From: Gaiseric Vandal on 23 Nov 2009 22:10

On the assumption that Unix systems (solaris and linux) will not like spaces in names, I never created unix groups called "Domain Admins" and "Domain Users" etc. Instead I had created "smb_domadmins" and "smb_domusers" etc.

I don't know if Windows systems actually pay attention to the name of the group (e.g. "Domain Admins") or just the SID (e.g. S-1-5-21-****-512.) We would have a similar issue with a group like "Human Resources" but not with "Marketing."

On samba 3.0.x, setting the "ldap group suffix" parameter is honored. On Samba 3.4.x it seems to be ignored; instead samba seems to read the entire ldap tree (or at least from the "ldap suffix" parameter down.) "pdbedit -Lv Administrator" on samba 3.4 will then complain about duplicate entries:

BDC2# pdbedit -Lv Administrator
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: Administrator
ldapsam_getgroup: Duplicate entries for filter (&(objectClass=sambaGroupMapping)(gidNumber=512)): count=2

since in this case I have both of the following objects in ldap:

dn: cn=Domain Admins,ou=smb_groups,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: top
cn: Domain Admins
description: Domain Admins
displayName: Domain Admins
gidNumber: 512
sambaGroupType: 2
sambaSID: S-1-5-21-******-512

AND

dn: cn=smb_domadmins,ou=group,o=mydomain.com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: groupOfUniqueNames
cn: domadmins
description: domadmins
displayName: domadmins
gidNumber: 512
memberUid: Administrator
..
sambaGroupType: 2
sambaSID: ....

I also noticed the following:

Output from pdbedit on samba 3.4.x includes
ldapsam_getgroup

Output from pdbedit on samba 3.0.x includes
init_group_from_ldap

I am not sure if that is somehow related.

Thanks

-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal(a)gmail.com]
Sent: Monday, November 23, 2009 4:41 PM
To: samba(a)lists.samba.org
Subject: samba 3.4.3 DC breaks Windows groups

I have the following setup:

PDC: Samba 3.0.37 on Solaris 10
BDC1: Samba 3.0.37 on Solaris 10
BDC2: Samba 3.4.3 on Solaris 10

Samba 3.0.37 is the bundled version of Samba.
Samba 3.4.3 is compiled from source.

BDC2 is a recent addition to the network.

All machines use LDAP as the backend for everything. They use winbind to handle a domain trust with another domain, but it otherwise isn't needed.

On BDC2, users do not appear to be in any groups beyond Domain Users.

Group mapping seems OK on each DC.

BDC2# net groupmap list
Domain Admins (S-1-5-21-xxxxx-xxxxx-512) -> smb_domadmins
Domain Users (S-1-5-21-xxxxx-xxxxx-513) -> smb_domusers
Domain Guests (S-1-5-21-xxxxx-xxxxx9-514) -> smb_domguests
Domain Computers (S-1-5-21-xxxxx-xxxxx-515) -> smb_machines
Domain Controllers (S-1-5-21-xxxxx-xxxxx-516) -> smb_dc
Domain Certificate Admins (S-1-5-21-xxxxx-xxxxx-517) -> smb_domcertadmins
Builtin Admins (S-1-5-21-xxxxx-xxxxx-544) -> smb_admins
Builtin users (S-1-5-21-xxxxx-xxxxx-545) -> smb_users
Builtin Guests (S-1-5-21-xxxxx-xxxxx-546) -> smb_guests
Administrators (S-xxxx-544) -> xxxx
Users (S-xxxx-545) -> xxxx
BDC2#

The last two in the listing above were automatically created by winbind/idmap for a trusted domain.

Unix level group memberships are OK:

BDC2# groups Administrator
smb_domadmins smb_domusers
BDC2#

Windows/Samba level group memberships are not:

BDC2# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
BDC2#

BDC2# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
BDC2#

Same deal with regular users.

Note: Not all unix groups are mapped to Windows groups. However I believe all required "well known" windows groups are.

Ldap structure includes
ou=people
ou=group
ou=smb_groups (where samba stores group mappings, ldap objectClass=sambaGroupMapping)

You can verify which PDC or BDC is being used by a Windows client with the "echo %LOGONSERVER%" command.

If I logon as Domain Administrator to an XP or Win 2003 machine that is using BDC2, I will not have any Administrator privileges.

smb.conf includes
ldap group suffix = ou=smb_groups

(When I converted from tdb to ldap backend, I already had unix groups in ldap and wasn't sure how stuff would import. I don't think existing groups or group mappings imported so I had to manually retype the "net group map commands.")

The "Domain Admins" sambaGroupMapping does include Administrator as a member.

BDC2# net rpc group members "Domain Admins" -U Administrator -S PDC
MYDOMAIN\Administrator
MYDOMAIN\jsmith

BDC2# net rpc group members "Domain Admins" -U Administrator -S BDC2
Enter Administrator's password:
MYDOMAIN\Administrator
MYDOMAIN\jsmith

Thanks

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Gaiseric Vandal on 24 Nov 2009 11:40

I assume an index is not an actual LDAP attribute or object like sambaSID but is more like a database index for optimizing searches?

I use Sun's Directory Server (LDAP server) as the backend. I use Apache Directory Studio for managing objects and attributes within ldap. I should be able to use Sun's web-based console for creating the indexes.

Is there something I need to specify in smb.conf to tell Samba to use the index?

I also noticed that if I try to compile samba with Active Directory support, configure fails with

configure: error: Active Directory support requires ldap_initialize

Since sun has ldap client support included in the OS I do not have openldap installed. I don't need Active Directory but it makes me suspect that there may be some other ldap compatibility issues when using Sun ldap client vs Openldap client.

Thanks

On 11/24/09 04:33, Jan Wenzel wrote:
> Hi, you have to create a 'sub' index for sambaSID in your LDAP
> configuration. The way samba searches for groups has been changed with
> samba 3.2 and above.
>
> I think you also need to install the new schema to be able to create a
> sub index.
>
> Greetings
> Jan
From: Gaiseric Vandal on 25 Nov 2009 13:20

I added the index. (The Sun DS Admin guide has pretty simple instructions on doing this.) I also added some additional indexes as per the following
http://wiki.samba.org/index.php/2.0:_Configuring_LDAP

Unfortunately this did not resolve the problem.

It does look like I have the 3.0 schema installed. The samba source directory includes a 3.2 version, examples/LDAP/samba-schema-netscapeds5.x. (The Sun Directory server is derived from the Netscape DS.) I may try updating this off-hours.

Thanks

On 11/25/09 03:41, Jan Wenzel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Gaiseric Vandal schrieb:
>
>> I assume an index is not an actual LDAP attribute or object like
>> sambaSID but is more like a database index for optimizing searches?
>>
> You're right :) But in some cases like substring search (samba searches
> i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
> get results. I don't know where to configure the indexes exactly in SDS,
> but I'm sure it is possible.
>
>> I use Sun's Directory Server (LDAP server) as the backend. I use Apache
>> Directory Studio for managing objects and attributes within ldap. I
>> should be able to use Sun's web-based console for creating the indexes.
>>
>> Is there something I need to specify in smb.conf to tell Samba to use
>> the index?
>>
> Samba does not know anything about the configuration details of the LDAP
> server, it only talks LDAP - so it should instantly show groups when the
> index is present.
>
>> I also noticed that if I try to compile samba with Active Directory
>> support, configure fails with
>>
>> configure: error: Active Directory support requires ldap_initialize
>>
> I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
> you have a linux system).
>
>> Since sun has ldap client support included in the OS I do not have
>> openldap installed. I don't need Active Directory but it makes me
>> suspect that there may be some other ldap compatibility issues when
>> using Sun ldap client vs Openldap client.
>>
>> Thanks
>>
> HTH
> Jan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAksM7Z0ACgkQzaoFHMzBsBplVwCcCCaCYgq87CWuGmjxvpS/ox/k
> WdQAn19bryFfw+aWa7TMUZZCzU2UKHsN
> =4Old
> -----END PGP SIGNATURE-----
From: Gaiseric Vandal on 25 Nov 2009 22:10

I have done the following:

- Added index for sambaSID and other attributes as per the following
  http://wiki.samba.org/index.php/2.0:_Configuring_LDAP
- replaced the samba 3.0 schema file in my LDAP Server (Sun Directory Server) with the 3.2 version
- installed samba 3.4.3 packages from sun freeware to replace those I compiled from source.
- Reindexed with "dsconf reindex -h ldapserver -t sambaSID o=mydomain.com"

Unfortunately this did not resolve the group membership problem (i.e. a user account only appears to be in its primary group).

Querying the Samba 3.4.x BDC:

# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
#

Querying the Samba 3.0.x PDC:

# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
#

As far as I can tell from the comments at the top of each ldif file, the only change was the addition of sambaTrustedDomainPassword objectClasses.
From: Gaiseric Vandal on 25 Nov 2009 22:50

I think I have found the problem:

Samba 3.0.x looks for group mappings in the "ldap group suffix" param. On my systems this is "ldap group suffix = ou=smb_groups." Regular unix groups are just in ou=groups. Initially we had used NIS (then LDAP) for unix groups, and had used tdbsam for the samba account backend. Group mappings were also in tdb. When we moved to ldap backend, group mappings were imported into ou=smb_groups.

Samba 3.4.x reads thru the entire ldap tree. Since I have both "cn=Domain Administrators,ou=smb_groups" and "cn=smb_domadmins,ou=group" with the same gidNumber, group membership processing fails.

Therefore I think the solution will be to consolidate entries. For example:

- Replace "cn=smb_domadmins,ou=group" with "cn=Domain Administrators,ou=group"
- Copy the sambaSID from "cn=Domain Administrators,ou=smb_groups" to "cn=Domain Administrators,ou=group"
- Repeat for all the other mapped groups
- Update smb.conf on the 3.0.x servers to use "ldap group suffix = ou=group."

This is assuming of course that Solaris doesn't have problems with group names with spaces.
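The gidNumber collision this thread diagnoses, and the consolidation the last message proposes, as an added example that is not code from the list posters or from the Samba project. It parses a small constructed LDIF modelled on the two colliding entries (placeholder SIDs, made-up memberUid values), reports every gidNumber or sambaSID shared by more than one sambaGroupMapping entry, which is the condition behind "ldapsam_getgroup: Duplicate entries ... count=2", and builds the single merged entry under ou=group. It uses no LDAP client library so it runs offline; the merged LDIF would still have to be loaded into the directory with the site's own tools, and a collision with more than two entries or with no clear posixGroup side is refused rather than guessed.

```python
# Added example, not from the Samba project or the thread's posters.
from collections import defaultdict

# Constructed sample modelled on the two entries in the thread.  The SID is a
# placeholder, not a real domain SID; the memberUid values are made up.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=smb_groups,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
displayName: Domain Admins
gidNumber: 512
sambaGroupType: 2
sambaSID: S-1-5-21-PLACEHOLDER-512

dn: cn=smb_domadmins,ou=group,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: groupOfUniqueNames
cn: smb_domadmins
displayName: domadmins
gidNumber: 512
memberUid: Administrator
memberUid: jsmith
sambaGroupType: 2
sambaSID: S-1-5-21-PLACEHOLDER-512

dn: cn=smb_domusers,ou=group,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb_domusers
gidNumber: 513
memberUid: Administrator
sambaGroupType: 2
sambaSID: S-1-5-21-PLACEHOLDER-513
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value'
    per line, multi-valued attributes kept as lists.  No base64 or folding."""
    entries, attrs = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if attrs:
                entries.append(attrs)
            attrs = None
            continue
        key, _, value = line.partition(":")
        if key == "dn":
            attrs = {"dn": [value.strip()]}
        else:
            attrs.setdefault(key, []).append(value.strip())
    if attrs:
        entries.append(attrs)
    return entries

def find_collisions(entries, attr):
    """{value: [dn, ...]} for values of attr shared by more than one
    sambaGroupMapping entry; that is what makes Samba's lookup return count=2."""
    by_value = defaultdict(list)
    for e in entries:
        if "sambaGroupMapping" in e.get("objectClass", []):
            for v in e.get(attr, []):
                by_value[v].append(e["dn"][0])
    return {v: dns for v, dns in by_value.items() if len(dns) > 1}

def merge_mapping(posix, mapping):
    """Keep the entry that carries memberUid, take the Windows group name and
    sambaSID from the mapping-only entry, and place the dn under the same parent."""
    merged = {k: list(v) for k, v in posix.items()}
    name = mapping["cn"][0]
    merged["cn"], merged["displayName"] = [name], [name]
    merged["sambaSID"] = list(mapping["sambaSID"])
    merged["sambaGroupType"] = list(mapping["sambaGroupType"])
    merged["dn"] = ["cn=%s,%s" % (name, posix["dn"][0].split(",", 1)[1])]
    return merged

def consolidate(entries):
    """Replace each colliding pair with one merged entry so that the filter
    (&(objectClass=sambaGroupMapping)(gidNumber=N)) matches exactly once."""
    collisions = find_collisions(entries, "gidNumber")
    doomed = {dn for dns in collisions.values() for dn in dns}
    by_dn = {e["dn"][0]: e for e in entries}
    result = [e for e in entries if e["dn"][0] not in doomed]
    for gid, dns in collisions.items():
        pair = [by_dn[dn] for dn in dns]
        posix = [e for e in pair if "memberUid" in e]
        if len(pair) != 2 or len(posix) != 1:
            raise ValueError("gidNumber %s: %d entries, resolve by hand" % (gid, len(pair)))
        mapping = pair[0] if pair[1] is posix[0] else pair[1]
        result.append(merge_mapping(posix[0], mapping))
    return result

def to_ldif(entry):
    """Serialise one entry back to LDIF text."""
    lines = ["dn: " + entry["dn"][0]]
    lines += ["%s: %s" % (k, v) for k, vals in entry.items() if k != "dn" for v in vals]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("collisions:", find_collisions(entries, "gidNumber"))
    print("".join(to_ldif(e) + "\n" for e in consolidate(entries)))
```

Run against an export of ou=group and ou=smb_groups (ldapsearch output in plain LDIF works, provided no values are base64-encoded) the collision report is the check worth repeating after the clean-up: once every gidNumber and sambaSID appears on exactly one sambaGroupMapping entry, the 3.4.x duplicate-entry complaint has nothing left to trip on.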