
havok1977 05-05-2009 11:06 PM

Samba + LDAP server issues with group memberships
Hello everyone,

After a bit of effort I managed to get a CentOS 5.3 server up and running to act as a PDC on a LAN. All the users can log in properly and the XP machines have been successfully added to the directory. Roaming profiles work fine and of course shares are up and available.

The only two remaining issues are: root has been aliased with Administrator on the Domain and while this account is able to perform all tasks on the server side, it doesn't have all privileges on the XP clients.

To address this I'm trying to add the user to the "Domain Admins" group on the server, but ran into this:


[root@gonzales ~]# net rpc group
Domain Admins
Domain Users
Domain Guests
Domain Computers
[root@gonzales ~]# net rpc group ADDMEM Domain\ Admins root
Could not add root to Domain Admins: NT_STATUS_NO_SUCH_GROUP

What gives? I don't understand why I first get confirmation that the group does exist and then, when adding the user to it, Samba complains the group doesn't exist.

Relevant lines of config:


# Specifying ldapsam backend database
        passdb backend = ldapsam:ldap://
        username map = /etc/samba/smbusers
# OpenLDAP stuff is defined here
        ldap suffix = dc=XXXXX,dc=com,dc=au
        ldap machine suffix = ou=machines
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=People
        ldap admin dn = cn=root,dc=XXXXX,dc=com,dc=au
        ldap ssl = no
        ldap passwd sync = Yes
        idmap uid = 10000-20000
        idmap gid = 500-20000
#      ldap ssl = start_tls

Any help will be greatly appreciated.

havok1977 05-06-2009 12:35 AM

Doh! I forgot about the smbldap scripts for managing the database! Using them I can finally make the appropriate queries and changes; but here's the thing: root already belonged to the "Domain Admins" group and yet on the XP clients it still doesn't have all the privileges.

Check it out:


[root@gonzales smbldap-tools]# smbldap-groupshow "Domain Admins"
dn: cn=Domain Admins,ou=Groups,dc=XXXXX,dc=com,dc=au
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-1659004503-1604221776-682003330-512
sambaGroupType: 2
displayName: Domain Admins
[root@gonzales smbldap-tools]# smbldap-groupmod -m root "Domain Admins"
User root already in the group

Am I missing anything else that has to be done/checked?

chitambira 05-06-2009 06:59 AM

Group policy settings.
