[Samba] Idmap creates unnecessary group entry - Samba


  1. [Samba] Idmap creates unnecessary group entry

    Hi Samba users,

    I've got a problem with a samba/ldap setup. As I set an ACL to a domain
    group in a Windows client, a group mapping entry will be created in the
    Idmap ou at the ldap server.

    I discovered the OpenLDAP logfiles. There, the server sends a search
    request for the domain group sid to the ldap backend and will retrieve an
    entry back:

    Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SRCH
    base="ou=Groups,dc=lw-systems,dc=net" scope=2 deref=0
    filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-4205727931-4131263253-1851132061-3019))"

    Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SRCH attr=gidNumber
    sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
    Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SEARCH RESULT tag=101
    err=0 nentries=1 text=

    The samba log files show that no entry was found.


    [2008/01/15 20:19:25, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3

    [2008/01/15 20:19:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1570)
    ldapsam_getsampwsid: Unable to locate SID
    [S-1-5-21-4205727931-4131263253-1851132061-3019] count=0

    [2008/01/15 20:19:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2200)
    init_group_from_ldap: Entry found for group: 1009

    [2008/01/15 20:19:25, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2


    I guess, the Idmap entry will be created, since the samba server supposes,
    no group SID will be available at the backend.

    Does anyone have any ideas about this behavior?

    Maybe it's my misunderstanding of the idmapping in samba...



    Best regards,
    Martin Werthmoeller

    --
    LWsystems - IT-Service and Consulting
    mw@lw-systems.de * http://www.lw-systems.de
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Idmap creates unnecessary group entry

    On Tue, 15 Jan 2008 at 21:00 GMT +0100, Martin Werthmöller wrote:

    I've checked some different system configurations.

    As I switched the parameter

    winbind use default domain

    to yes, an idmap entry will be created, too. But now the gidNumber and
    sambaSID values match the values of the already defined group. This is the
    correct behavior for unix and windows users.

    The man page entry for this parameter is a little bit misleading, IMHO.


    But I don't understand the reason for creating this entry. The group was
    already defined at the passdb backend (LDAP) with correct sambaSID and
    gidNumber. Can anybody explain this behavior?



    Best regards,
    Martin Werthmoeller

    --
    LWsystems - IT-Service and Consulting
    mw@lw-systems.de * http://www.lw-systems.de
