[Samba] Samba groups membership
Hi all:

I was running Samba 3.0.x (from CentOS 5 repository) integrated with OpenLDAP as a complete PDC solution that worked fine for several months. As we needed to join Win7 computers to the domain I upgraded to Samba 3.5.3, keeping my Samba configuration the same. We found that after this upgrade the root account of the domain wasn't able to access C$, D$ or other administrative resources of Windows machines.

After looking for a solution I found some issues that I'm not really sure if they appeared as a consequence of the upgrade. I found this:

# net groupmap list

returns this:

users (S-1-5-21-895592719-3520082440-1574223224-2001) -> jpp
Account Operators (S-1-5-32-548) -> Account Operators
Administrators (S-1-5-32-544) -> Administrators
Backup Operators (S-1-5-32-551) -> Backup Operators
Domain Admins (S-1-5-21-895592719-3520082440-1574223224-512) -> Domain Admins

... among other groups

# smbldap-groupshow "Domain Admins"

... returns this:

dn: cn=Domain Admins,ou=groups,dc=mintra,dc=gob,dc=pe
cn: Domain Admins
gidNumber: 512
description: Netbios Domain Administrators
displayName: Domain Admins
objectClass: posixGroup,sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-895592719-3520082440-1574223224-512
memberUid: mescalante,jhuarancca,kaguilar,olmontero,ycabezas,arojas,secretaria_tecnica,graymundo,dpenadillo,jbarreda,lquevedo,hurquizo,mnicho,root

... so I can see that root is a member of this "Domain Admins" group, but...

# net rpc group members "Domain Admins"

... returns nothing! The same happens when querying other Samba groups. I don't know why this command doesn't return the list of members of this group.

Well, I just tried to add a user manually:

# net rpc group addmem "Domain Admins" someuser -U root

and it returned this:

Could not add someuser to Domain Admins: NT_STATUS_ACCESS_DENIED

Does anybody know why I can't add a user to the group? Why isn't the Samba net utility showing the list of members of my groups?

I know that the "Domain Admins" group determines who can take control of machines joined to the Domain, but after the upgrade to Samba 3.5.x the list of members isn't working correctly. I would appreciate some help regarding this. I don't know if I need to add some extra configuration to smb.conf. I hope someone can help me.

Thanks

P.S.: Sorry, my English isn't too good

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
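The comparison made by hand in the post above (the group mapping, the group's LDAP entry, and the member list returned over RPC) can be scripted when auditing a privileged group such as Domain Admins. This is an added example, not part of the original post or of Samba; the function names, the domain SID and the sample outputs are constructed, and it assumes the three output formats shown in the post.

```python
import re

# Well-known domain-relative RIDs.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

# One `net groupmap list` line: NT name (SID) -> Unix group
GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """Parse `net groupmap list` output into {sid: (nt_name, unix_group)}."""
    mappings = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            mappings[m["sid"]] = (m["nt"], m["unix"])
    return mappings


def parse_group_entry(text):
    """Parse one group entry as printed by smbldap-groupshow or ldapsearch.

    memberUid may be one comma-joined line or several repeated lines;
    both forms are handled.
    """
    entry = {"memberUid": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "memberUid":
            entry["memberUid"] += [u.strip() for u in value.split(",") if u.strip()]
        else:
            entry.setdefault(key, value)
    return entry


def parse_rpc_members(text):
    """Parse `net rpc group members` output (one DOMAIN\\user per line)."""
    return {ln.strip().split("\\")[-1] for ln in text.splitlines() if ln.strip()}


def audit_group(groupmap_text, entry_text, rpc_text, domain_sid):
    """Return a list of findings for one group; an empty list means consistent."""
    findings = []
    mappings = parse_groupmap(groupmap_text)
    entry = parse_group_entry(entry_text)
    name = entry.get("cn", "?")
    sid = entry.get("sambaSID", "")

    if sid not in mappings:
        findings.append(f"{name}: sambaSID {sid} has no group mapping")
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        findings.append(f"{name}: sambaSID {sid} is not under domain SID {domain_sid}")
    elif rid.isdigit() and WELL_KNOWN_RIDS.get(int(rid), name) != name:
        findings.append(f"{name}: RID {rid} is reserved for {WELL_KNOWN_RIDS[int(rid)]}")

    ldap_members = set(entry["memberUid"])
    rpc_members = parse_rpc_members(rpc_text)
    for user in sorted(ldap_members - rpc_members):
        findings.append(f"{name}: {user} is in LDAP memberUid but was not returned over RPC")
    for user in sorted(rpc_members - ldap_members):
        findings.append(f"{name}: {user} was returned over RPC but is not in LDAP memberUid")
    return findings


# Constructed sample data in the formats shown in the post.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUPMAP = f"""\
Domain Admins ({DOMAIN_SID}-512) -> Domain Admins
Administrators (S-1-5-32-544) -> Administrators
"""
SAMPLE_ENTRY = f"""\
dn: cn=Domain Admins,ou=groups,dc=example,dc=org
cn: Domain Admins
gidNumber: 512
objectClass: posixGroup,sambaGroupMapping
sambaGroupType: 2
sambaSID: {DOMAIN_SID}-512
memberUid: alice,bob,root
"""
SAMPLE_RPC_EMPTY = ""  # the symptom in the post: RPC returns no members
SAMPLE_RPC_EXTRA = "EXAMPLE\\alice\nEXAMPLE\\bob\nEXAMPLE\\root\nEXAMPLE\\mallory\n"

if __name__ == "__main__":
    for rpc in (SAMPLE_RPC_EMPTY, SAMPLE_RPC_EXTRA):
        for finding in audit_group(SAMPLE_GROUPMAP, SAMPLE_ENTRY, rpc, DOMAIN_SID):
            print(finding)
```

An empty RPC member list against a populated memberUid, as in the post, shows up as one finding per missing user, which separates a directory problem from a problem in what Samba serves to clients.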
Re: [Samba] Samba Groups questions
Short answer, yes. You should/do get all the groups listed with ifmember /list but get different results with the Solaris nsswitch.conf than padl's nsswitch.conf. I have it working, through changing only this one library.

There may of course have been problems with my ldap_client_file that didn't show up at the OS level but scuppered what samba was asking for. Didn't see any error messages though.

Cheers.

--
The University of St Andrews is a charity registered in Scotland : No SC013532
[Samba] Samba Groups questions
Hi,

When Samba is running as a PDC and a workstation is joined to the Domain, should the user logged into the workstation be able to see all the groups they are a member of using `ifmember /list`? Is the below output as expected?

Am I correct thinking that as all my groups originate in the Unix world, I don't need winbind to allow the Workstations to see them?

For what it's worth, Solaris 10 (Sparc) Samba 3.2.1 and OpenLDAP, everything bar the Samba version should be irrelevant as it's hidden behind nsswitch and passdb backend? It's a clean OS / Ldap install with the smbldap tools used to populate the directory and create the user, then 'net rpc' used to create groups and add members.

Thanks,
Duncan

- On the PDC

/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk

/usr/local/samba/bin/net groupmap list
Domain Admins (S-1-5-21-440367617-1876916578-3462541782-512) -> Domain Admins
Domain Users (S-1-5-21-440367617-1876916578-3462541782-513) -> Domain Users
Domain Guests (S-1-5-21-440367617-1876916578-3462541782-514) -> Domain Guests
Domain Computers (S-1-5-21-440367617-1876916578-3462541782-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
room11 (S-1-5-21-440367617-1876916578-3462541782-3003) -> room11
room9 (S-1-5-21-440367617-1876916578-3462541782-3005) -> room9

getent group
...
room11::1001:dunk

getent passwd
...
dunk:x:1000:512:System User:/home/dunk:/bin/bash

- On the workstation

net group /domain room11
returns dunk as a member

net group /domain
returns a list of all the groups mapped on the pdc that start S-1-5-21-

ifmember /list
returns the primary group
CROOMTEST\Domain Admins
\Everyone
BUILTIN\Administrators
BUILTIN\Users
\Local
NT Authority\INTERACTIVE
NT Authority\Authneticated Users
Re: [Samba] Samba Groups Vanished
Diarmuid Bourke wrote:
> Please find the attachment log from when we did a
> group list with debug mode. Note "(sambaSID=S-1-5-32*)"
> is of interest. If we remove that and do

You read the changes in the 3.0.23 release notes right?

LDAP Changes

There has also been a minor update the Samba LDAP schema file. A substring matching rule has been added to the sambaSID attribute definition. For OpenLDAP servers, this will require the addition of 'index sambaSID sub' to the slapd.conf configuration file. It will be necessary to run slapindex after making this change. There has been no change to actual data storage schema.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Samba Groups Vanished
Felipe Augusto van de Wiel wrote:
> On 08/31/2006 07:05 AM, Diarmuid Bourke wrote:
> On 08/28/2006 09:49 AM, Diarmuid Bourke wrote:
> [...]
>> Our Samba Groups appear to have vanished.
>>
>> I've verified this by trying, "net group /domain" in windows and it
>> returns no results. Trying "net rpc group -S nuada" on our master server
>> returns nothing either.
>> "net rpc info" on both our master and backup return
>>
>> Domain Name: DIAS
>> Domain SID: S-1-5-21-463069746-3761697030-3888642000
>> Sequence number: 1156762378
>> Num users: 63
>> Num domain groups: 0
>> Num local groups: 0
> Try to improve the debuglevel (-d) when using net, it could
> reveal some nice information to help you out (and also help the
> rest of us to help you). :-)
>>> Here's the output of "net rpc group list -d3 -S nuada"
>>> using debug
>>>
>>> and for "net rpc info -d3 -S nuada"
Re: [Samba] Samba Groups Vanished
On 08/31/2006 07:05 AM, Diarmuid Bourke wrote:
>>> On 08/28/2006 09:49 AM, Diarmuid Bourke wrote:
[...]
Our Samba Groups appear to have vanished.

I've verified this by trying, "net group /domain" in windows and it returns no results. Trying "net rpc group -S nuada" on our master server returns nothing either.
"net rpc info" on both our master and backup return

Domain Name: DIAS
Domain SID: S-1-5-21-463069746-3761697030-3888642000
Sequence number: 1156762378
Num users: 63
Num domain groups: 0
Num local groups: 0
>>>
>>> Try to improve the debuglevel (-d) when using net, it could
>>> reveal some nice information to help you out (and also help the
>>> rest of us to help you). :-)
>
> Here's the output of "net rpc group list -d3 -S nuada"
> using debug
>
> and for "net rpc info -d3 -S nuada"
Re: [Samba] Samba Groups Vanished
> On 08/28/2006 09:49 AM, Diarmuid Bourke wrote:
> > Hi,
> > Our Samba Groups appear to have vanished.
> >
> > I've verified this by trying, "net group /domain" in windows and it
> > returns no results. Trying "net rpc group -S nuada" on our master server
> > returns nothing either.
> > "net rpc info" on both our master and backup return
> >
> > Domain Name: DIAS
> > Domain SID: S-1-5-21-463069746-3761697030-3888642000
> > Sequence number: 1156762378
> > Num users: 63
> > Num domain groups: 0
> > Num local groups: 0
> Try to improve the debuglevel (-d) when using net, it could
> reveal some nice information to help you out (and also help the
> rest of us to help you). :-)

Here's the output of "net rpc group list -d3 -S nuada" using debug

[2006/08/31 10:26:57, 3] param/loadparm.c:lp_load(4207)
  lp_load: refreshing parameters
[2006/08/31 10:26:57, 3] param/loadparm.c:init_globals(1393)
  Initialising global parameters
[2006/08/31 10:26:57, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/08/31 10:26:57, 3] param/loadparm.c:do_section(3662)
  Processing section "[global]"
[2006/08/31 10:26:57, 2] lib/interface.c:add_interface(81)
  added interface ip=160.6.1.26 bcast=160.6.1.255 nmask=255.255.255.0
[2006/08/31 10:26:57, 3] libsmb/namequery.c:resolve_lmhosts(855)
  resolve_lmhosts: Attempting lmhosts lookup for name nuada<0x20>
[2006/08/31 10:26:57, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name nuada<0x20>
[2006/08/31 10:26:57, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2006/08/31 10:26:57, 3] libsmb/namequery.c:resolve_hosts(917)
  resolve_hosts: Attempting host lookup for name nuada<0x20>
Password:
[2006/08/31 10:27:02, 3] libsmb/cliconnect.c:cli_start_connection(1389)
  Connecting to host=nuada
[2006/08/31 10:27:02, 3] lib/util_sock.c:open_socket_out(870)
  Connecting to 160.6.1.102 at port 445
[2006/08/31 10:27:02, 3] libsmb/cliconnect.c:cli_session_setup_spnego(710)
  Doing spnego session setup (blob length=58)
[2006/08/31 10:27:02, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
  got OID=1 3 6 1 4 1 311 2 2 10
[2006/08/31 10:27:02, 3] libsmb/cliconnect.c:cli_session_setup_spnego(744)
  got principal=NONE
[2006/08/31 10:27:02, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(929)
  Got challenge flags:
[2006/08/31 10:27:02, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60890215
[2006/08/31 10:27:02, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(951)
  NTLMSSP: Set final flags:
[2006/08/31 10:27:02, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60080215
[2006/08/31 10:27:02, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/08/31 10:27:02, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60080215
[2006/08/31 10:27:03, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine nuada pipe \lsarpc fnum 0x7624 bind request returned ok.
[2006/08/31 10:27:03, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine nuada pipe \samr fnum 0x7625 bind request returned ok.
[2006/08/31 10:27:03, 2] utils/net.c:main(878)
  return code = 0

and for "net rpc info -d3 -S nuada"

[2006/08/31 10:28:27, 3] param/loadparm.c:lp_load(4207)
  lp_load: refreshing parameters
[2006/08/31 10:28:27, 3] param/loadparm.c:init_globals(1393)
  Initialising global parameters
[2006/08/31 10:28:27, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/08/31 10:28:27, 3] param/loadparm.c:do_section(3662)
  Processing section "[global]"
[2006/08/31 10:28:27, 2] lib/interface.c:add_interface(81)
  added interface ip=160.6.1.26 bcast=160.6.1.255 nmask=255.255.255.0
[2006/08/31 10:28:27, 3] libsmb/namequery.c:resolve_lmhosts(855)
  resolve_lmhosts: Attempting lmhosts lookup for name nuada<0x20>
[2006/08/31 10:28:27, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name nuada<0x20>
[2006/08/31 10:28:27, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2006/08/31 10:28:27, 3] libsmb/namequery.c:resolve_hosts(917)
  resolve_hosts: Attempting host lookup for name nuada<0x20>
[2006/08/31 10:28:27, 3] libsmb/cliconnect.c:cli_start_connection(1389)
  Connecting to host=nuada
[2006/08/31 10:28:27, 3] lib/util_sock.c:open_socket_out(870)
  Connecting to 160.6.1.102 at port 445
[2006/08/31 10:28:28, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine nuada pipe \lsarpc fnum 0x76f4 bind request returned ok.
[2006/08/31 10:28:28, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bin
Re: [Samba] Samba Groups Vanished
On 08/28/2006 09:49 AM, Diarmuid Bourke wrote:
> Hi,
> Our Samba Groups appear to have vanished.
>
> I've verified this by trying, "net group /domain" in windows and it
> returns no results. Trying "net rpc group -S nuada" on our master server
> returns nothing either.
> "net rpc info" on both our master and backup return
>
> Domain Name: DIAS
> Domain SID: S-1-5-21-463069746-3761697030-3888642000
> Sequence number: 1156762378
> Num users: 63
> Num domain groups: 0
> Num local groups: 0

Try to improve the debuglevel (-d) when using net, it could reveal some nice information to help you out (and also help the rest of us to help you). :-)

> Groups used to work until recently and they exist in our ldap database. We
> have a primary domain controller with the master ldap database on it and
> a backup domain controller with a slave ldap database on it. Our version
> of samba is Version 3.0.23 and openldap is 2.3.24

Any special event between it working and non-working status? Maybe a power failure, disk failure, system upgrade, LDAP changes, anything...

> and below are the relevant sections of smb.conf from our PDC
[...]
> Trying an ldapsearch to show groups exist in ldap returns..
>
> ldapsearch -x -b cn=geotech,ou=group,dc=cp,dc=dias,dc=ie
>
> dn: cn=geotech,ou=group,dc=cp,dc=dias,dc=ie
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: geotech
> gidNumber: 1932
> sambaSID: S-1-5-21-463069746-3761697030-3888642000-4865
> sambaGroupType: 2
> displayName: geotech
> memberUid: lcollins
> memberUid: choran
> memberUid: seismo

So, as I understood, the group *is* there. :-)

Could you try to check 'net groupmap' man page section, it perhaps could give you more info (do not forget about the debuglevel).

> I've cut out configuration statements for
> briefness but if you need them I can post them. Thanks in advance.
> Diarmuid

Hope this helps.

Kind regards,
--
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
[Samba] Samba Groups Vanished
Hi,

Our Samba Groups appear to have vanished.

I've verified this by trying, "net group /domain" in windows and it returns no results. Trying "net rpc group -S nuada" on our master server returns nothing either.
"net rpc info" on both our master and backup return

Domain Name: DIAS
Domain SID: S-1-5-21-463069746-3761697030-3888642000
Sequence number: 1156762378
Num users: 63
Num domain groups: 0
Num local groups: 0

Groups used to work until recently and they exist in our ldap database. We have a primary domain controller with the master ldap database on it and a backup domain controller with a slave ldap database on it. Our version of samba is Version 3.0.23 and openldap is 2.3.24 and below are the relevant sections of smb.conf from our PDC

[global]
workgroup = DIAS
netbios name = NUADA
preferred master = Yes
domain master = Yes
local master = Yes
passdb backend = ldapsam:ldap://127.0.0.1
# User pass configuration
security = user
encrypt passwords = true
# LDAP Configuration
domain logons = Yes
wins support = Yes
ldap suffix = dc=cp,dc=dias,dc=ie
ldap machine suffix = ou=people
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=samba,ou=specialusers,dc=cp,dc=dias,dc=ie
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-2
idmap gid = 1-2
map acl inherit = Yes

Trying an ldapsearch to show groups exist in ldap returns..

ldapsearch -x -b cn=geotech,ou=group,dc=cp,dc=dias,dc=ie

dn: cn=geotech,ou=group,dc=cp,dc=dias,dc=ie
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: geotech
gidNumber: 1932
sambaSID: S-1-5-21-463069746-3761697030-3888642000-4865
sambaGroupType: 2
displayName: geotech
memberUid: lcollins
memberUid: choran
memberUid: seismo

I've cut out configuration statements for briefness but if you need them I can post them. Thanks in advance.

Diarmuid
[Samba] Samba groups and LDAP, and printer question
Hi,

Is it possible for me to add @Some_Group as a memberUID for a Samba group mapping? Will it expand that @Some_Group to include all the members of that group in this group?

Another question -- is there a way to make everyone able to add printers to their local workstation, but not be able to delete other people's jobs from the print queue? It seems sort of all-or-nothing. Is this a group policy thing instead? I hope I can do it from within Samba. :)

Thanks,
Misty
[Samba] Samba & Groups
Admins,

I am working on an issue with Rational Clearcase with Samba as a PDC. I am new to Samba and learning fast :) Could anyone help me with finding information on how Samba uses group(s) functionality with Unix and NT? I really am looking for information on how samba handles groups from the NT side.

Thank you and I appreciate you supporting my learning.

Brandon
Re: OT: RE: [Samba] Samba groups
On Wed, 2004-01-07 at 07:21, Jason Balicki wrote:
> >If you are going to use LDAP - you need to learn, feel comfortable and
> >use LDAP --- first
>
> While we're sort of on the subject, can you recommend any decent
> LDAP books?
---
I learned the most from LDAP Systems Administration by Gerald Carter - apparently the one and the same HP Gerald Carter from this list.

I would not say that it is comprehensive - it is not. It is instructive and that was the important thing. The comprehensive learning commences after you get the basic LDAP system in place and learn how to do basic 'posixAccount' unix authentication. Once you've got that figured out, going back and figuring out how to make it work with samba, the smbldap tools is a whole lot easier.

Craig
OT: RE: [Samba] Samba groups
>If you are going to use LDAP - you need to learn, feel comfortable and
>use LDAP --- first

While we're sort of on the subject, can you recommend any decent LDAP books?

Thanks,
--J(K)
Re: [Samba] Samba groups
On Tue, 2004-01-06 at 20:16, Jamrock wrote:
> Can anyone point me to a step by step tutorial on setting up groups in Samba
> 3.x? I am using OpenLDAP as the user database.
> Any pointers from personal experience would also be welcome. :)
>
---
If you are going to use LDAP - you need to learn, feel comfortable and use LDAP --- first

from experience, integrating samba into LDAP is the hardest thing you will ever do if you don't have the concept of LDAP authentication down. After that, samba is a piece of cake.

LDIF's won't show you anything

Craig
[Samba] Samba groups
Can anyone point me to a step by step tutorial on setting up groups in Samba 3.x? I am using OpenLDAP as the user database.

I have read the How To, googled and read articles. I have read about net groupmap, net getlocalsid, RIDS, gidNumbers, and all of that fun stuff. However, I need some info. to tie the whole thing together. Some sample ldif files would be nice too. Everything that I have read so far assumes a fairly deep level of knowledge.

Any pointers from personal experience would also be welcome. :)

Thanks
Re: [Samba] samba groups problem
I feel stupid now .. but never mind. I found the 'problem'. I forgot to map the global groups.

cheers,
sergio

On Thu, 2003-12-04 at 14:41, Sergio Pereira wrote:
> Hi folks,
>
> I'm running samba 3.0.0-2 (binary version) on rh9 with ldapsam as
> backend. So, all my groups, users are in my ldap database and the
> authentication is working just fine. My problem is with groups, from
> windows xp pro client I'm trying to add to a local group 'Power Users'
> the global group 'Domain Users' but I can see just the users from my
> workstations (winxp pro). Checking other local groups like
> 'Administrators' I can see local users as Administrator and a
> '?'+'SID'+512 (for example:
> ?S-1-5-21-3774164490-1836102861-1491414457-512) and nothing else.
>
> I've tried to add users to global group 'Domain Admins' but when logged
> on any workstation the rights don't work either. Again, I can add
> users (dom\user) with no problem but I can't do the same thing with
> global groups.
> Any idea on this??
>
> here's my smb.conf
> ---xxx---
> [global]
> workgroup = DOM.CA
> netbios name = PDC
> server string = SAMBA-LDAP
> passdb backend = ldapsam:ldap://ldap.dom.ca
> passwd program = /usr/bin/smbpasswd %u
> passwd chat = *New*SMB*password:* %n\n *Retype*new*SMB*password* %n\n
> log level = 5 ; remember to lower the log level in real life :-)
> log file = /var/log/samba/%m.log
> max log size = 0
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
> domain logons = Yes
> os level = 64
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> wins support = Yes
> ldap suffix = dc=dom,dc=ca
> ldap machine suffix = dc=dom,dc=ca
> ldap user suffix = dc=dom,dc=ca
> ldap group suffix = dc=dom,dc=ca
> ldap idmap suffix = dc=dom,dc=ca
> ldap admin dn = cn=manager,dc=dom,dc=ca
> ldap ssl = start tls
> ldap passwd sync = Yes
> printing = cups
>
> [homes]
> comment = Home Directories
> read only = No
> create mask = 0664
> directory mask = 0700
> browseable = No
>
> [netlogon]
> comment = Network Logon Service
> path = /home/samba/netlogon
> guest ok = Yes
>
> [profiles]
> path = /home/samba/profiles
> read only = No
> create mask = 0600
> directory mask = 0700
> guest ok = Yes
> profile acls = Yes
> csc policy = disable
>
> ---xxx---
>
> cheers,
>
> sergio
[Samba] samba groups problem
Hi folks,

I'm running samba 3.0.0-2 (binary version) on rh9 with ldapsam as backend. So, all my groups, users are in my ldap database and the authentication is working just fine. My problem is with groups, from windows xp pro client I'm trying to add to a local group 'Power Users' the global group 'Domain Users' but I can see just the users from my workstations (winxp pro). Checking other local groups like 'Administrators' I can see local users as Administrator and a '?'+'SID'+512 (for example: ?S-1-5-21-3774164490-1836102861-1491414457-512) and nothing else.

I've tried to add users to global group 'Domain Admins' but when logged on any workstation the rights don't work either. Again, I can add users (dom\user) with no problem but I can't do the same thing with global groups.
Any idea on this??

here's my smb.conf
---xxx---
[global]
    workgroup = DOM.CA
    netbios name = PDC
    server string = SAMBA-LDAP
    passdb backend = ldapsam:ldap://ldap.dom.ca
    passwd program = /usr/bin/smbpasswd %u
    passwd chat = *New*SMB*password:* %n\n *Retype*new*SMB*password* %n\n
    log level = 5 ; remember to lower the log level in real life :-)
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
    domain logons = Yes
    os level = 64
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap suffix = dc=dom,dc=ca
    ldap machine suffix = dc=dom,dc=ca
    ldap user suffix = dc=dom,dc=ca
    ldap group suffix = dc=dom,dc=ca
    ldap idmap suffix = dc=dom,dc=ca
    ldap admin dn = cn=manager,dc=dom,dc=ca
    ldap ssl = start tls
    ldap passwd sync = Yes
    printing = cups

[homes]
    comment = Home Directories
    read only = No
    create mask = 0664
    directory mask = 0700
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes

[profiles]
    path = /home/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    guest ok = Yes
    profile acls = Yes
    csc policy = disable
---xxx---

cheers,
sergio
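Sergio reports that the missing step was mapping the global groups. As an added example (not code from the thread or from the Samba project), the check below parses `net groupmap list` output in the `name (SID) -> unixgroup` form and reports well-known domain groups with no mapping, and, going one step beyond the thread, entries that carry a different domain SID. The sample output and all function names are constructed for illustration; the domain SID is the one in Sergio's post.

```python
import re

# Well-known RIDs of the global groups a Samba 3 PDC is expected to map.
WELL_KNOWN_DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# One entry of `net groupmap list`: NT name (SID) -> Unix group
ENTRY_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[0-9-]+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; lines in any other form are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["nt"], m["sid"], m["unix"]))
    return entries


def missing_domain_groups(text, domain_sid):
    """Well-known global groups whose SID (domain SID + RID) has no mapping."""
    mapped = {sid for _, sid, _ in parse_groupmap(text)}
    return {rid: name for rid, name in WELL_KNOWN_DOMAIN_RIDS.items()
            if f"{domain_sid}-{rid}" not in mapped}


def foreign_domain_entries(text, domain_sid):
    """Entries carrying a domain SID (S-1-5-21-...) other than this domain's."""
    return [e for e in parse_groupmap(text)
            if e[1].startswith("S-1-5-21-") and not e[1].startswith(domain_sid + "-")]


# Domain part of the SID quoted in Sergio's post.
DOMAIN_SID = "S-1-5-21-3774164490-1836102861-1491414457"

# Constructed sample output, not taken from a real server.
SAMPLE = """\
Domain Users (S-1-5-21-3774164490-1836102861-1491414457-513) -> users
Administrators (S-1-5-32-544) -> Administrators
staff (S-1-5-21-1111111111-2222222222-3333333333-2001) -> staff
"""

if __name__ == "__main__":
    for rid, name in sorted(missing_domain_groups(SAMPLE, DOMAIN_SID).items()):
        print(f"unmapped: {name} ({DOMAIN_SID}-{rid})")
    for nt, sid, unix in foreign_domain_entries(SAMPLE, DOMAIN_SID):
        print(f"foreign domain SID: {nt} {sid} -> {unix}")
```

On a real server, pass in the saved output of `net groupmap list` and the domain SID reported by `net getlocalsid`.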
Re: Ref.: Re: Ref.: Re: [Samba] SAMBA Groups and Permissions
damn now everything works samba recognises user "test_user" in group "users" AND "kids" i dunno why ?!?!!? i did nothing, i just removed "valid users" from this share and reloaded smb-conf...nothing special ! if i could reproduce it, it would be better then seeing it working now and not knowing why but thx very much for your patiance greez [EMAIL PROTECTED] wrote: what samba log says ? --- Stéphane PURNELLE [EMAIL PROTECTED] Service Informatique Corman S.A. Tel : 00 32 087/342467 Michael Gasch <[EMAIL PROTECTED]> Envoyé par : Pour : [EMAIL PROTECTED] [EMAIL PROTECTED]cc : .samba.org Objet : Re: Réf. : Re: [Samba] SAMBA Groups and Permissions 04/12/2003 12:34 > Samba is compiled with acl support option ? yes it is, i can e.g. set ACL's in windows clients on samba shares but i think, that's not the fact permissions are checked not via samba! samba just asks the FS/posix-side, if it can access "share" with uid/gid xxx greez [EMAIL PROTECTED] wrote: Samba is compiled with acl support option ? ./configure --with-acl-support --- Stéphane PURNELLE [EMAIL PROTECTED] Service Informatique Corman S.A. Tel : 00 32 087/342467 Michael Gasch <[EMAIL PROTECTED]> Envoyé par : Pour : [EMAIL PROTECTED] [EMAIL PROTECTED] cc : .samba.org Objet : Re: [Samba] SAMBA Groups and Permissions 04/12/2003 12:21 hi, sorry, if i was too unprecise... 
of course i'm working with acl's - otherwise i could hardly define those fine granulated rules this is, what getfacls on /home/board gives: ~# getfacl /home/board # file: home/board # owner: root # group: root user::rwx group::r-x group:kids:r-x mask::r-x other::--- default:user::rwx default:group::r-x default:group:kids:r-x default:mask::r-x default:other::--- for some reasons, i don't want to work with "valid users" parameter, especially while working with scripts so this solution doesn't meet my expectations (as i already mentioned) the problem is on the samba-side on unix-side the user "test_user" has access on /home/board, cause he's in group "kids", too but samba just recognised group "users" for "test_user" because sambaPrimaryGroupSID maps to -> "users" so samba establishes a connection as user "testuser" / group "users", which fails because of my restrictive acl :/ so: is "valid users" my only chance? no way of adding more GroupSIDs for samba-users in LDAP, that samba recognises, that user "test_user" is in more than one group ? i mean: unix-side sees this... ~# id test_user uid=596(test_user) gid=500(users) groups=500(users),522(kids) thx for your help!!! greez [EMAIL PROTECTED] wrote: I confirm that Malte Müller says. If you want to set multiple group acces, you must use ACL. the valid user parameter in smb.conf force the right of directory but the unix right is only for group user. --- Stéphane PURNELLE [EMAIL PROTECTED] Service Informatique Corman S.A. Tel : 00 32 087/342467 [EMAIL PROTECTED] Envoyé par : Pour : "Michael Gasch" <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc :[EMAIL PROTECTED] .samba.org Objet : Re: [Samba] SAMBA Groups and Permis
Re: Ref.: Re: [Samba] SAMBA Groups and Permissions
> Samba is compiled with acl support option ? yes it is, i can e.g. set ACL's in windows clients on samba shares but i think, that's not the fact permissions are checked not via samba! samba just asks the FS/posix-side, if it can access "share" with uid/gid xxx greez [EMAIL PROTECTED] wrote: Samba is compiled with acl support option ? ./configure --with-acl-support --- Stéphane PURNELLE [EMAIL PROTECTED] Service Informatique Corman S.A. Tel : 00 32 087/342467 Michael Gasch <[EMAIL PROTECTED]> Envoyé par : Pour : [EMAIL PROTECTED] [EMAIL PROTECTED]cc : .samba.org Objet : Re: [Samba] SAMBA Groups and Permissions 04/12/2003 12:21 hi, sorry, if i was too unprecise... of course i'm working with acl's - otherwise i could hardly define those fine granulated rules this is, what getfacls on /home/board gives: ~# getfacl /home/board # file: home/board # owner: root # group: root user::rwx group::r-x group:kids:r-x mask::r-x other::--- default:user::rwx default:group::r-x default:group:kids:r-x default:mask::r-x default:other::--- for some reasons, i don't want to work with "valid users" parameter, especially while working with scripts so this solution doesn't meet my expectations (as i already mentioned) the problem is on the samba-side on unix-side the user "test_user" has access on /home/board, cause he's in group "kids", too but samba just recognised group "users" for "test_user" because sambaPrimaryGroupSID maps to -> "users" so samba establishes a connection as user "testuser" / group "users", which fails because of my restrictive acl :/ so: is "valid users" my only chance? no way of adding more GroupSIDs for samba-users in LDAP, that samba recognises, that user "test_user" is in more than one group ? i mean: unix-side sees this... ~# id test_user uid=596(test_user) gid=500(users) groups=500(users),522(kids) thx for your help!!! greez [EMAIL PROTECTED] wrote: I confirm that Malte Müller says. If you want to set multiple group acces, you must use ACL. 
the valid user parameter in smb.conf force the right of directory but the unix right is only for group user. --- Stéphane PURNELLE [EMAIL PROTECTED] Service Informatique Corman S.A. Tel : 00 32 087/342467 [EMAIL PROTECTED] Envoyé par : Pour : "Michael Gasch" <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc :[EMAIL PROTECTED] .samba.org Objet : Re: [Samba] SAMBA Groups and Permissions 04/12/2003 11:41 I am not shure if i got you right. You do not tell us the access rights of the directory concerned. If you'r primary uninx group is user and your dir. has: drwx---rwx root user board they forbid your access. then you are not allowed to access, because group rights match first and If you weren't user but world, then you would be allowed. This has nothing to do with samba. You might want to change the group to nogroup and work with acls (if ext3, XFS and alike). Or if you have plenty of CPU-cycles to waste you might work with "valid users" in smb.conf. But i'm not a security or filesystem-expert and may be completely wrong. Kind regards, Malte Müller hi i have a user ~# id test_user uid=500,gid=500 (users),groups (users,kids) as you can see, this user is in primary group "users" and also member of group "
Re: [Samba] SAMBA Groups and Permissions
hi, sorry, if i was too unprecise... of course i'm working with acl's - otherwise i could hardly define those fine granulated rules this is, what getfacls on /home/board gives: ~# getfacl /home/board # file: home/board # owner: root # group: root user::rwx group::r-x group:kids:r-x mask::r-x other::--- default:user::rwx default:group::r-x default:group:kids:r-x default:mask::r-x default:other::--- for some reasons, i don't want to work with "valid users" parameter, especially while working with scripts so this solution doesn't meet my expectations (as i already mentioned) the problem is on the samba-side on unix-side the user "test_user" has access on /home/board, cause he's in group "kids", too but samba just recognised group "users" for "test_user" because sambaPrimaryGroupSID maps to -> "users" so samba establishes a connection as user "testuser" / group "users", which fails because of my restrictive acl :/ so: is "valid users" my only chance? no way of adding more GroupSIDs for samba-users in LDAP, that samba recognises, that user "test_user" is in more than one group ? i mean: unix-side sees this... ~# id test_user uid=596(test_user) gid=500(users) groups=500(users),522(kids) thx for your help!!! greez [EMAIL PROTECTED] wrote: I confirm that Malte Müller says. If you want to set multiple group acces, you must use ACL. the valid user parameter in smb.conf force the right of directory but the unix right is only for group user. --- Stéphane PURNELLE [EMAIL PROTECTED] Service Informatique Corman S.A. Tel : 00 32 087/342467 [EMAIL PROTECTED] Envoyé par : Pour : "Michael Gasch" <[EMAIL PROTECTED]> [EMAIL PROTECTED]cc :[EMAIL PROTECTED] .samba.org Objet : Re: [Samba] SAMBA Groups and Permissions 04/12/2003 11:41 I am not shure if i got you right. You do not tell us the access rights of the directory concerned. If you'r primary uninx group is user and your dir. has: drwx---rwx root user board they forbid your access. 
then you are not allowed to access, because group rights match first and If you weren't user but world, then you would be allowed. This has nothing to do with samba. You might want to change the group to nogroup and work with acls (if ext3, XFS and alike). Or if you have plenty of CPU-cycles to waste you might work with "valid users" in smb.conf. But i'm not a security or filesystem-expert and may be completely wrong. Kind regards, Malte Müller hi i have a user ~# id test_user uid=500,gid=500 (users),groups (users,kids) as you can see, this user is in primary group "users" and also member of group "kids" if he tries to access /home/board via smb (Samba 3.0 + openldap) from a windows client (XP), he fails, because his sambaPrimaryGroupSID maps to -> "users" and /home/board is not accessible for group "users" - just for "kids" if i add valid users = @kids to /home/board - share, access is granted isn't it possible in samba, that the user "test_user" gets an attribute like sambaSecondaryGroup in ldap so that samba knows: "this user is in group users AND kids, so i have to try connections to share /home/board as group users AND kids" ??? if i login locally to the samba PDC with a console as "test_user", access to /home/board is granted, 'cause i'm member of "kids" so there's no permission problem please help me !!! greez -- To unsubscribe from this list go to the follow
Ref.: Re: [Samba] SAMBA Groups and Permissions
Samba is compiled with acl support option ? ./configure --with-acl-support --- Stéphane PURNELLE [EMAIL PROTECTED] Service Informatique Corman S.A. Tel : 00 32 087/342467 Michael Gasch <[EMAIL PROTECTED]> Envoyé par : Pour : [EMAIL PROTECTED] [EMAIL PROTECTED]cc : .samba.org Objet : Re: [Samba] SAMBA Groups and Permissions 04/12/2003 12:21 hi, sorry, if i was too unprecise... of course i'm working with acl's - otherwise i could hardly define those fine granulated rules this is, what getfacls on /home/board gives: ~# getfacl /home/board # file: home/board # owner: root # group: root user::rwx group::r-x group:kids:r-x mask::r-x other::--- default:user::rwx default:group::r-x default:group:kids:r-x default:mask::r-x default:other::--- for some reasons, i don't want to work with "valid users" parameter, especially while working with scripts so this solution doesn't meet my expectations (as i already mentioned) the problem is on the samba-side on unix-side the user "test_user" has access on /home/board, cause he's in group "kids", too but samba just recognised group "users" for "test_user" because sambaPrimaryGroupSID maps to -> "users" so samba establishes a connection as user "testuser" / group "users", which fails because of my restrictive acl :/ so: is "valid users" my only chance? no way of adding more GroupSIDs for samba-users in LDAP, that samba recognises, that user "test_user" is in more than one group ? i mean: unix-side sees this... ~# id test_user uid=596(test_user) gid=500(users) groups=500(users),522(kids) thx for your help!!! greez [EMAIL PROTECTED] wrote: > I confirm that Malte Müller says. > If you want to set multiple group acces, you must use ACL. > the valid user parameter in smb.conf force the right of directory but the > unix right is only for group user. > > > > > > --- > Stéphane PURNELLE [EMAIL PROTECTED] > Service Informatique Corman S.A. 
Tel : 00 32 087/342467 > > > > [EMAIL PROTECTED] > Envoyé par : Pour : "Michael Gasch" <[EMAIL PROTECTED]> > [EMAIL PROTECTED] cc :[EMAIL PROTECTED] > .samba.org Objet : Re: [Samba] SAMBA Groups and Permissions > > > 04/12/2003 11:41 > > > > > > > I am not shure if i got you right. You do not tell us the access rights of > the directory concerned. > If you'r primary uninx group is user and your dir. has: > drwx---rwx root user board > they forbid your access. then you are not allowed to access, because group > rights match first and If you weren't user but world, then you would be > allowed. This has nothing to do with samba. > You might want to change the group to nogroup and work with acls (if ext3, > XFS and alike). Or if you have plenty of CPU-cycles to waste you might > work with "valid users" in smb.conf. > But i'm not a security or filesystem-expert and may be completely wrong. > > Kind regards, > Malte Müller > > >>hi >> >>i have a user >> >>~# id test_user >>uid=500,gid=500 (users),groups (users,kids) >> >>as you can see, this user is in primary group "users" and also member of >>group "kids" >>
Re: [Samba] SAMBA Groups and Permissions
On 4 Dec 2003 at 10:21 Michael Gasch posted:
> so that samba knows: "this user is in group users AND kids, so i have
> to try connections to share /home/board as group users AND kids" ???

this is the main [97%] reason why all file servers here are win2000
Ref.: Re: [Samba] SAMBA Groups and Permissions
I confirm what Malte Müller says.
If you want to set multiple group access, you must use ACL.
the valid user parameter in smb.conf forces the right of directory but the unix right is only for group user.

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique Corman S.A. Tel : 00 32 087/342467

[EMAIL PROTECTED] Sent by: To: "Michael Gasch" <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc: [EMAIL PROTECTED] .samba.org
Subject: Re: [Samba] SAMBA Groups and Permissions
04/12/2003 11:41

I am not sure if i got you right. You do not tell us the access rights of the directory concerned.
If your primary unix group is user and your dir. has:
drwx---rwx root user board
they forbid your access. then you are not allowed to access, because group rights match first and If you weren't user but world, then you would be allowed. This has nothing to do with samba.
You might want to change the group to nogroup and work with acls (if ext3, XFS and alike). Or if you have plenty of CPU-cycles to waste you might work with "valid users" in smb.conf.
But i'm not a security or filesystem-expert and may be completely wrong.

Kind regards,
Malte Müller

> hi
>
> i have a user
>
> ~# id test_user
> uid=500,gid=500 (users),groups (users,kids)
>
> as you can see, this user is in primary group "users" and also member of
> group "kids"
>
> if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
> windows client (XP), he fails, because his
>
> sambaPrimaryGroupSID maps to -> "users"
>
> and /home/board is not accessible for group "users" - just for "kids"
> if i add
>
> valid users = @kids
>
> to /home/board - share, access is granted
>
> isn't it possible in samba, that the user "test_user" gets an attribute
> like
>
> sambaSecondaryGroup in ldap
>
> so that samba knows: "this user is in group users AND kids, so i have to
> try connections to share /home/board as group users AND kids" ???
>
> if i login locally to the samba PDC with a console as "test_user",
> access to /home/board is granted, 'cause i'm member of "kids"
>
> so there's no permission problem
>
> please help me !!!
>
> greez
Re: [Samba] SAMBA Groups and Permissions
I am not sure if i got you right. You do not tell us the access rights of the directory concerned.
If your primary unix group is user and your dir. has:
drwx---rwx root user board
they forbid your access. then you are not allowed to access, because group rights match first and If you weren't user but world, then you would be allowed. This has nothing to do with samba.
You might want to change the group to nogroup and work with acls (if ext3, XFS and alike). Or if you have plenty of CPU-cycles to waste you might work with "valid users" in smb.conf.
But i'm not a security or filesystem-expert and may be completely wrong.

Kind regards,
Malte Müller

> hi
>
> i have a user
>
> ~# id test_user
> uid=500,gid=500 (users),groups (users,kids)
>
> as you can see, this user is in primary group "users" and also member of
> group "kids"
>
> if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
> windows client (XP), he fails, because his
>
> sambaPrimaryGroupSID maps to -> "users"
>
> and /home/board is not accessible for group "users" - just for "kids"
> if i add
>
> valid users = @kids
>
> to /home/board - share, access is granted
>
> isn't it possible in samba, that the user "test_user" gets an attribute
> like
>
> sambaSecondaryGroup in ldap
>
> so that samba knows: "this user is in group users AND kids, so i have to
> try connections to share /home/board as group users AND kids" ???
>
> if i login locally to the samba PDC with a console as "test_user",
> access to /home/board is granted, 'cause i'm member of "kids"
>
> so there's no permission problem
>
> please help me !!!
>
> greez
[Samba] SAMBA Groups and Permissions
hi

i have a user

~# id test_user
uid=500,gid=500 (users),groups (users,kids)

as you can see, this user is in primary group "users" and also member of group "kids"

if he tries to access /home/board via smb (Samba 3.0 + openldap) from a windows client (XP), he fails, because his

sambaPrimaryGroupSID maps to -> "users"

and /home/board is not accessible for group "users" - just for "kids"
if i add

valid users = @kids

to /home/board - share, access is granted

isn't it possible in samba, that the user "test_user" gets an attribute like

sambaSecondaryGroup in ldap

so that samba knows: "this user is in group users AND kids, so i have to try connections to share /home/board as group users AND kids" ???

if i login locally to the samba PDC with a console as "test_user", access to /home/board is granted, 'cause i'm member of "kids"

so there's no permission problem

please help me !!!

greez
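The access decision argued over in this thread, as an added example that is not from any of the posters: a simplified POSIX ACL check run over the `getfacl /home/board` output quoted in the thread, once with both of test_user's groups and once with only the primary group "users", plus Malte's `rwx---rwx` case. Function names are assumptions made for illustration, entries are matched by name rather than numeric id, and root's override is not modelled.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(s):
    """'r-x' -> 5; dashes are ignored."""
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)


def parse_getfacl(text):
    """Parse the access ACL from getfacl output (default: entries are skipped)."""
    acl = {"owner": None, "group": None, "user_obj": 0, "group_obj": 0,
           "other": 0, "mask": None, "users": {}, "groups": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, name, perms = line.split(":")
            bits = parse_perms(perms)
            if tag == "user":
                if name:
                    acl["users"][name] = bits
                else:
                    acl["user_obj"] = bits
            elif tag == "group":
                if name:
                    acl["groups"][name] = bits
                else:
                    acl["group_obj"] = bits
            elif tag in ("mask", "other"):
                acl[tag] = bits
    return acl


def acl_from_mode(mode, owner, group):
    """Build the same structure from a plain mode string such as 'rwx---rwx'."""
    return {"owner": owner, "group": group, "user_obj": parse_perms(mode[0:3]),
            "group_obj": parse_perms(mode[3:6]), "other": parse_perms(mode[6:9]),
            "mask": None, "users": {}, "groups": {}}


def access_allowed(acl, user, groups, want):
    """First matching class decides: owner, named user, group class, then other."""
    need = parse_perms(want)
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["owner"]:
        return acl["user_obj"] & need == need
    if user in acl["users"]:
        return acl["users"][user] & mask & need == need
    matching = [p & mask for g, p in acl["groups"].items() if g in groups]
    if acl["group"] in groups:
        matching.append(acl["group_obj"] & mask)
    if matching:
        # A group match never falls through to "other", even if every entry denies.
        return any(p & need == need for p in matching)
    return acl["other"] & need == need


# Access ACL of /home/board as quoted in the thread.
BOARD_ACL = parse_getfacl("""\
# file: home/board
# owner: root
# group: root
user::rwx
group::r-x
group:kids:r-x
mask::r-x
other::---
default:group:kids:r-x
""")

if __name__ == "__main__":
    print(access_allowed(BOARD_ACL, "test_user", {"users", "kids"}, "r-x"))  # full group list
    print(access_allowed(BOARD_ACL, "test_user", {"users"}, "r-x"))          # primary group only
```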
[Samba] Samba groups
Hi Everyone :)

I'm running Samba-2.2.8a on two PC'S. One PC called POSTA runs as a PDC.

    workgroup = SAMBANET
    netbios name = POSTA
    server string = Samba Server
    bind interfaces only = No
    security = USER
    encrypt passwords = Yes
    update encrypted = No
    allow trusted domains = Yes

The second runs as a domain client

    workgroup = SAMBANET
    netbios name = ROBERTO-UX
    server string = Samba Client
    security = DOMAIN
    encrypt passwords = Yes
    obey pam restrictions = Yes
    pam password change = Yes

I have winbind running on the client only. I've created 3 groups: Installation, storage and anonymous. I added myself (user:roberto) to each group. Then in a samba share, I added valid user @(each group). In doing so, I'm assuming that each group is a Global/Domain Group.

When I do wbinfo -g, I get the following

[EMAIL PROTECTED] root]# /usr/local/samba/bin/wbinfo -g
SAMBANET\Domain Admins
SAMBANET\Domain Users

Am I now supposed to see my three groups (Installation, storage and anonymous)?

I guess this is related: when I do a getent group, I do not see my 3 "Domain Groups".

Second question. When I do a getent passwd, I see all the users, including those of my PDC SAMBANET. Yet when I do the following:

[EMAIL PROTECTED] root]# /usr/local/samba/bin/wbinfo -s SAMBANET+roberto%barnburner
Could not lookup sid SAMBANET+roberto%barnburner

I can not log in from my client computer using a domain user/password. Can anyone suggest where I'm going wrong?

Thank You
Roberto