Old 12-30-2010, 06:21 PM   #1
LQ Newbie
Registered: Dec 2008
Location: Yukon, Canada
Distribution: Debian/Ubuntu
Posts: 20

Rep: Reputation: 1
Ubuntu workstations connect to Samba PDC but get no group permissions


The current situation:
there is a samba PDC with ~50 XP workstations, all working fine for the last two years.

The goal:
Cycle older hardware back into production by installing ubuntu on them. These workstations must authenticate against the domain, and must automatically mount a public, a user, and a department share that contains folders with various group permissions.

The added challenge:
Since the office where this lan is located is closed for the next week or so, the ubuntu workstation I am testing with is connecting via a site-to-site VPN. This is soon to be mandated as a requirement anyway, so if not done now it will have to be done later anyway. I mention this since it *may* be something that could be interfering with the success of my mission, however, given what does work, I do not think this is my culprit.

What does work:
Thanks to winbind, I can log into the ubuntu workstation via gdm with my domain credentials, and thanks to pam_mount my shares do mount correctly. I take this to mean my pam conf files are correct, along with nsswitch.conf.
wbinfo -p, -a, -t, and -u work on the workstation. getent passwd returns DOM\users.list
wbinfo -p, -t, -Y, -S, -G, -n, -s, etc, all work on the PDC. getent passwd returns a list from /etc/passwd and getent group returns a list from /etc/group.
A remotely controlled windows workstation on the lan works as expected.

What doesn't work:
wbinfo -g does not work on the ubuntu workstation or the PDC, there is no error, but they return no information. On the workstation, the domain user once logged in is put into a primary group of DOM\none, and is assigned 3 gids, but I can use wbinfo -G, -Y, -n, etc to query information about these groups on both PDC and workstation.
ls -al of the Department folder shows the group ownership of the directories as DOM\none.
It appears that winbind is not able to parse the group permissions at all, not for the user, nor for the folders.

The hope:
is that someone can say that this problem of group permissions not being recognized has a typical cause (though several hours/days of google searching has revealed no such thing). However, I can provide a great deal of supporting information, as I have gone through documentation and testing extensively (though not extensively enough, apparently). For my own sanity, I put most things I tried into a text document so I could review it and look for errors in judgment, that doc ended up being some 1500 lines long, and doesn't include conf files. Rather than flooding this post, if someone is up for reviewing it, I can definitely make it and further supporting info available...
Old 12-31-2010, 10:48 PM   #2
Original Poster
How does this work?!?:

root@TEST1:~# groups DOM\\bob.miller
DOM\bob.miller : DOM\none groups: cannot find name for group ID 15004
15004 groups: cannot find name for group ID 15005
15005 groups: cannot find name for group ID 15006
root@TEST1:~# wbinfo -G 15004
root@TEST1:~# i=$(wbinfo -G 15004); wbinfo -s $i
DOM\accpac 4
root@TEST1:~# i=$(wbinfo -G 15005); wbinfo -s $i
DOM\public 4
root@TEST1:~# i=$(wbinfo -G 15006); wbinfo -s $i
DOM\it 4

Seems I can get the group name just fine.

How can it be that I can query the winbind server about a group, get its gid, sid, and name, yet wbinfo -g cannot enumerate the groups?
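
A way to put the per-GID lookups from this post side by side with what NSS and `wbinfo -g` report, as an added example that is not part of the thread. The function name `group_report` is hypothetical, and the script assumes `wbinfo -g` prints names in the same DOM\name form as `wbinfo -s`.

```bash
#!/bin/sh
# Added example, not from the thread. Relies only on id, getent and the wbinfo
# switches used in the posts: -G (GID to SID), -s (SID to name), -g (list groups).
# Assumption: wbinfo -g prints names in the same DOM\name form as wbinfo -s.

# group_report USER
# Prints one tab-separated line per GID the user holds:
#   gid, name winbind returns on demand ("-" if none),
#   nss=yes|no  whether getent (the path ls and groups use) can name the GID,
#   enum=yes|no whether that name appears in the wbinfo -g enumeration.
group_report() {
    local user gid sid raw name nss listed enumerated
    user=$1
    enumerated=$(wbinfo -g 2>/dev/null || true)
    for gid in $(id -G "$user"); do
        name=- nss=no listed=no
        if sid=$(wbinfo -G "$gid" 2>/dev/null) && [ -n "$sid" ] &&
           raw=$(wbinfo -s "$sid" 2>/dev/null) && [ -n "$raw" ]; then
            name=${raw% *}    # "DOM\accpac 4" -> "DOM\accpac" (drop the type field)
        fi
        if [ -n "$(getent group "$gid" 2>/dev/null)" ]; then
            nss=yes
        fi
        if [ "$name" != - ] &&
           printf '%s\n' "$enumerated" | grep -qxF -- "$name"; then
            listed=yes
        fi
        printf '%s\t%s\tnss=%s\tenum=%s\n' "$gid" "$name" "$nss" "$listed"
    done
}

# Usage: sh group_report.sh 'DOM\bob.miller'
if [ "$#" -gt 0 ]; then
    group_report "$1"
fi
```

A line showing a name with `nss=no` and `enum=no` is the state described in this post: winbind can map the GID when asked, but neither NSS nor enumeration sees the group.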
Old 01-05-2011, 03:01 PM   #3
Original Poster
I was able to get through the wbinfo -g issue by rebuilding the entire idmap. I did this by renaming related tdb files, and running `net sam mapunixgroup` for all the groups/mappings I needed to "recreate". This now has it so that my group gids and memberships are reporting correctly (mostly).
I am using pam_mount to automatically mount the samba shares on log on. One share has a number of folders whose permissions are governed by file system group ownerships. On the server, they look like so:

d---rws--- 14 root accpac 4096 2010-12-29 13:22 Finance
d---rws--- 9 root it 4096 2011-01-04 23:10 IT

When I log into the ubuntu workstation, the share mounts fine, but I get permissions like this:

d---rws--- 14 DOM\bob.miller DOM\none 0 2010-12-29 13:22 Finance
d---rws--- 9 DOM\bob.miller DOM\none 0 2011-01-04 23:10 IT

so it would seem that pam_mount is pulling the correct permissions (d---rws---) but the wrong group ownership.

So far I have not discovered a google search string that enlightens me as to what needs to be done, any suggestions?
Old 01-08-2011, 04:32 PM   #4
Original Poster
The solution here is to use the noperm option when mounting the share.
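
Why noperm changes the outcome for the listings in post #3, as an added example that is not part of the thread: the client applies the ordinary owner/group/other check to the ownership it displays, the owner class of d---rws--- grants nothing, and noperm skips that client-side check. The function names and the UID/GID numbers are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the thread: the owner/group/other class selection a
# Linux client applies to the ownership it displays. UID/GID numbers below are
# constructed; the mode string is the one from the listings in post #3.

# client_bits MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Prints the rwx triplet of the single class that applies to the user.
client_bits() {
    local perms g
    perms=${1#?}                          # drop the file-type character
    if [ "$4" = "$2" ]; then              # owner class wins even if it grants less
        printf '%s\n' "$perms" | cut -c1-3
        return 0
    fi
    for g in $5; do
        if [ "$g" = "$3" ]; then          # otherwise group class, if a member
            printf '%s\n' "$perms" | cut -c4-6
            return 0
        fi
    done
    printf '%s\n' "$perms" | cut -c7-9    # otherwise "other"
}

# client_allows_read NOPERM MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# NOPERM=yes models a noperm mount: the client-side check is skipped and only
# the server's own access decision remains.
client_allows_read() {
    if [ "$1" = yes ]; then
        return 0
    fi
    shift
    case $(client_bits "$@") in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Server view: root:accpac, user 15001 is a member of accpac (15004).
echo "server view : $(client_bits 'd---rws---' 0 15004 15001 '15000 15004')"
# Client view from the post: owner is the user, group is DOM\none (15000).
echo "client view : $(client_bits 'd---rws---' 15001 15000 15001 '15000 15004')"
```

With noperm the Samba server's check against the mounting user's credentials is the only gate left, so other local users who can reach the mount point are no longer stopped by the client; keep the mount point itself restricted to the logged-in user.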

