[Samba] nested groups with user mapping doesn't work

Hi,

i've a samba server (3.0.23d) as a domain member (not a PDC/BDC). My problem is that if I'm using
user mapping with the option 'username map = user.map' the samba server doesn't see that I'm a
member of several domain groups and the nested groups doesn't work. If I deactivate the user mapping
then nested groups works fine but I've a different UID on the unix FS (from the idmap uid range) and
I can't access my files.

The unix user:
bash-3.00# getent passwd raiweber
raiweber:x:120:14:Rainer Weber:/home/raiweber:/usr/bin/bash

The windows user:
bash-3.00# getent passwd WINDOWS+raiweber
raiweber:*:10005:10002:Rainer Weber:/home/raiweber:/bin/bash

The user.map entry looks like:
raiweber = "WINDOWS+raiweber"

The PDC is a Windows Server 2003 and we have both unix and windows user with the same name.


How can I map windows users to a specific UID (e.g. WINDOWS+raiweber to UID 120) and use nested groups?

Thanks.

Rainer

--
+--------------------------------------+
| Max Planck Institute for Mathematics |
| System Administration |
| |
| Vivatsgasse 7, 53111 Bonn, Germany |
| Tel +49 (0)228-402-239 |
| Fax +49 (0)228-402-277 |
| Email raiweber.DeleteThis@mpim-bonn.mpg.de |
+--------------------------------------+
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Hi,

if I deactivate the user mapping over 'username map' samba can see that the windows user raiweber is
member of several windows groups.

[2007/02/02 14:07:32, 10] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-781721396-396832292-1671184278-1107
contains 11 SIDs
SID[ 0]: S-1-5-21-781721396-396832292-1671184278-1107
SID[ 1]: S-1-5-21-781721396-396832292-1671184278-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-781721396-396832292-1671184278-1118
SID[ 6]: S-1-5-21-781721396-396832292-1671184278-1108
SID[ 7]: S-1-5-21-781721396-396832292-1671184278-1117
SID[ 8]: S-1-5-21-781721396-396832292-1671184278-1115
SID[ 9]: S-1-5-21-702622059-3335440352-4138491235-2001
SID[ 10]: S-1-5-32-545
SE_PRIV 0x0 0x0 0x0 0x0

If I activate user mapping again I can only see the following in the log.
[2007/02/02 15:21:17, 10] libads/authdata.c:dump_pac_logon_info(723)
The PAC:
User Flags: 0x20 (32)
User Flags: LOGON_EXTRA_SIDS 0x20 (32)
User SID: S-1-5-21-781721396-396832292-1671184278-1107
Group SID: S-1-5-21-781721396-396832292-1671184278-513
Group Membership (Global and Universal Groups of own domain):
0: sid: S-1-5-21-781721396-396832292-1671184278-513
attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
1: sid: S-1-5-21-781721396-396832292-1671184278-1118
attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
2: sid: S-1-5-21-781721396-396832292-1671184278-1108
attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
3: sid: S-1-5-21-781721396-396832292-1671184278-1117
attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
4: sid: S-1-5-21-781721396-396832292-1671184278-1115
attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
Group Membership (Domain Local Groups and Groups from Trusted Domains):
Group Membership (Ressource Groups (SID History ?)):

and

[2007/02/02 15:21:17, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2007/02/02 15:21:17, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups


And I nested groups doesn't work.
Can some one please tell me where the problem is?

My smb.conf
[global]
workgroup = WINDOWS
realm = WINDOWS.LOCAL
security = ADS
map to guest = Bad User
password server = 192.168.254.156
root directory = /
username map = /usr/local/samba/private/user.map
lanman auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 10
min protocol = NT1
client signing = required
server signing = required
load printers = No
domain master = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
hosts allow = 192.168.254.156, 192.168.254.121, 192.168.254.236

[local_home]
path = /local_home
read only = No


Thanks.

Rainer

Rainer Weber wrote:
> Hi,
>
> i've a samba server (3.0.23d) as a domain member (not a PDC/BDC). My
> problem is that if I'm using user mapping with the option 'username map
> = user.map' the samba server doesn't see that I'm a member of several
> domain groups and the nested groups doesn't work. If I deactivate the
> user mapping then nested groups works fine but I've a different UID on
> the unix FS (from the idmap uid range) and I can't access my files.
>
> The unix user:
> bash-3.00# getent passwd raiweber
> raiweber:x:120:14:Rainer Weber:/home/raiweber:/usr/bin/bash
>
> The windows user:
> bash-3.00# getent passwd WINDOWS+raiweber
> raiweber:*:10005:10002:Rainer Weber:/home/raiweber:/bin/bash
>
> The user.map entry looks like:
> raiweber = "WINDOWS+raiweber"
>
> The PDC is a Windows Server 2003 and we have both unix and windows user
> with the same name.
>
>
> How can I map windows users to a specific UID (e.g. WINDOWS+raiweber to
> UID 120) and use nested groups?
>
> Thanks.
>
> Rainer
>

--
+--------------------------------------+
| Max Planck Institute for Mathematics |
| System Administration |
| |
| Vivatsgasse 7, 53111 Bonn, Germany |
| Tel +49 (0)228-402-239 |
| Fax +49 (0)228-402-277 |
| Email raiweber RemoveThis @mpim-bonn.mpg.de |
+--------------------------------------+
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba