ubuntu workstations connects to samba pdc but gets no group permissions
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
ubuntu workstations connects to samba pdc but gets no group permissions
Greetings,
The current situation:
there is a samba PDC with ~50 XP workstations, all working fine for the last two years.
The goal:
Cycle older hardware back into production by installing ubuntu on them. These workstations must authenticate against the domain, and must automatically mount a public, a user, and a department share that contains folders with various group permissions.
The added challenge:
Since the office where this lan is located is closed for the next week or so, the ubuntu workstation I am testing with is connecting via a site-to-site VPN. This is soon to be mandated as a requirement anyway, so if not done now it will have to be done later anyway. I mention this since it *may* be something that could be interfering with the success of my mission, however, given what does work, I do not think this is my culprit.
What does work:
Thanks to winbind, I can log into the ubuntu workstation via gdm with my domain credentials, and thanks to pam_mount my shares do mount correctly. I take this to mean my pam conf files are correct, along with nsswitch.conf.
wbinfo -p, -a, -t, and -u work on the workstation. getent passwd returns DOM\users.list
wbinfo -p, -t, -Y, -S, -G, -n, -s, etc, all work on the PDC. getent passwd returns a list from /etc/passwd and getent group returns a list from /etc/group.
A remotely controlled windows workstation on the lan works as expected.
What doesn't work:
wbinfo -g does not work on the ubuntu workstation or the PDC, there is no error, but they return no information. On the workstation, the domain user once logged in is put into a primary group of DOM\none, and is assigned 3 gids, but I can use wbinfo -G, -Y, -n, etc to query information about these groups on both PDC and workstation.
ls -al of the Department folder shows the group ownership of the directories as DOM\none.
It appears that winbind is not able to parse the group permissions at all, not for the user, nor for the folders.
The hope:
is that someone can say that this problem of group permissions not being recognized has a typical cause (though several hours/days of google searching has revealed no such thing). However, I can provide a great deal of supporting information, as I have gone through documentation and testing extensively (though not extensively enough, apparently). For my own sanity, I put most things I tried into a text document so I could review it and look for errors in judgment, that doc ended up being some 1500 lines long, and doesn't include conf files. Rather than flooding this post, if someone is up for reviewing it, I can definitely make it and further supporting info available...
root@TEST1:~# groups DOM\\bob.miller
DOM\bob.miller : DOM\none groups: cannot find name for group ID 15004
15004 groups: cannot find name for group ID 15005
15005 groups: cannot find name for group ID 15006
15006
root@TEST1:~# wbinfo -G 15004
S-1-5-21-2066334203-143606298-2185948517-1023
root@TEST1:~# i=$(wbinfo -G 15004); wbinfo -s $i
DOM\accpac 4
root@TEST1:~# i=$(wbinfo -G 15005); wbinfo -s $i
DOM\public 4
root@TEST1:~# i=$(wbinfo -G 15006); wbinfo -s $i
DOM\it 4
Seems I can get the group name just fine.
How can it be that I can query the winbind server for about a group, get its gid, sid, and name, yet wbinfo -g cannot enumerate the groups?
I was able to get through the wbinfo -g issue by rebuilding the entire idmap. I did this by renaming related tdb files, and running `net sam mapunixgroup` for all the groups/mappings I needed to "recreate". This now has it so that my group gids and memberships are reporting correctly (mostly).
I am using pam_mount to automatically mount the samba shares on log on. One share has a number of folders whose permissions are governed by file system group ownerships. On the server, they look like so:
d---rws--- 14 root accpac 4096 2010-12-29 13:22 Finance
d---rws--- 9 root it 4096 2011-01-04 23:10 IT
When I log into the ubuntu workstation, the share mounts fine, but I get permissions like this:
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
