Using Samba 3.0.2 (specifically the samba-3.0.2-7.FC1 Fedora package) with LDAP as a passdb backend, I'm encountering problems with Domain Groups. I have come across various postings, some to this list, from people who are experiencing similar problems. However, I have not found any information as to the cause/solution. The problem is as follows. I have the following group configurations in LDAP:
Windows Domain accounts:

dn: cn=Domain Guests,ou=Groups,o=potsdam.edu
objectClass: posixGroup
cn: Domain Guests
gidNumber: 1000

dn: cn=Domain Admins,ou=Groups,o=potsdam.edu
objectClass: posixGroup
cn: Domain Admins
gidNumber: 1001

dn: cn=Domain Users,ou=Groups,o=potsdam.edu
objectClass: posixGroup
cn: Domain Users
gidNumber: 1002

Local Unix accounts:

dn: cn=nobody,ou=Groups,o=potsdam.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: nobody
gidNumber: 99
sambaSID: S-1-5-21-688789465-4019127931-1496692998-514
sambaGroupType: 2
displayName: Domain Guests
description: Local Unix group

dn: cn=users,ou=Groups,o=potsdam.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 100
sambaSID: S-1-5-21-688789465-4019127931-1496692998-513
sambaGroupType: 2
displayName: Domain Users
description: Local Unix group

dn: cn=wheel,ou=Groups,o=potsdam.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wheel
gidNumber: 10
sambaSID: S-1-5-21-688789465-4019127931-1496692998-512
sambaGroupType: 2
displayName: Domain Admins
description: Local Unix group

If the user 'root' is added to samba/ldap and assigned to the "Domain Admins" domain group, then 'root' is allowed domain administrator access, as it should be. If you create a new user account, say 'blinky', and add 'blinky' to the "Domain Admins" group, 'blinky' does not have full Domain Admin access. For example, 'blinky' cannot use the "USRMGR.EXE" administration tool, while root can without any problem. However, 'blinky' CAN remove a machine from the domain, but not add one.

I have done a seemingly exhaustive search for information regarding this problem and found no explicit explanation/solution. Packet captures did not produce any meaningful information for me personally. The logs have presented me with rather cryptic leads as to the problem. Googling for these errors presented me with a few similar cases, but no definite causes or solutions.
Attached below is the output from the logs at debug levels 2 & 3, as they give different error information.

Log for debug level 2:

[2004/04/22 15:55:58, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: kuchytgj
[2004/04/22 15:55:58, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
  init_group_from_ldap: Entry found for group: 10
[2004/04/22 15:55:58, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [kuchytgj] -> [kuchytgj] -> [kuchytgj] succeeded
[2004/04/22 15:55:58, 2] lib/access.c:check_access(324)
  Allowed connection from (137.143.98.202)
[2004/04/22 15:55:59, 2] smbd/server.c:exit_server(558)
  Closing connections
[2004/04/22 15:55:59, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: kuchytgj
[2004/04/22 15:55:59, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
  init_group_from_ldap: Entry found for group: 10
[2004/04/22 15:55:59, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [kuchytgj] -> [kuchytgj] -> [kuchytgj] succeeded
[2004/04/22 15:55:59, 2] lib/access.c:check_access(324)
  Allowed connection from (137.143.98.202)
[2004/04/22 15:55:59, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain DEVPOTSDAM -> S-1-5-21-688789465-4019127931-1496692998
[2004/04/22 15:55:59, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2004/04/22 15:55:59, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain DEVPOTSDAM -> S-1-5-21-688789465-4019127931-1496692998
[2004/04/22 15:55:59, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2004/04/22 15:56:00, 2] smbd/server.c:exit_server(558)

Log for debug level 3:

[2004/04/22 15:43:11, 3] smbd/reply.c:reply_ulogoffX(1108)
  ulogoffX vuid=100
[2004/04/22 15:43:11, 3] smbd/process.c:process_smb(890)
  Transaction 41 of length 39
[2004/04/22 15:43:11, 3] smbd/process.c:switch_message(685)
  switch message SMBtdis (pid 13906)
[2004/04/22 15:43:11, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/22 15:43:11, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/22 15:43:11, 3] smbd/service.c:close_cnum(887)
  dun210-12239 (137.143.98.202) closed connection to service IPC$
[2004/04/22 15:43:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to IPC$
[2004/04/22 15:43:11, 4] smbd/vfs.c:vfs_ChDir(654)
  vfs_ChDir to /
[2004/04/22 15:43:11, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/22 15:43:11, 3] smbd/process.c:timeout_processing(1104)
  timeout_processing: End of file from client (client has disconnected).
[2004/04/22 15:43:11, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/22 15:43:11, 2] smbd/server.c:exit_server(558)
  Closing connections
[2004/04/22 15:43:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2004/04/22 15:43:11, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name failed with error Record does not exist.
[2004/04/22 15:43:11, 3] smbd/server.c:exit_server(601)
  Server exit (normal exit)

I am not ruling out that the groups may be misconfigured. I have encountered much debate/confusion regarding the proper setup of Domain to local group mapping in LDAP. Thank you in advance for your time, and any help you are able to provide.

-- Greg

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
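As an added example (not part of Greg's post, nor Samba's own code), the script below parses LDIF group entries shaped like the ones above and audits them for two inconsistencies worth catching in a Samba/LDAP directory: a sambaGroupMapping entry whose sambaSID RID does not match the well-known RID implied by its displayName (512 Domain Admins, 513 Domain Users, 514 Domain Guests), and an unmapped posixGroup whose cn is a well-known domain group name while a different entry already carries the mapping for that name, so the two groups have different gidNumbers and therefore different Unix memberships. The LDIF is constructed for the example: the base DN, the domain SID prefix S-1-5-21-1-2-3 and the deliberately wrong RID on the 'users' group are placeholders, not values from the post.

```python
"""Audit Samba/LDAP group entries for mapping inconsistencies.

Added example, not from the original post. Parses a constructed LDIF
fragment modelled on the post's entries and reports:
  * mapped groups whose sambaSID RID disagrees with the well-known RID
    implied by their displayName (or which lack a sambaSID entirely),
  * posixGroup entries named like a well-known domain group but without
    a sambaGroupMapping, especially when another entry maps that name.
"""
from collections import defaultdict

# Well-known domain group RIDs: the last component of the group SID.
WELL_KNOWN_RIDS = {
    "Domain Admins": 512,
    "Domain Users": 513,
    "Domain Guests": 514,
}

# Constructed sample LDIF (placeholder base DN and domain SID prefix).
# The 'users' group is given RID 514 on purpose to exercise the RID check.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,o=example.edu
objectClass: posixGroup
cn: Domain Admins
gidNumber: 1001

dn: cn=wheel,ou=Groups,o=example.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wheel
gidNumber: 10
sambaSID: S-1-5-21-1-2-3-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=users,ou=Groups,o=example.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 100
sambaSID: S-1-5-21-1-2-3-514
sambaGroupType: 2
displayName: Domain Users
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries (attribute -> list of values).

    Entries are separated by blank lines; a line starting with a single
    space continues the previous value (LDIF line folding); '#' lines are
    comments.  Base64 ('::') values are not needed for group entries here.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def rid_of(sid):
    """Return the RID (last dash-separated component) of a SID as an int."""
    return int(sid.rsplit("-", 1)[1])


def audit_groups(entries):
    """Return a list of human-readable findings for the group entries."""
    findings = []
    mapped_by_name = {}  # displayName -> cn of the entry that maps it

    # Pass 1: mapped groups must carry a SID whose RID matches their name.
    for e in entries:
        classes = e.get("objectClass", [])
        if "posixGroup" not in classes or "sambaGroupMapping" not in classes:
            continue
        cn = e.get("cn", ["?"])[0]
        display = e.get("displayName", [cn])[0]
        mapped_by_name[display] = cn
        sid = e.get("sambaSID", [""])[0]
        if not sid:
            findings.append(f"{cn}: sambaGroupMapping without a sambaSID")
            continue
        expected = WELL_KNOWN_RIDS.get(display)
        if expected is not None and rid_of(sid) != expected:
            findings.append(
                f"{cn}: displayName '{display}' implies RID {expected} "
                f"but sambaSID ends in {rid_of(sid)}")

    # Pass 2: unmapped posixGroups that borrow a well-known domain group name.
    for e in entries:
        classes = e.get("objectClass", [])
        if "posixGroup" not in classes or "sambaGroupMapping" in classes:
            continue
        cn = e.get("cn", ["?"])[0]
        gid = e.get("gidNumber", ["?"])[0]
        if cn in WELL_KNOWN_RIDS:
            if cn in mapped_by_name:
                findings.append(
                    f"{cn}: unmapped posixGroup (gid {gid}) shares its name with "
                    f"mapped group '{mapped_by_name[cn]}'; the two have different "
                    f"gids, so membership in one is not membership in the other")
            else:
                findings.append(f"{cn}: named like a domain group but has no sambaGroupMapping")
    return findings


if __name__ == "__main__":
    for line in audit_groups(parse_ldif(SAMPLE_LDIF)):
        print(line)
```

Run against a real export (for example the output of an ldapsearch over ou=Groups), the script would be fed the file contents instead of SAMPLE_LDIF; everything else is unchanged.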