Hi All,

I have a problem following the migration of my PDC's backend from tdbsam to LDAP. We started out with a PDC called SMB1 which ran with a tdbsam backend. I used pdbedit to convert it to LDAP and built a new server onto which the LDIF file was loaded. Samba was then set up to use the LDAP server as a backend. So far so good, Samba runs against LDAP and I was able to add 60 new XP client machines to the network without any problems.

The problem starts however when trying to access Samba domain member servers that have been connected since the PDC upgrade. I go through the process of adding the servers to the domain by setting the domain SID on the member server using setdomainsid and using net rpc join -U admin -S SMB5 to join the domain. The latter command brings up "joined domain BGS" and after restarting samba and winbind, wbinfo -u and wbinfo -g both return correct lists of users and groups. getent passwd and getent group both return full lists of users and groups from the UNIX/LDAP side, suggesting that nss and pam are successfully communicating with smb5.

The problems start when trying to access shares configured on the member server. If the ownership of the file is set to testuser, who is a member of the pupils group, testuser can access it. If the owner is set to admin and the file is grouped to pupils, no-one in the pupils group can access it even with the group perms set to rwx.

I suspect that, as owners/users can access shares but groups can't, group mapping is stuffed. My questions are therefore as follows.

1) Can I set up smb.conf on member servers to access LDAP directly and abandon winbind? I have two additional separate networks/NT domains accessing the net via an NTLM_AUTH authenticated squid proxy so I don't know how this will affect them.

2) The domain SID and machine SID on the PDC are the same. Is this correct? winbind on the PDC returns "error looking up domain users". I'm quite restricted in what I can try as I have 300 people accessing their shares on the PDC and don't want to make things any worse than they are.

3) net groupmap on the member servers creates a mapping between NT domain and UNIX users but the SIDs are local domain SIDs and group permissions seem to fail. Should the SIDs in groupmap be local or domain?

Basically, I'm getting confused. Everything worked fine on tdbsam backends and I need help and clarification.

Cheers,
jools
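A small diagnostic for question 3, added here as an example and not part of the original post or of the Samba project's own tooling: it classifies each line of a `net groupmap list` listing by whether the group SID carries the member server's domain SID as its prefix. A mapping whose SID belongs to a different domain (or to the machine's own local SID) will never match the group SIDs the PDC places in a user's token, so the UNIX group permission is not applied even though the owner permission still works. The script assumes the `<NT group> (<SID>) -> <unix group>` line format of `net groupmap list`; the domain SID and the listing below are constructed sample data, and the only function that touches the live `net` command is `check_live_server`, which is not invoked by default.

```shell
#!/bin/sh
# Added example (not from the original post): check that every entry in
# a `net groupmap list` listing uses the member server's domain SID as
# its prefix. Assumption: lines look like
#   <NT group name> (<SID>) -> <unix group>

# Strip the trailing RID from a SID:
#   S-1-5-21-a-b-c-512 -> S-1-5-21-a-b-c
sid_prefix() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Classify each groupmap line read from stdin against the domain SID in
# $1. Prints OK, FOREIGN or UNPARSED followed by the original line.
classify_groupmap() {
    dom_sid=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        sid=$(printf '%s\n' "$line" | sed -n 's/.*(\(S-[0-9-]*\)).*/\1/p')
        if [ -z "$sid" ]; then
            printf 'UNPARSED %s\n' "$line"
        elif [ "$(sid_prefix "$sid")" = "$dom_sid" ]; then
            printf 'OK %s\n' "$line"
        else
            printf 'FOREIGN %s\n' "$line"
        fi
    done
}

# Count the mappings that do not belong to the domain.
# $1 = domain SID, $2 = groupmap listing as a string. Prints the count.
count_foreign_mappings() {
    printf '%s\n' "$2" | classify_groupmap "$1" \
        | awk '/^FOREIGN/ { n++ } END { print n + 0 }'
}

# On a real member server: pass the domain SID (as reported by
# `net getdomainsid`) and pipe the live listing through the classifier.
# Not called here, so the script runs offline.
check_live_server() {
    net groupmap list | classify_groupmap "$1"
}

# Constructed sample data (not real output). The "pupils" mapping carries
# a SID from a different domain, which is the failure mode under discussion.
SAMPLE_DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> admin
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
pupils (S-1-5-21-4444444444-5555555555-6666666666-1005) -> pupils'

# Demo run over the sample listing; on a member server use
#   check_live_server "<domain SID>"
printf '%s\n' "$SAMPLE_GROUPMAP" | classify_groupmap "$SAMPLE_DOMAIN_SID"
echo "foreign mappings: $(count_foreign_mappings "$SAMPLE_DOMAIN_SID" "$SAMPLE_GROUPMAP")"
```

Any line reported as FOREIGN is a mapping the PDC's tokens will not match; the fix on the member server is to recreate it with the domain group's SID rather than a locally generated one.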
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba