From: Jason Gerfen on
Here is a document and perl script I developed to resolve UID to SID
mappings in Samba Active Directory authentication.

http://zerointeger.tumblr.com/post/589762841/samba-and-active-directory

Let me know if that helps any.

On 07/26/10 07:01, Danilo Godec wrote:
> Got a problem after upgrading Samba from 3.0 to 3.5 - have a bunch of
> users and groups in LDAP and things work for the most part.
>
> However, when people try to change permissions from within Windows, some
> usernames or groupnames are shown properly, but others are not - they see
> the SID.
>
> Following up, I noticed that I can get a list of all users with 'wbinfo
> -u' and that I can get a SID for every user with 'wbinfo -n $USER'.
>
> However, for about 70% of all SIDs listed a 'reverse lookup' with 'wbinfo
> -s $SID' doesn't work:
>
>
>> S-1-5-21-239950015-4237961228-1280988766-3060 Could not lookup sid
>> S-1-5-21-239950015-4237961228-1280988766-3060
>>
> It works for some and it turns out that this relates to what usernames
> are visible in Windows...
>
> I checked my LDAP and compared some of the users that work to some of
> those that don't, but there are no apparent differences.
>
> Any ideas?
>
> Regards, Danilo

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Danilo Godec on
While my situation is a bit different (no AD server, Samba is PDC for
the domain, using OpenLDAP for users, groups, ...), I tried running your
Perl script in 'Wizard' mode, but it fails (using perl 5.8.3):

# ./UID2SID.pl
syntax error at ./UID2SID.pl line 204, near "= ;"
syntax error at ./UID2SID.pl line 239, near "= ;"
syntax error at ./UID2SID.pl line 380, near "= ;"
syntax error at ./UID2SID.pl line 404, near "= ) "
syntax error at ./UID2SID.pl line 410, near "}"
Execution of ./UID2SID.pl aborted due to compilation errors.

Regards, Danilo




On 26. 07. 2010 15:54, Jason Gerfen wrote:
> Here is a document and perl script I developed to resolve UID to SID
> mappings in Samba Active Directory authentication.
>
> http://zerointeger.tumblr.com/post/589762841/samba-and-active-directory
>
> Let me know if that helps any.


--
Danilo Godec, system administration

Visit our updated web page at www.agenda.si

OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE : TRAINING : SOFTWARE

From: Jason Gerfen on
My apologies...

Here is a working copy as an attachment. I will also fix the blog post I
have up about it.

Keep in mind it does require a couple of tools installed to function
properly, i.e.:
  wbinfo
  ldapsearch
  ldapmodify

Also a note on how it works. It uses wbinfo to detect any account in
Active Directory which does not have the unix extension properties for
the uid, gid, default shell and homedir, as well as any DN attribute which
uses first name last name (DN=first last,CN=Users), which seems to cause
problems with the UID 2 SID verification process, and modifies only
those accounts.

Using 'wizard' mode will allow you to test it on one account, and once
that works you can specify an OU within Active Directory and this will
perform the operations on any account which fails the UID 2 SID
verification.

Let me know if you experience any problems with it.

On 07/27/10 02:29, Danilo Godec wrote:
> While my situation is a bit different (no AD server, Samba is PDC for
> the domain, using OpenLDAP for users, groups, ...), I tried running your
> Perl script in 'Wizard' mode, but it fails (using perl 5.8.3):
>
> # ./UID2SID.pl
> syntax error at ./UID2SID.pl line 204, near "= ;"
> syntax error at ./UID2SID.pl line 239, near "= ;"
> syntax error at ./UID2SID.pl line 380, near "= ;"
> syntax error at ./UID2SID.pl line 404, near "= ) "
> syntax error at ./UID2SID.pl line 410, near "}"
> Execution of ./UID2SID.pl aborted due to compilation errors.
>
> Regards, Danilo

From: Danilo Godec on
Well, I still had a problem running your script - didn't quite know how to
specify the server and other parameters...

But it was a starting point - it led me to install the latest
'smbldap-tools' and using those I added a 'test' user. Then I compared the
LDAP entries of the newly created user to old users and noticed that old
users are missing a couple of 'objectClass' statements:

> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> objectClass: shadowAccount

vs.

> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount

I added missing objectClass-es to all users and as it seems everything
works well now.


Thanks, Danilo

PS: I guess I'll have to update the LDAP Account Manager too...


On 27. 07. 2010 15:16, Jason Gerfen wrote:
> My apologies...
>
> Here is a working copy as an attachment. I will also fix the blog post
> I have up about it.
>
> Keep in mind it does require a couple of tools installed to function
> properly.
> i.e.
> wbinfo
> ldapsearch
> ldapmodify
>
> Also a note on how it works. It uses wbinfo to detect any account in
> active directory which does not have the unix extension properties for
> the uid,gid,default shell, homedir, as well as any DN attribute which
> uses first name last name, (DN=first last,CN=Users) which seems to
> cause problems with the UID 2 SID verification process, and modifies
> only those accounts.
>
> Using 'wizard' mode will allow you to test it on one account and once
> that works you can specify a OU within Active Directory and this will
> perform the operations on any account which fails the UID 2 SID
> verification.
>
> Let me know if you experience any problems with it.


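The comparison Danilo did by hand (old entries missing top, person and organizationalPerson next to the entry smbldap-tools created) can be done over a whole directory export. The following is an added example, not code from the thread or from the UID2SID.pl script: it parses LDIF as produced by `ldapsearch -LLL ... dn objectClass`, reports every entry whose objectClass set lacks something from the reference set seen on the working 'test' user, and builds the `changetype: modify` LDIF that ldapmodify would apply. The reference set and the sample LDIF are constructed from the values quoted in the thread; the DNs under dc=example,dc=com are assumptions.

```python
"""Report LDAP user entries with missing objectClass values and emit an LDIF fix.

Added example for the samba-list thread; not part of UID2SID.pl.
Assumes input in the LDIF shape of `ldapsearch -LLL -b <base> objectClass=posixAccount dn objectClass`.
"""
import base64
import re
import sys

# Reference objectClass set: the classes smbldap-tools put on the working 'test' user.
REFERENCE_OBJECT_CLASSES = (
    "top", "person", "organizationalPerson", "inetOrgPerson",
    "posixAccount", "shadowAccount", "sambaSamAccount",
)

# Constructed sample: one entry shaped like the old, broken users and one like
# the smbldap-tools-created user. DNs are made up for the example.
SAMPLE_LDIF = """\
dn: uid=olduser,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: shadowAccount

dn: uid=test,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
"""


def parse_ldif(text):
    """Return a list of (dn, [objectClass values]) from LDIF text.

    Handles RFC 2849 line folding (continuation lines start with a space),
    comment lines, and base64 values written with a double colon.
    """
    entries = []
    dn, classes = None, []
    unfolded = re.sub(r"\n ", "", text)      # join folded continuation lines
    for line in unfolded.splitlines():
        line = line.rstrip("\r")
        if not line:                         # blank line ends an entry
            if dn is not None:
                entries.append((dn, classes))
            dn, classes = None, []
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "objectclass":
            classes.append(value)
    if dn is not None:                       # flush a final entry with no trailing blank line
        entries.append((dn, classes))
    return entries


def missing_classes(classes, reference=REFERENCE_OBJECT_CLASSES):
    """objectClass values are case-insensitive in LDAP, so compare lower-cased."""
    have = {c.lower() for c in classes}
    return [c for c in reference if c.lower() not in have]


def find_incomplete(ldif_text, reference=REFERENCE_OBJECT_CLASSES):
    """Map each DN lacking reference classes to the list of classes it is missing."""
    incomplete = {}
    for dn, classes in parse_ldif(ldif_text):
        missing = missing_classes(classes, reference)
        if missing:
            incomplete[dn] = missing
    return incomplete


def ldif_modify(incomplete):
    """Build a changetype: modify document that ldapmodify can apply to add the missing classes."""
    chunks = []
    for dn, missing in incomplete.items():
        lines = [f"dn: {dn}", "changetype: modify", "add: objectClass"]
        lines += [f"objectClass: {c}" for c in missing]
        lines.append("-")
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


if __name__ == "__main__":
    # Pipe ldapsearch output in, or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    sys.stdout.write(ldif_modify(find_incomplete(text)))
```

Review the generated LDIF before feeding it to ldapmodify; the script adds classes but never removes anything, and an entry that is missing a class for a reason other than the one in this thread (a service account deliberately without sambaSamAccount, say) would be flagged too.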