Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-29 Thread Kris Lou
ldap.conf/nsswitch.conf/ldap.secrets all exist.

Something might be wrong with the set up on the PDC side - when I run "net
groupmap list" , all of my mappings correctly show up.  But when I run a
"net rpc group list" on the PDC, only 2 groups (most recently created) are
displayed.

Kris Lou
k...@themusiclink.net


On Fri, Jan 29, 2010 at 2:20 PM, Rob Shinn wrote:

> Kris Lou wrote:
>
>> PDC Results:
>> SID for local machine KIF is: S-1-5-21-1297059763-2273326489-166094
>> SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377
>>
>> Openfiler Results:
>> SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
>> SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377
>>
>> As you can see, the domain SIDs match.
>>
>> Also, here's the global portion of the Openfiler smb.conf and an example
>> share (portions edited). About this - I can obviously edit the smb.conf, but
>> it gets overwritten by the Openfiler gui whenever changes are made.  Looking
>> at the file, I'm not understanding where the group security settings are
>> being placed.  It looks like Openfiler runs with Samba 3.2.13
>>
>
> Is nss-ldap installed on the Openfiler?  If so, is it pointing to the LDAP
> server on the Samba+LDAP machine?
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-25 Thread Kris Lou
PDC Results:
SID for local machine KIF is: S-1-5-21-1297059763-2273326489-166094
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

Openfiler Results:
SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

As you can see, the domain SIDs match.

Also, here's the global portion of the Openfiler smb.conf and an example
share (portions edited). About this - I can obviously edit the smb.conf, but
it gets overwritten by the Openfiler gui whenever changes are made.  Looking
at the file, I'm not understanding where the group security settings are
being placed.  It looks like Openfiler runs with Samba 3.2.13

# Global settings
[global]

workgroup = MLC
server string = Openfiler NAS
netbios name = VADER
wins server = pdc.ip.add.ress  //edited
password server = pdc.ip.add.ress   //edited
realm =
; interfaces = 192.168.12.2/24 192.168.13.2/24
; remote announce = 92.168.1.255 192.168.2.44
; domain logons = yes
log file = /var/log/samba/%m.log
max log size = 0
; hosts deny = all
map to guest = Bad User
guest account = ofguest
display charset = LOCALE
unix charset = UTF-8
dos charset = CP850
ldap ssl = no
ldap admin dn =  //edited
ldap suffix =  //edited
encrypt passwords = yes
security = user
passdb backend = ldapsam:ldap://pdc.ip.add.ress  //edited
ldap user suffix = ou=People
ldap group suffix = ou=Group
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
; username map = /etc/samba/smbusers
obey pam restrictions = yes
load printers = no
domain master = no
local master = no
preferred master = no
os level = 0

[Purchasing]
comment = Purchasing Share
path = /mnt/fileshare/Purchasing/Purchasing
read only = no
writeable = yes
oplocks = yes
level2 oplocks = yes
force security mode = 0
dos filemode = yes
dos filetime resolution = yes
dos filetimes = yes
fake directory create times = yes
browseable = yes
csc policy = manual
share modes = yes
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
veto files = /*:Zone.Identifier:*/
create mode = 0770
directory mode = 2770
printable = no
guest ok = no
hosts allow =  23.23.23.0/24
hosts readonly allow =
store dos attributes = yes
map acl inherit = yes
vfs objects = shadow_copy




Kris Lou
k...@themusiclink.net


On Sat, Jan 23, 2010 at 3:34 PM, Rob Shinn wrote:

>  What does your 'net getdomainsid' or 'net getlocalsid' output look like?
>
>
> Kris Lou wrote:
>
> Hi Rob,
>
> Thanks for the quick reply - Here it is (mostly with some cut and paste).
>
> CentOS 5.4
> Samba  3.2.15
>
> dn: cn=Domain Admins,ou=Group,dc=themusiclink,dc=net
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-957249707-1866601452-441284377-512
> sambaGroupType: 2
> displayName: Domain Admins
> structuralObjectClass: posixGroup
> entryUUID: 1a60146c-cfad-102d-96b0-6fd9fc452718
> creatorsName: cn=Manager,dc=themusiclink,dc=net
> createTimestamp: 20090507234700Z
> gidNumber: 512
> cn: Domain Admins
> userPassword:: e2NyeXB0fXg=
> objectClass: posixGroup
> objectClass: top
> objectClass: sambaGroupMapping
> memberUid:
> memberUid:
> memberUid:
> entryCSN: 20091028001757Z#01#00#00
> modifiersName: cn=Manager,dc=themusiclink,dc=net
> modifyTimestamp: 20091028001757Z
>
> dn: cn=Domain Users,ou=Group,dc=themusiclink,dc=net
> description: Netbios Domain Users
> sambaSID: S-1-5-21-957249707-1866601452-441284377-513
> sambaGroupType: 2
> displayName: Domain Users
> structuralObjectClass: posixGroup
> entryUUID: 1a7ebb60-cfad-102d-96b1-6fd9fc452718
> creatorsName: cn=Manager,dc=themusiclink,dc=net
> createTimestamp: 20090507234700Z
> gidNumber: 513
> cn: Domain Users
> userPassword:: e2NyeXB0fXg=
> objectClass: posixGroup
> objectClass: top
> objectClass: sambaGroupMapping
> memberUid:
> memberUid:
> entryCSN: 20091215225639Z#01#00#00
> modifiersName: cn=Manager,dc=themusiclink,dc=net
> modifyTimestamp: 20091215225639Z
>
> dn: cn=Domain Guests,ou=Group,dc=themusiclink,dc=net
> description: Netbios Domain Guests Users
> sambaSID: S-1-5-21-957249707-1866601452-441284377-514
> sambaGroupType: 2
> displayName: Domain Guests
> structuralObjectClass: posixGroup
> entryUUID: 1a845502-cfad-102d-96b2-6fd9fc452718
> creatorsName: cn=Manager,dc=themusiclink,dc=net
> createTimestamp: 20090507234700Z
> objectClass: posixGroup
> objectClass: to

Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-18 Thread Kris Lou


Kris Lou
k...@themusiclink.net



On Mon, Jan 18, 2010 at 2:06 PM, Rob Shinn wrote:
> Kris Lou wrote:
>>
>> I've checked my ldif's - the groups exist, the users exist as
>> memberids, but it looks like

[Samba] Samba+LDAP + Primary GIDs

2010-01-18 Thread Kris Lou
Hi List,

This may be more of an LDAP question than a Samba question - if so, let me know!

I have an implementation of samba + openldap, and am using that server as
an external ldap server for an Openfiler install.  I've run into
problems with user authentication (WinXP) where either samba or ldap
is only recognizing the user's gid - which as I understand it is the
Primary Group.  However, authentication against any secondary group is
denied.  I've checked the samba logs, and as far as I can tell, uid's
and gid's (primary) are getting passed and authenticated - but no
mention of checking the 2ndary groups.

I've checked my ldif's - the groups exist, the users exist as
memberids, but it looks like samba is only checking the gid?

Is this something that anybody else has seen?

Thanks,

Kris
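
One way to check the directory data this post describes, as an added example that is not code from the thread: it parses an LDIF export, resolves a user's primary group from gidNumber and secondary groups from memberUid, and lists posixGroup entries with no sambaSID under the domain SID. The domain SID is the one quoted in the thread; the user jdoe, the Purchasing group and its SID are constructed assumptions.

```python
DOMAIN_SID = "S-1-5-21-957249707-1866601452-441284377"  # domain MLC, quoted in the thread
# Constructed, abbreviated sample: jdoe and Purchasing are hypothetical; Purchasing's SID is outside the domain.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=themusiclink,dc=net
uid: jdoe
gidNumber: 513

dn: cn=Domain Users,ou=Group,dc=themusiclink,dc=net
objectClass: posixGroup
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-957249707-1866601452-441284377-513

dn: cn=Purchasing,ou=Group,dc=themusiclink,dc=net
objectClass: posixGroup
cn: Purchasing
gidNumber: 1001
memberUid: jdoe
sambaSID: S-1-5-21-1111111111-2222222222-
 3333333333-3003
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; folded lines are unfolded first."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if e]

def groups_for(uid, entries):
    """Return (primary, secondary) group names for uid from gidNumber and memberUid."""
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    user = next(e for e in entries if uid in e.get("uid", []))
    primary = [g["cn"][0] for g in groups if g["gidNumber"] == user["gidNumber"]]
    secondary = [g["cn"][0] for g in groups if uid in g.get("memberUid", [])]
    return primary, secondary

def unmapped_or_foreign_groups(entries, domain_sid=DOMAIN_SID):
    """posixGroup names with no sambaSID under domain_sid (missing or foreign mapping)."""
    return [e["cn"][0] for e in entries if "posixGroup" in e.get("objectClass", [])
            and not e.get("sambaSID", [""])[0].startswith(domain_sid + "-")]

if __name__ == "__main__":
    print(groups_for("jdoe", parse_ldif(SAMPLE_LDIF)))
```

This only inspects the directory entries; it does not show which groups the file server itself resolves for the user at logon.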


[Samba] MS SQL Server 2005 with Windows Authentication via Samba+LDAP PDC

2009-05-12 Thread Kris Lou

Hi

I'm relatively new to Samba, and now I'm trying to migrate our PDC
from tdbsam to ldap.  On my test systems, users can authenticate
and log in to their XP machines, but logging into our ERP system (MS
SQL 2005 backend) fails with

"not associated with a trusted sql server connection"

Has anybody else seen this?  Here's my smb.conf - it's pretty textbook.

[global]
unix charset = LOCALE
workgroup = mydomain
netbios name = server
server string = PDC

passdb backend = ldapsam:ldap://mydomain
enable privileges = yes
username map = /etc/samba/smbusers
security = user

# Password options (testing)
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *retype*new*password* %n\n *all*authentication*tokens*updated*

obey pam restrictions = no

log level = 1
syslog = 0
log file = /var/log/samba/%m

smb ports = 139 445
name resolve order = wins bcast hosts

printcap name = CUPS
show add printer wizard = no

add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"

logon script =
logon path =

domain logons = yes
preferred master = yes
wins support = yes
domain master = yes
local master = yes
os level = 99

ldap suffix = dc=mydomain,dc=net
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=mydomain,dc=net
idmap backend = ldap:ldap://server.mydomain.net
idmap uid = 1-2
idmap gid = 1-2
map acl inherit = yes

printing = cups


CentOS 5.3
Samba 3.2.8

Thanks