pat
CORP1\chuck
CORP1\jeremy
CORP1\jerry
CORP1\paul
CORP1\roger
CORP1\todd
CORP1\root

Take root back out, and I am back to:

oink:/home # net rpc group members engr
Password:
CORP1\root

It looks to me like root needs to be a member of every single group for these tools to work correctly. That's really bizarre to me. I await the wisdom of the Samba Gurus.

Misty

On Tuesday 12 October 2004 17:04, Misty Stanley-Jones wrote:
> I am using Samba PDC with OpenLDAP2 and smbldap-tools. As part of my
> logon.bat, I call a script called ifmember.exe. This script can list out
> the groups a user is a member of. It is reporting that my root user is a
> member of the group 'engr.' I don't know if this is a bug with
> ifmember.exe or if it's an issue in Samba or in LDAP. Here is some
> relevant data:
>
> oink:/etc/smbldap-tools # smbldap-groupshow engr
> dn: cn=engr,ou=groups,dc=borkholder,dc=com
> cn: engr
> gidNumber: 1001
> memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
> objectClass: top,posixGroup,sambaGroupMapping
> sambaGroupType: 2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
>
> oink:/usr/local/sbin # ./smbldap-usershow root
> dn: cn=root,ou=people,dc=borkholder,dc=com
> objectClass: account,posixAccount,top,sambaSamAccount
> cn: root
> uid: root
> uidNumber: 0
> gidNumber: 0
> loginShell: /bin/bash
> homeDirectory: /root
> displayName: root
> sambaPwdCanChange: 1095966471
> sambaPwdMustChange: 2147483647
> sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
> sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1095966471
> sambaAcctFlags: [U ]
> userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
> sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512
>
> oink:/usr/local/sbin # net groupmap list
> acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
> truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
> hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
> furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
> dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
> Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins
> Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users
> Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) -> Domain Guests
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) -> Workgroup Computers
> Administrators (S-1-5-32-544) -> Administrators
> acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
> receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -> receptionist
> engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr
>
> Is there anywhere else I can look to see why this command thinks I'm a
> member of the engr group? I'm using nss_ldap on the server for
> authentication as well.
>
> Misty
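
Added example, not part of the original message or of smbldap-tools: a minimal BER reader run over the message ID 4 request and response bytes from the Net::LDAP trace above. It shows that the tool searched the engr entry itself with the filter memberUid=root and received only a SearchResultDone; the function and constant names are this example's own.

```python
# Added example: minimal definite-length BER reader for LDAP messages.
# The bytes are copied from the Net::LDAP debug output in the message (ID 4).
SEARCH_REQ = bytes.fromhex(
    "30 53 02 01 04 63 4E 04 26 63 6E 3D 65 6E 67 72 "
    "2C 6F 75 3D 67 72 6F 75 70 73 2C 64 63 3D 62 6F "
    "72 6B 68 6F 6C 64 65 72 2C 64 63 3D 63 6F 6D 0A "
    "01 00 0A 01 02 02 01 00 02 01 00 01 01 00 A0 13 "
    "A3 11 04 09 6D 65 6D 62 65 72 55 69 64 04 04 72 "
    "6F 6F 74 30 00")
SEARCH_DONE = bytes.fromhex("30 0C 02 01 04 65 07 0A 01 00 04 00 04 00")
SCOPES = {0: "base", 1: "one", 2: "sub"}

def tlvs(buf):
    """Yield (tag, value) for each single-byte-tag BER element in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated BER header")
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                  # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if i + length > len(buf):
            raise ValueError("truncated BER element")
        yield tag, buf[i:i + length]
        i += length

def filter_str(tag, val):
    """Render the filter choices seen here: and [0], or [1], equalityMatch [3]."""
    if tag in (0xA0, 0xA1):                # SET OF Filter
        return "(%s%s)" % ("&|"[tag & 1], "".join(filter_str(t, v) for t, v in tlvs(val)))
    if tag == 0xA3:                        # attributeDesc, assertionValue
        (_, attr), (_, value) = tlvs(val)
        return "(%s=%s)" % (attr.decode(), value.decode())
    raise ValueError("filter choice 0x%02X not handled in this example" % tag)

def parse_ldap(buf):
    """Decode one LDAPMessage: SearchRequest (0x63) or SearchResultDone (0x65)."""
    (_, msg), = tlvs(buf)                  # outer SEQUENCE
    (_, mid), (op, body) = list(tlvs(msg))[:2]
    out = {"id": int.from_bytes(mid, "big"), "op": op}
    f = list(tlvs(body))
    if op == 0x63:                         # base, scope, deref, size, time, typesOnly, filter, attrs
        out.update(base=f[0][1].decode(), scope=SCOPES[f[1][1][0]],
                   filter=filter_str(*f[6]), attrs=[v.decode() for _, v in tlvs(f[7][1])])
    elif op == 0x65:                       # resultCode, matchedDN, diagnosticMessage
        out.update(result=f[0][1][0])
    return out

if __name__ == "__main__":
    print(parse_ldap(SEARCH_REQ))
    print(parse_ldap(SEARCH_DONE))
```

No [APPLICATION 4] SearchResultEntry appears between this request and the result code 0 reply in the trace, so the directory entry for engr did not match memberUid=root.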