Re: [Samba] Re: Supplementary Group Issues
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dmitry Monakhov wrote: I have the same problem using samba 3.0.2a SUN Solaris-9 SUN One Directory Server 5.2 Supplementary groups are recognized quite correct under unix shell environment, but samba can recognize them only from /etc/group file ignoring content of /etc/nsswithch.conf Is it bug or samba-3.* feature? What are the clients you use ? If Win9X, there was a bug in Samba3 before 3.0.1rc? where groups where compared in uppercase to the posix ones (mostly lowercase). It has been corrected in latests Samba 3.0.2 and 3.0.2a. I'm using Samba 3.0.2a win2K clients. All secondary groups are in LDAP and groupmapped i.e. Each secondary group has ... objectClass: sambaGroupMapping sambaSID: S-1-5-21-... ... The point is the secondary groups are not even requested during login process according to the LDAP server log-file. See bug 395 in bugzilla.samba.org and see if that applies to you. cheers, jerry -- Hewlett-Packard- http://www.hp.com SAMBA Team -- http://www.samba.org GnuPG Key http://www.plainjoe.org/gpg_public.asc If we're adding to the noise, turn off this song --Switchfoot (2003) -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFARjCnIR7qMdg1EfYRAs+RAKChZ3L6kfMDSwFATol0bW440JmgQwCgwp+9 WgU59T0Sb949bcltnvVfNLI= =0z9u -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Supplementary Group Issues
Hi Dmitry, hi Jerome, as I am having the same problem with native Sun nss_client, I'd like to jump here in the thread. Last thing, I remember having seen some problems with Solaris 9 nss_ldap client due to Sun patches on the list this or last month. The bug seems to be from Sun's fault. it was me Ok. I knew it. So, I'm using nss_ldap-211 from padl.com and it is definitely working good within Unix framework (id -a, ls -l... show right information). However according to the LDAP SERVER log file samba even do not request for supplementary groups. By the way samba log file level 10 I sent you also do not show any requests to LDAP for supplementary groups. This behaviour is identical to my experiences with native Solaris 9 nss_ldap. In my understanding, Samba requests supplementary group information from Solaris, and Solaris has to request this information from the LDAP server (after checking nsswitch.conf). If you have a working und a non-working system, the difference can be seen easily in the LDAP server logs. Note that /etc/group works. We bypass this problem for the first time by using Patch-ID 112960-03. BTW, Patch-ID 112960-11 (Feb/23/2004) doesn't help either. http://marc.theaimsgroup.com/?l=sambam=107636136823095w=2 and bug 395 (https://bugzilla.samba.org/show_bug.cgi?id=395). Please test the program in comment #19 and report. I would also be willing to test and report, but the program doesn't compile in Solaris. AFAIR the program was written for Linux. Anyway, Solaris doesn't provide getgrouplist(). Can anybody provide me with workarounds or hints? Cheers, Reinhard -- Reinhard Sojka [EMAIL PROTECTED] System- Networkadmin Parlamentsdirektion +43 1 40110 2824 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Supplementary Group Issues
Hi, All! I was using nss_ldap from PADL Software compiled with ldap_sdk 5.08. So, as a result samba did not recognize supplementary group. However when I put down nscd server samba become unable to recognize both groups and users from LDAP. That means nss_ldap did not work from samba completely. The same nss_ldap compiled with openldap library work perfectly correct, and samba can recognize both users, group and supplementary group as well. So, the problem was nss_ldap(ldap_sdk 5.08) which worked in unix shell but not within samba. Sojka Reinhard wrote: Hi Dmitry, hi Jerome, as I am having the same problem with native Sun nss_client, I'd like to jump here in the thread. Last thing, I remember having seen some problems with Solaris 9 nss_ldap client due to Sun patches on the list this or last month. The bug seems to be from Sun's fault. it was me Ok. I knew it. So, I'm using nss_ldap-211 from padl.com and it is definitely working good within Unix framework (id -a, ls -l... show right information). However according to the LDAP SERVER log file samba even do not request for supplementary groups. By the way samba log file level 10 I sent you also do not show any requests to LDAP for supplementary groups. This behaviour is identical to my experiences with native Solaris 9 nss_ldap. In my understanding, Samba requests supplementary group information from Solaris, and Solaris has to request this information from the LDAP server (after checking nsswitch.conf). If you have a working und a non-working system, the difference can be seen easily in the LDAP server logs. Note that /etc/group works. We bypass this problem for the first time by using Patch-ID 112960-03. BTW, Patch-ID 112960-11 (Feb/23/2004) doesn't help either. http://marc.theaimsgroup.com/?l=sambam=107636136823095w=2 and bug 395 (https://bugzilla.samba.org/show_bug.cgi?id=395). Please test the program in comment #19 and report. I would also be willing to test and report, but the program doesn't compile in Solaris. AFAIR the program was written for Linux. Anyway, Solaris doesn't provide getgrouplist(). Can anybody provide me with workarounds or hints? Cheers, Reinhard -- Dmitry Monakhov System Administrator Open Technologies, tel: +7(095)787-7027 e-mail: [EMAIL PROTECTED], http://www.ot.ru/ -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Supplementary Group Issues
Dmitry Monakhov wrote: Hi, All I was wondering if any one else is having issues with supplementary groups not being recognized. It seems as if Samba is ignoring the sup.groups. I'm using RH9.0 on Intel with samba-3.0.0-2_rh9 and OpenLDAP 2.0.27. When I do a id -a username the user is in all the necessary groups but when accessing shares the users' primary GID is used only. I have the same problem using samba 3.0.2a SUN Solaris-9 SUN One Directory Server 5.2 Supplementary groups are recognized quite correct under unix shell environment, but samba can recognize them only from /etc/group file ignoring content of /etc/nsswithch.conf Is it bug or samba-3.* feature? What are the clients you use ? If Win9X, there was a bug in Samba3 before 3.0.1rc? where groups where compared in uppercase to the posix ones (mostly lowercase). It has been corrected in latests Samba 3.0.2 and 3.0.2a. Also, remember that all the secondary groups you need to see in Samba have to be defined in LDAP, and groupmapped. Regards, Jérôme -- Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre Groupe Expert Managed Services - LogicaCMG France http://www.logicacmg.com/fr/ - mailto:jerome.fenal AT logicacmg.com -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Supplementary Group Issues
I have the same problem using samba 3.0.2a SUN Solaris-9 SUN One Directory Server 5.2 Supplementary groups are recognized quite correct under unix shell environment, but samba can recognize them only from /etc/group file ignoring content of /etc/nsswithch.conf Is it bug or samba-3.* feature? What are the clients you use ? If Win9X, there was a bug in Samba3 before 3.0.1rc? where groups where compared in uppercase to the posix ones (mostly lowercase). It has been corrected in latests Samba 3.0.2 and 3.0.2a. I'm using Samba 3.0.2a win2K clients. All secondary groups are in LDAP and groupmapped i.e. Each secondary group has ... objectClass: sambaGroupMapping sambaSID: S-1-5-21-... ... The point is the secondary groups are not even requested during login process according to the LDAP server log-file. Also, remember that all the secondary groups you need to see in Samba have to be defined in LDAP, and groupmapped. Regards, Jérôme -- Dmitry Monakhov System Administrator Open Technologies, tel: +7(095)787-7027 e-mail: [EMAIL PROTECTED], http://www.ot.ru/ -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Supplementary Group Issues
Dmitry Monakhov wrote: I have the same problem using samba 3.0.2a SUN Solaris-9 SUN One Directory Server 5.2 Supplementary groups are recognized quite correct under unix shell environment, but samba can recognize them only from /etc/group file ignoring content of /etc/nsswithch.conf Is it bug or samba-3.* feature? What are the clients you use ? If Win9X, there was a bug in Samba3 before 3.0.1rc? where groups where compared in uppercase to the posix ones (mostly lowercase). It has been corrected in latests Samba 3.0.2 and 3.0.2a. I'm using Samba 3.0.2a win2K clients. All secondary groups are in LDAP and groupmapped i.e. Each secondary group has ... objectClass: sambaGroupMapping sambaSID: S-1-5-21-... ... Do you have a level 10 log at hand with the login sequence ? You should also send yous smb.conf, it would help. Regards, J. -- Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre Groupe Expert Managed Services - LogicaCMG France http://www.logicacmg.com/fr/ - mailto:jerome.fenal AT logicacmg.com -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Re: Supplementary Group Issues
-Original Message- From: Dmitry Monakhov To: Jérôme Fenal Cc: [EMAIL PROTECTED] Sent: 2/24/2004 3:43 PM Subject: Re: [Samba] Re: Supplementary Group Issues Test user login name is ssi The output of id -a ssi command is uid=225(ssi) gid=1(other) groups=112(support),1000(users) Nevertheless samba has found only 1 group (gid=1) Ok, I don't see anything beside the following : Define the right suffixes and ous (should be PeopleGroup in Solaris 9) : ldap suffix = o=ot.ru,o=ot ldap user suffix = ou=People ldap group suffix = ou=Group Try to remove : ldap filter = ((uid=%u)(objectclass=sambaSamAccount)) to get the default : (uid=%u) Also double check that the SID for your groups are derived from the domain's one Last thing, I remember having seen some problems with Solaris 9 nss_ldap client due to Sun patches on the list this or last month. The bug seems to be from Sun's fault. See : http://marc.theaimsgroup.com/?l=sambam=107636136823095w=2 and bug 395 (https://bugzilla.samba.org/show_bug.cgi?id=395). Please test the program in comment #19 and report. Regards, J. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Supplementary Group Issues
Fenal, Jérôme wrote: Test user login name is ssi The output of id -a ssi command is uid=225(ssi) gid=1(other) groups=112(support),1000(users) Nevertheless samba has found only 1 group (gid=1) Ok, I don't see anything beside the following : Define the right suffixes and ous (should be PeopleGroup in Solaris 9) : ldap suffix = o=ot.ru,o=ot ldap user suffix = ou=People ldap group suffix = ou=Group Try to remove : ldap filter = ((uid=%u)(objectclass=sambaSamAccount)) to get the default : (uid=%u) I've tested the settings above without any success. Also double check that the SID for your groups are derived from the domain's one I'm not sure I understand you right. I'm using the simplest configuration without domain but workgroup only with the only server - master browser. Just for the case I've mapped all group with type 2 (domane group) Last thing, I remember having seen some problems with Solaris 9 nss_ldap client due to Sun patches on the list this or last month. The bug seems to be from Sun's fault. See : Ok. I knew it. So, I'm using nss_ldap-211 from padl.com and it is definitely working good within Unix framework (id -a, ls -l... show right information). However according to the LDAP SERVER log file samba even do not request for supplementary groups. By the way samba log file level 10 I sent you also do not show any requests to LDAP for supplementary groups. http://marc.theaimsgroup.com/?l=sambam=107636136823095w=2 and bug 395 (https://bugzilla.samba.org/show_bug.cgi?id=395). Please test the program in comment #19 and report. Regards, J. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. -- Dmitry Monakhov System Administrator Open Technologies, tel: +7(095)787-7027 e-mail: [EMAIL PROTECTED], http://www.ot.ru/ -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba