ubuntu workstations connects to samba pdc but gets no group permissions
(LinuxQuestions.org, Linux - Server forum)

12-30-2010, 06:21 PM #1 bobloblian (LQ Newbie, Registered: Dec 2008, Location: Yukon, Canada, Distribution: Debian/Ubuntu, Posts: 20)

Greetings,

The current situation: there is a samba PDC with ~50 XP workstations, all working fine for the last two years.

The goal: Cycle older hardware back into production by installing ubuntu on them. These workstations must authenticate against the domain, and must automatically mount a public, a user, and a department share that contains folders with various group permissions.

The added challenge: Since the office where this lan is located is closed for the next week or so, the ubuntu workstation I am testing with is connecting via a site-to-site VPN. This is soon to be mandated as a requirement anyway, so if not done now it will have to be done later anyway. I mention this since it *may* be something that could be interfering with the success of my mission, however, given what does work, I do not think this is my culprit.

What does work: Thanks to winbind, I can log into the ubuntu workstation via gdm with my domain credentials, and thanks to pam_mount my shares do mount correctly. I take this to mean my pam conf files are correct, along with nsswitch.conf.

wbinfo -p, -a, -t, and -u work on the workstation. getent passwd returns DOM\users.list

wbinfo -p, -t, -Y, -S, -G, -n, -s, etc, all work on the PDC. getent passwd returns a list from /etc/passwd and getent group returns a list from /etc/group.

A remotely controlled windows workstation on the lan works as expected.

What doesn't work: wbinfo -g does not work on the ubuntu workstation or the PDC, there is no error, but they return no information. On the workstation, the domain user once logged in is put into a primary group of DOM\none, and is assigned 3 gids, but I can use wbinfo -G, -Y, -n, etc to query information about these groups on both PDC and workstation.

ls -al of the Department folder shows the group ownership of the directories as DOM\none. It appears that winbind is not able to parse the group permissions at all, not for the user, nor for the folders.

The hope: is that someone can say that this problem of group permissions not being recognized has a typical cause (though several hours/days of google searching has revealed no such thing). However, I can provide a great deal of supporting information, as I have gone through documentation and testing extensively (though not extensively enough, apparently). For my own sanity, I put most things I tried into a text document so I could review it and look for errors in judgment, that doc ended up being some 1500 lines long, and doesn't include conf files. Rather than flooding this post, if someone is up for reviewing it, I can definitely make it and further supporting info available...

12-31-2010, 10:48 PM #2 bobloblian (Original Poster)

How does this work?!?:

root@TEST1:~# groups DOM\\bob.miller
DOM\bob.miller : DOM\none groups: cannot find name for group ID 15004
15004 groups: cannot find name for group ID 15005
15005 groups: cannot find name for group ID 15006
15006
root@TEST1:~# wbinfo -G 15004
S-1-5-21-2066334203-143606298-2185948517-1023
root@TEST1:~# i=$(wbinfo -G 15004); wbinfo -s$i
DOM\accpac 4
root@TEST1:~# i=$(wbinfo -G 15005); wbinfo -s$i
DOM\public 4
root@TEST1:~# i=$(wbinfo -G 15006); wbinfo -s$i
DOM\it 4

Seems I can get the group name just fine. How can it be that I can query the winbind server about a group, get its gid, sid, and name, yet wbinfo -g cannot enumerate the groups?

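
The manual check from the post above (GID to SID to name via wbinfo, compared with what NSS resolves), scripted as an added example that is not part of the original thread. The function names are hypothetical, and it assumes `getent`, `id` and `wbinfo` are on the PATH.

```shell
#!/bin/sh
# Added example: classify each GID a user holds as resolvable through NSS,
# resolvable only by asking winbind directly, or not mapped at all.
# Function names are hypothetical, not from the thread.

# NSS lookup (what `groups` and `ls -l` rely on); prints nothing if unresolved.
resolve_nss() {
    getent group "$1" 2>/dev/null | cut -d: -f1
}

# Direct winbind lookup: GID -> SID -> name, the same two steps as in the post.
# `wbinfo -s` prints "NAME TYPE"; the trailing numeric type is dropped.
resolve_winbind() {
    sid=$(wbinfo -G "$1" 2>/dev/null) || return 1
    wbinfo -s "$sid" 2>/dev/null | sed 's/ [0-9][0-9]*$//'
}

# Prints nss:<name>, winbind-only:<name>, or unmapped for one GID.
classify_gid() {
    name=$(resolve_nss "$1") || name=""
    if [ -n "$name" ]; then
        printf 'nss:%s\n' "$name"
        return 0
    fi
    name=$(resolve_winbind "$1") || name=""
    if [ -n "$name" ]; then
        printf 'winbind-only:%s\n' "$name"
    else
        printf 'unmapped\n'
    fi
}

# One "GID<TAB>result" line per GID; returns 1 if any GID fails NSS resolution.
audit_user() {
    rc=0
    for gid in $(id -G "$1"); do
        result=$(classify_gid "$gid")
        printf '%s\t%s\n' "$gid" "$result"
        case $result in nss:*) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Usage: sh script.sh 'DOM\bob.miller'
if [ "$#" -gt 0 ]; then
    audit_user "$1"
fi
```

A `winbind-only` result matches the symptom in this post: the mapping exists in winbind, but NSS cannot turn the GID into a group name.
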
01-05-2011, 03:01 PM #3 bobloblian (Original Poster)

I was able to get through the wbinfo -g issue by rebuilding the entire idmap. I did this by renaming related tdb files, and running net sam mapunixgroup for all the groups/mappings I needed to "recreate". This now has it so that my group gids and memberships are reporting correctly (mostly).

I am using pam_mount to automatically mount the samba shares on log on. One share has a number of folders whose permissions are governed by file system group ownerships. On the server, they look like so:

d---rws--- 14 root accpac 4096 2010-12-29 13:22 Finance
d---rws--- 9 root it 4096 2011-01-04 23:10 IT

When I log into the ubuntu workstation, the share mounts fine, but I get permissions like this:

d---rws--- 14 DOM\bob.miller DOM\none 0 2010-12-29 13:22 Finance
d---rws--- 9 DOM\bob.miller DOM\none 0 2011-01-04 23:10 IT

so it would seem that pam_mount is pulling the correct permissions (d---rws---) but the wrong group ownership. So far I have not discovered a google search string that enlightens me as to what needs to be done, any suggestions?

01-08-2011, 04:32 PM #4 bobloblian (Original Poster)

The solution here is to use the noperm option when mounting the share.