Problem mit Samba+LDAP als PDC - Lug-dd

16 Sep 2010


      Moin Liste,
ich habe hier mit einem sehr unschönen Samba-Problem zu kämpfen. Versucht ein 
Nutzer auf ein Samba-Share zuzugreifen, dann wird die Gruppenberechtigung 
nicht ausgewertet. Die Nutzer können nur auf Freigaben zugreifen, welche der 
Primären Gruppe (sambaPrimaryGroupSID) gehören. Alle anderen Gruppen werden 
ignoriert.
Die Benutzer stecken in eine LDAP-Datenbank. Am Besten ist wohl ein Beispiel:
Benutzer "weisse" will auf "lftcommon" zugreifen, wird aber vom Samba schnöde 
abgewiesen.
Hier der LDAP-Eintrag für den Benutzer:
$> ldapsearch -x -D "cn=administrator,dc=domain,dc=de" -W -b
         "uid=weisse,ou=people,dc=domain,dc=de"
      ...
      dn: uid=weisse,ou=people,dc=domain,dc=de
      ...
      sambaSID: S-1-5-21-3472328929-1490573074-2800308803-3002
      ....
      gidNumber: 20500
      ...
      sambaPrimaryGroupSID: S-1-5-21-3472328929-1490573074-2800308803-20500
Unter Linux steckt "weiss" in der richtigen Gruppe "lft" um auf das 
Verzeichnis zuzugreifen:
    $> id
       uid=21113(weisse) gid=20500(lftuser) Gruppen=... 20000(lft) ...
    $> ll -d common
       drwxrwx--- 16 root lft 4096  9. Aug 14:28 common
Für Windows existiert noch so ein Groupmapping. Wobei ich mir nicht sicher 
bin, ob man das groupmapping überhaupt benötigt.
    $> net groupmap list
    ...
    lft (S-1-5-21-3472328929-1490573074-2800308803-1006) -> lft
    ...
   (Die SID "1006" spielt irgendwie auch keine Rolle. Ob dort die Unix-GID
    steht oder $foo ist egal. Zumindest funktioniert in keinem Fall.)
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
# /etc/samba/smb.conf
[global]
....
   # LDAP als Benutzerdatenbank festlegen        
   encrypt passwords = yes
   passdb backend    = ldapsam:ldap://mlrfs1.domain.de
ldap admin dn       = cn=administrator,dc=domain,dc=de
   ldap suffix         = dc=domain,dc=de
   ldap idmap suffix   = ou=Idmap
   ldap machine suffix = ou=Computers
   ldap group suffix   = ou=group
   ldap user suffix    = ou=people
ldapsam:trusted     = yes
   ldapsam:editposix   = yes
# ldap ssl            = start_tls
   # ldap tls            = start_tls
   ldap ssl            = no
   ldap passwd sync    = Yes
...
   log level = 1   passdb:2 auth:2 winbind:2
... 
[lftcommon]
        comment = Alle LFT Nutzer
        path = /home/lft/common
        read only = No
        inherit permissions = No
        veto files = /aquota.user/groups/shares/
        browseable = yes
        guest ok = no
        printable = no
        create mask = 740
        directory mask = 750
        valid users = @lft
        force group = +lft
        force create mode = 0660
        force directory mode = 0660
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
Anbei mal ein Auszug aus der /var/log/log.smb. Es ist eine frische Anmeldung 
an der Domäne als "weisse" und dann Zugriff auf die Freigabe "lftcommon"
Samba findet im LDAP die Gruppee 20000. Kurz vor dem "NT_STATUS_ACCESS_DENIED" 
spielt Samba noch mit einer Gruppe 1000. Diese Gruppe gibt es wirklich, aber 
hat mit dem Share nichts zu tun.
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
....
[2010/09/16 11:11:15.686408,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:15.763748,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [weisse] -> [weisse] -> 
[weisse] succeeded
[2010/09/16 11:11:16.597111,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:16.599831,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [weisse] -> [weisse] -> 
[weisse] succeeded
[2010/09/16 11:11:16.642294,  1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service profiles initially as user 
weisse (uid=21113, gid=20500) (pid 8611)
[2010/09/16 11:11:16.644955,  1] smbd/dosmode.c:255(get_ea_dos_attribute)
  get_ea_dos_attributes: Cannot get attribute from EA on file .msprofile: 
Error = Die Operation wird nicht unterstützt
[2010/09/16 11:11:16.646398,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:31.293138,  1] smbd/service.c:1251(close_cnum)
  mlr134v (141.30.156.134) closed connection to service profiles
[2010/09/16 11:11:32.330728,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:32.334515,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [weisse] -> [weisse] -> 
[weisse] succeeded
[2010/09/16 11:11:32.340314,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: haehnel
[2010/09/16 11:11:32.385181,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: root
[2010/09/16 11:11:32.386166,  1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service netlogon initially as user 
weisse (uid=21113, gid=20500) (pid 8616)
[2010/09/16 11:11:33.194144,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:33.197010,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:33.198957,  1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service weisse initially as user weisse 
(uid=21113, gid=20500) (pid 8616)
[2010/09/16 11:11:41.813782,  1] smbd/service.c:1251(close_cnum)
  mlr134v (141.30.156.134) closed connection to service netlogon
[2010/09/16 11:11:41.815067,  1] smbd/service.c:1251(close_cnum)
  mlr134v (141.30.156.134) closed connection to service weisse
[2010/09/16 11:11:56.278246,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.281555,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [weisse] -> [weisse] -> 
[weisse] succeeded
[2010/09/16 11:11:56.286103,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
 init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.288915,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: weisse
[2010/09/16 11:11:56.290839,  1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service weisse initially as user weisse 
(uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:11:56.672438,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: haehnel
[2010/09/16 11:11:56.675118,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: root
[2010/09/16 11:11:56.677183,  1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service netlogon initially as user 
weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:00.759827,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.760879,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.761015,  0] param/loadparm.c:9912(widelinks_warning)
  Share 'lft' has wide links and unix extensions enabled. These parameters are 
incompatible. Wide links will be disabled for this share.
[2010/09/16 11:12:00.762599,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.762975,  1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service lft initially as user weisse 
(uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:00.823477,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.824278,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20000
[2010/09/16 11:12:00.824416,  0] param/loadparm.c:9912(widelinks_warning)
  Share 'lftcommon' has wide links and unix extensions enabled. These 
parameters are incompatible. Wide links will be disabled for this share.
[2010/09/16 11:12:00.825761,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:00.826182,  1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service lftcommon initially as user 
weisse (uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:01.364989,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.366606,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:01.367811,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.369595,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 21003
[2010/09/16 11:12:01.370874,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20500
[2010/09/16 11:12:01.371561,  1] smbd/service.c:1070(make_connection_snum)
  mlr134v (141.30.156.134) connect to service lftstud initially as user weisse 
(uid=21113, gid=20500) (pid 8644)
[2010/09/16 11:12:01.460171,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1000
[2010/09/16 11:12:01.460405,  1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
<--------------- ><8 -------- ><8 -------- ><8 -------- ><8 -------->
Zum System: 
   openSuse 11.3
   Samba (Version 3.5.4)
   OpenLDAP (Version 2.4.21)
Hat jemand einen PDC (Samba+LDAP) mit Suse 11.3 am Laufen und kann mir 
weiterhelfen? Früher mit einer 9.x-Version lief das schon mal wichtig gut. 
Seid der Umstellung auf 11.3 hängt es an allen Ecken und Enden.
Jens