From: Gaiseric Vandal on 30 Nov 2009 18:00

I consolidated group entries as described in the previous post. By mistake, I initially set the same SID for "Domain Users" and "Domain Guests." So "net rpc user info someuser" would display the wrong output. I fixed this but had to my Samba 3.0.x BDC to get the update to stick. I also zapped all the *cache*.tdb files on that machine, which may have been a mistake.

Initially the Samba 3.0.x BDC would not start. smb.conf had the "guest account = nobody" entry, which had worked in the past. However, the error logs showed that "nobody" no longer existed. I had to create an ldap/samba "smb_nobody" user and group and update smb.conf for "guest account = smb_nobody." At that point samba would start; however, I could not view or access either the samba server in network neighborhood, or access any shares via "net use..." or "smbclient ..."

For the moment, I have reverted to the earlier smb.conf and disabled samba 3.4.x.

My guess is that samba choked on loading groups that did not have a proper SID. I have about 230 unix/ldap groups and didn't want to have to create an explicit group mapping (SID entry) for each group.

On 11/25/09 22:42, Gaiseric Vandal wrote:
> I think I have found the problem:
>
> Samba 3.0.x looks for group mappings in the "ldap group suffix" param. On my systems this is "ldap group suffix = ou=smb_groups." Regular unix groups are just in ou=groups. Initially we had used NIS (then LDAP) for unix groups, and had used tdbsam for the samba account backend. Group mappings were also in tdb. When we moved to ldap backend, group mappings were imported into ou=smb_groups.
>
> Samba 3.4.x reads thru the entire ldap tree. Since I have both "cn=Domain Administrators,ou=smb_groups" and "cn=smb_domadmins,ou=group", both with the same gidNumber, group membership processing fails.
>
> Therefore I think the solution will be to consolidate entries. For example,
> Replace "cn=smb_domadmins,ou=group" with "cn=Domain Administrators,ou=group"
> Copy the sambaSID from "cn=Domain Administrators,ou=smb_groups" to "cn=Domain Administrators,ou=group"
> Repeat for all the other mapped groups
> Update smb.conf on the 3.0.x servers to use "ldap group suffix = ou=group."
>
> This is assuming of course that Solaris doesn't have problems with group names with spaces.
>
> -----Original Message-----
> From: Gaiseric Vandal [mailto:gaiseric.vandal(a)gmail.com]
> Sent: Wednesday, November 25, 2009 10:01 PM
> To: samba(a)lists.samba.org
> Subject: RE: [Samba] samba 3.4.3 DC breaks Windows groups
>
> I have done the following
>
> - Added index for sambaSID and other attributes as per the following
>   http://wiki.samba.org/index.php/2.0:_Configuring_LDAP
> - replaced the samba 3.0 schema file in my LDAP Server (Sun Directory Server) with the 3.2 version
> - installed samba 3.4.3 packages from sun freeware to replace those I compiled from source.
> - Reindexed with "dsconf reindex -h ldapserver -t sambaSID o=mydomain.com"
>
> Unfortunately this did not resolve the group membership problem (i.e. a user account only appears to be in its primary group).
>
> Querying the Samba 3.4.x BDC
>
> # net rpc user info Administrator -U Administrator -S BDC2
> Enter Administrator's password:
> Domain Users
> #
>
> Querying the Samba 3.0.x PDC
>
> # net rpc user info Administrator -U Administrator -S PDC
> Enter Administrator's password:
> Domain Admins
> Domain Users
> #
>
> As far as I can tell from the comments at the top of each ldif file, the only change was the addition of sambaTrustedDomainPassword objectClasses.
>
> On 11/25/09 03:41, Jan Wenzel wrote:
>> Gaiseric Vandal wrote:
>>> I assume an index is not an actual LDAP attribute or object like sambaSID but is more like a database index for optimizing searches?
>>
>> You're right :) But in some cases like substring search (samba searches i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to get results. I don't know where to configure the indexes exactly in SDS, but I'm sure it is possible.
>>
>>> I use Sun's Directory Server (LDAP server) as the backend. I use Apache Directory Studio for managing objects and attributes within ldap. I should be able to use Sun's web-based console for creating the indexes.
>>>
>>> Is there something I need to specify in smb.conf to tell Samba to use the index?
>>
>> Samba does not know anything about the configuration details of the LDAP server, it only talks LDAP - so it should instantly show groups when the index is present.
>>
>>> I also noticed that if I try to compile samba with Active Directory support, configure fails with
>>>
>>> configure: error: Active Directory support requires ldap_initialize
>>
>> I would prefer to use the prebuilt linux packages from ftp.sernet.de (if you have a linux system).
>>
>>> Since sun has ldap client support included in the OS I do not have openldap installed. I don't need Active Directory but it makes me suspect that there may be some other ldap compatibility issues when using Sun ldap client vs Openldap client.
>>>
>>> Thanks
>>
>> HTH
>> Jan

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
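As an added example (not code from the thread or from Samba), the two checks this thread turns on and the consolidation plan from the 25 Nov post, in Python: it flags posix groups in ou=group that share a gidNumber with a mapping in ou=smb_groups, flags two groups assigned the same sambaSID (the Domain Users / Domain Guests mistake above), and, once SIDs are unique, emits LDIF that renames the posix entry to the mapped name, copies the mapping attributes onto it (sambaSID plus sambaGroupType, which the sambaGroupMapping objectClass requires) and deletes the old ou=smb_groups entry. The entries, the base DN o=example and the SIDs are constructed; nothing here contacts a directory.

```python
"""Consolidate Samba LDAP group mappings (added example, not from the thread).
Entries are plain dicts standing in for LDAP results; no directory is contacted."""
from collections import defaultdict

# Constructed sample: the posix group in ou=group and its mapping in ou=smb_groups
# share gidNumber 10001 (the duplicate Samba 3.4.x trips over), and Domain Guests
# was given the Domain Users SID (the mistake described in the top post).
SAMPLE = [
    {"dn": "cn=smb_domadmins,ou=group,o=example", "cn": "smb_domadmins",
     "gidNumber": "10001"},
    {"dn": "cn=Domain Administrators,ou=smb_groups,o=example",
     "cn": "Domain Administrators", "gidNumber": "10001",
     "sambaSID": "S-1-5-21-1-2-3-512", "sambaGroupType": "2"},
    {"dn": "cn=Domain Users,ou=smb_groups,o=example", "cn": "Domain Users",
     "gidNumber": "10002", "sambaSID": "S-1-5-21-1-2-3-513", "sambaGroupType": "2"},
    {"dn": "cn=Domain Guests,ou=smb_groups,o=example", "cn": "Domain Guests",
     "gidNumber": "10003", "sambaSID": "S-1-5-21-1-2-3-513", "sambaGroupType": "2"},
]

def find_conflicts(entries):
    """Return ({gidNumber: [dn...]}, {sambaSID: [dn...]}) for values used more than once."""
    by_gid, by_sid = defaultdict(list), defaultdict(list)
    for e in entries:
        by_gid[e["gidNumber"]].append(e["dn"])
        if "sambaSID" in e:
            by_sid[e["sambaSID"]].append(e["dn"])
    dups = lambda d: {k: v for k, v in d.items() if len(v) > 1}
    return dups(by_gid), dups(by_sid)

def consolidation_ldif(entries, posix_ou="ou=group", map_ou="ou=smb_groups"):
    """LDIF implementing the thread's plan: rename the posix entry to the mapped
    name, copy the mapping attributes onto it, delete the old mapping entry.
    Afterwards smb.conf on the 3.0.x servers needs 'ldap group suffix = ou=group'."""
    dup_sids = find_conflicts(entries)[1]
    if dup_sids:
        raise ValueError(f"duplicate sambaSID values, fix these first: {dup_sids}")
    maps = {e["gidNumber"]: e for e in entries if f",{map_ou}," in e["dn"]}
    out = []
    for p in (e for e in entries if f",{posix_ou}," in e["dn"]):
        m = maps.get(p["gidNumber"])
        if m is None:           # plain unix group without a Windows mapping: untouched
            continue
        base = p["dn"].split(",", 1)[1]
        out.append(f"dn: {p['dn']}\nchangetype: modrdn\nnewrdn: cn={m['cn']}\ndeleteoldrdn: 1\n")
        out.append(f"dn: cn={m['cn']},{base}\nchangetype: modify\nadd: objectClass\n"
                   f"objectClass: sambaGroupMapping\n-\nadd: sambaSID\nsambaSID: {m['sambaSID']}\n-\n"
                   f"add: sambaGroupType\nsambaGroupType: {m['sambaGroupType']}\n")
        out.append(f"dn: {m['dn']}\nchangetype: delete\n")
    return "\n".join(out)
```

Run find_conflicts over a real export first; the generated LDIF can then be reviewed and fed to ldapmodify against a test copy of the directory before touching production.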