Granzow, Matt (MED, Adecco) wrote:

Hopefully I can write this out so someone understands it.

We are currently running a number of Solaris servers, to which Windows
computers need to connect.  Currently they connect via NFS using
Hummingbird's NFS client.  This requires them to have a separate Unix
account along with their Windows account.

Our idea is to implement Samba 3.0.0 to eliminate that NFS client.

My current problems are:

#1, when I mount my share (in either Windows or Unix using smbclient), I
am not getting the proper permissions. We have a group (let's call it
happy) in both Unix and in our Windows domain. With winbind, the
domain\happy group obviously isn't getting the same GID as the Unix
happy group. The share we are working on is 0775, so I can't write to
it when I connect using my domain acct. In net groupmap a mapping for
the group domain\happy = happy, and in my username.map file, I have * =
domain\*. What else do I need to set up to get this working? Using
getent group I only get one group in my domain, but when I run wbinfo -g
I get the full list. getent passwd gets me all the users in the domain,
so I don't understand what is so broken about groups.


#2, when I have something mounted, and I run smbstatus (or click status
from swat), it will just hang where it is finding who is connected.


Here is a copy of my smb.conf file.  Hopefully it will help someone
figure this out.  Yes, winbind is running, and it has a computer account
in the domain.  wbinfo works.  ntlm_auth works.  So I know I'm close,
but I just can't figure out this last part.  And yes, I do need that
many UIDs if I have to use winbind enum users = yes

[global]
        workgroup = ourdomain
        netbios name = BOXEN
        server string = Samba %v on %L
        security = DOMAIN
        password server = pdc
        username map = /usr/local/samba/lib/username.map
        username level = 2
        log file = /var/log/samba/samba.%m
        max open files = 20000
        load printers = No
        preferred master = No
        local master = No
        domain master = No
        kernel oplocks = No
        ldap ssl = no
        idmap uid = 10000-45000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        create mask = 0775
        directory mask = 0775
        mangled names = No
        oplocks = No
        level2 oplocks = No

[smbview]
        comment = viewstorage
        path = /smbview
        read only = No
        writable = yes

/smbview is 0775 and so are all the files in it.  All I need to do is
get users that authenticate via Samba to get the proper group assigned
when they connect.

Thanks for any help!
Mathew Granzow

I think that I have the same problem.
My setup:
- PDC on RH9 (Samba3 RPM + small Jeremy %S patch + remove of -g in Make to avoid crunching the disks), SAM on ldapsam. Works nice (I gave up FreeBSD 5.1).
- Member server on Solaris 9, Samba 3 + %S patch, using Winbind.


Winbind works quite nicely for users, ksh recognises ~user, I get the right conversions for SID to uid, uid to SID, and so on...

But not for groups.
In fact, I think that the group mapping code for winbind is a little bit too fast. Let me explain:


Here are my group definitions in LDIF format:

dn: cn=Domain Admins,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2025
gidNumber: 512
displayName: Domain Admins
memberUid: Administrator
memberUid: root
memberUid: jerome
memberUid: david
sambaGroupType: 2
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Local Unix group
cn: Domain Admins

dn: cn=domusers,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2027
gidNumber: 513
displayName: Domain Users
sambaGroupType: 2
memberUid: jerome
memberUid: david
memberUid: henri
memberUid: mytest
memberUid: mytest2
description: Utilisateurs du domaine
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domusers

dn: cn=Domain Guests,ou=Groups, dc=dummy,dc=com
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2029
gidNumber: 514
displayName: Domain Guests
sambaGroupType: 2
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Local Unix group
cn: Domain Guests

Notice the gidNumbers, and the SID numbers, which are «dans la ligne du parti»:
sid-suffix = 1000 + gid*2 + 1


Now, let's have a look at the conversion when trying to resolve groups on the Solaris member server (with net rpc group list):

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3209628119-1617240125-1967951502-512) -> -1
Domain Guests (S-1-5-21-3209628119-1617240125-1967951502-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3209628119-1617240125-1967951502-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Seems to me that the SIDs are a little bit mangled with gidNumbers...

This is all the information I have at hand for now. If you need more information, you'll have to wait until Thursday.

Regards,

Jérôme
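
Added example, not part of either post: a short Python script that lines up the LDAP group entries and the member-server listing quoted above and flags where the two views disagree. The data is copied from the post (LDIF trimmed to three attributes per entry); the function and flag names are hypothetical.

```python
import re

# Copied from the post, trimmed to the attributes used: the PDC's LDAP group entries.
LDIF = """\
displayName: Domain Admins
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2025
gidNumber: 512

displayName: Domain Users
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2027
gidNumber: 513

displayName: Domain Guests
sambaSID: S-1-5-21-3210478623-1080310788-3073812203-2029
gidNumber: 514
"""
# Copied from the post: part of the listing seen on the Solaris member server.
LISTING = """\
Domain Admins (S-1-5-21-3209628119-1617240125-1967951502-512) -> -1
Domain Guests (S-1-5-21-3209628119-1617240125-1967951502-514) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3209628119-1617240125-1967951502-513) -> -1
"""

def parse_ldif(text):
    """Map displayName -> (sambaSID, gidNumber), one blank-line separated entry each."""
    entries = (dict(l.split(": ", 1) for l in e.splitlines()) for e in text.strip().split("\n\n"))
    return {a["displayName"]: (a["sambaSID"], int(a["gidNumber"])) for a in entries}

def parse_listing(text):
    """Map group name -> (SID, mapped gid) from 'Name (SID) -> gid' lines."""
    pat = re.compile(r"^(.+?) \((S-[\d-]+)\) -> (-?\d+)$")
    return {m[1]: (m[2], int(m[3])) for m in map(pat.match, text.splitlines()) if m}

def compare(ldif, listing):
    """For each group present in both sources, flag how the two views differ."""
    seen, report = parse_listing(listing), {}
    for name, (dir_sid, gid) in parse_ldif(ldif).items():
        if name not in seen:
            continue  # e.g. builtin groups that have no LDAP entry here
        dir_dom, dir_rid = dir_sid.rsplit("-", 1)  # domain part, RID
        dom, rid = seen[name][0].rsplit("-", 1)
        report[name] = {
            "same_domain_sid": dom == dir_dom,
            "ldap_rid_is_algorithmic": int(dir_rid) == 1000 + gid * 2 + 1,  # formula from the post
            "member_rid_equals_gid": int(rid) == gid,
            "mapped_to_gid": seen[name][1] != -1,
        }
    return report
```

Calling `compare(LDIF, LISTING)` returns one flag dictionary per group; run against fresh `net rpc group list` output and an LDAP export, the same flags show whether the member server and the directory agree on each group's SID before file permissions are debugged.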

