 bobloblian 12-30-2010 06:21 PM

Ubuntu workstations connect to Samba PDC but get no group permissions

Greetings,

The current situation:
There is a Samba PDC with ~50 XP workstations, all working fine for the last two years.

The goal:
Cycle older hardware back into production by installing ubuntu on them. These workstations must authenticate against the domain, and must automatically mount a public, a user, and a department share that contains folders with various group permissions.

Since the office where this LAN is located is closed for the next week or so, the Ubuntu workstation I am testing with is connecting via a site-to-site VPN. This is soon to be mandated as a requirement anyway, so if not done now it will have to be done later. I mention this since it *may* be something that could be interfering with the success of my mission; however, given what does work, I do not think this is my culprit.

What does work:
Thanks to winbind, I can log into the Ubuntu workstation via gdm with my domain credentials, and thanks to pam_mount my shares do mount correctly. I take this to mean my PAM conf files are correct, along with nsswitch.conf.
wbinfo -p, -a, -t, and -u work on the workstation. getent passwd returns DOM\users.list.
wbinfo -p, -t, -Y, -S, -G, -n, -s, etc. all work on the PDC. getent passwd returns a list from /etc/passwd and getent group returns a list from /etc/group.
A remotely controlled windows workstation on the lan works as expected.

What doesn't work:
wbinfo -g does not work on the Ubuntu workstation or the PDC; there is no error, but it returns no information. On the workstation, the domain user, once logged in, is put into a primary group of DOM\none and is assigned 3 gids, but I can use wbinfo -G, -Y, -n, etc. to query information about these groups on both the PDC and the workstation.
ls -al of the Department folder shows the group ownership of the directories as DOM\none.
It appears that winbind is not able to parse the group permissions at all, not for the user, nor for the folders.

The hope:
The hope is that someone can say that this problem of group permissions not being recognized has a typical cause (though several hours/days of Google searching has revealed no such thing). However, I can provide a great deal of supporting information, as I have gone through documentation and testing extensively (though not extensively enough, apparently). For my own sanity, I put most things I tried into a text document so I could review it and look for errors in judgment; that doc ended up being some 1500 lines long, and doesn't include conf files. Rather than flooding this post, if someone is up for reviewing it, I can definitely make it and further supporting info available...

 bobloblian 12-31-2010 10:48 PM

How does this work?!?:

root@TEST1:~# groups DOM\\bob.miller
DOM\bob.miller : DOM\none groups: cannot find name for group ID 15004
15004 groups: cannot find name for group ID 15005
15005 groups: cannot find name for group ID 15006
15006
root@TEST1:~# wbinfo -G 15004
S-1-5-21-2066334203-143606298-2185948517-1023
root@TEST1:~# i=$(wbinfo -G 15004); wbinfo -s$i
DOM\accpac 4
root@TEST1:~# i=$(wbinfo -G 15005); wbinfo -s$i
DOM\public 4
root@TEST1:~# i=$(wbinfo -G 15006); wbinfo -s$i
DOM\it 4

Seems I can get the group name just fine.

How can it be that I can query the winbind server about a group, get its gid, sid, and name, yet wbinfo -g cannot enumerate the groups?
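The manual gid -> SID -> name lookups above, turned into a repeatable check. This is an added diagnostic, not the poster's own script: for every gid the client assigns to a domain user it asks winbind directly (wbinfo -G, then wbinfo -s) and compares that with what the NSS layer returns (getent group), so a gid that winbind can resolve but NSS cannot, the "cannot find name for group ID" symptom, is flagged. It assumes winbind is running and wbinfo, getent and id are in PATH.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread). Assumes a running winbind
# and that wbinfo, getent and id are available on the client.

# check_gid GID: prints "GID: winbind=NAME nss=NAME"; returns 1 when winbind
# has no SID for the gid or when NSS cannot name a gid winbind resolves.
check_gid() {
    gid="$1"
    sid=$(wbinfo -G "$gid" 2>/dev/null) || {
        printf '%s\n' "$gid: no SID in idmap"
        return 1
    }
    # wbinfo -s prints "DOM\name <type>"; drop the trailing type number
    name=$(wbinfo -s "$sid" 2>/dev/null | sed 's/ [0-9][0-9]*$//')
    # what the NSS side (nsswitch.conf -> winbind) says for the same gid
    nss=$(getent group "$gid" 2>/dev/null | cut -d: -f1)
    if [ -z "$nss" ]; then
        printf '%s\n' "$gid: winbind=${name:-?} nss=MISSING"
        return 1
    fi
    printf '%s\n' "$gid: winbind=${name:-?} nss=$nss"
}

# check_user USER: runs check_gid over every gid of USER (e.g. 'DOM\bob.miller');
# the return value is the number of gids that failed the check.
check_user() {
    bad=0
    for gid in $(id -G "$1" 2>/dev/null); do
        check_gid "$gid" || bad=$((bad + 1))
    done
    return "$bad"
}

if [ -n "$1" ]; then
    check_user "$1"
fi
```

Run it as `sh check_idmap.sh 'DOM\bob.miller'`; a non-zero exit means the client's NSS view of the groups disagrees with winbind's idmap.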

 bobloblian 01-05-2011 03:01 PM

I was able to get through the wbinfo -g issue by rebuilding the entire idmap. I did this by renaming related tdb files, and running net sam mapunixgroup for all the groups/mappings I needed to "recreate". This now has it so that my group gids and memberships are reporting correctly (mostly).
I am using pam_mount to automatically mount the samba shares on log on. One share has a number of folders whose permissions are governed by file system group ownerships. On the server, they look like so:

d---rws--- 14 root accpac 4096 2010-12-29 13:22 Finance
d---rws--- 9 root it 4096 2011-01-04 23:10 IT

When I log into the ubuntu workstation, the share mounts fine, but I get permissions like this:

d---rws--- 14 DOM\bob.miller DOM\none 0 2010-12-29 13:22 Finance
d---rws--- 9 DOM\bob.miller DOM\none 0 2011-01-04 23:10 IT

So it would seem that pam_mount is pulling the correct permissions (d---rws---) but the wrong group ownership.

So far I have not discovered a google search string that enlightens me as to what needs to be done, any suggestions?

 bobloblian 01-08-2011 04:32 PM

The solution here is to use the noperm option when mounting the share.
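Where that option goes, as an added example that is not from the thread: a pam_mount volume entry for the department share. The server name, share name and mount point are assumed. noperm only stops the CIFS client from checking permissions locally against the uid/gid it has mapped (the DOM\none it was showing); the Samba server still applies the real group ACLs against the account used at mount time, which is the check that actually protects the Finance and IT folders. Because the client no longer checks, pair it with nosuid,nodev and keep the mount under the user's own home.

```xml
<!-- /etc/security/pam_mount.conf.xml, added example (not from the thread).
     pdc.example.lan, the "Department" share and ~/Department are assumed. -->
<volume user="*" fstype="cifs"
        server="pdc.example.lan" path="Department"
        mountpoint="~/Department"
        options="noperm,sec=ntlmv2,nosuid,nodev" />
```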
