[Samba] Samba 3.0.1pre3/ldap - Strange gid mappings server..

 
Mathieu Nantel




(Msg. 1) Posted: Fri Dec 05, 2003 9:00 am
Post subject: [Samba] Samba 3.0.1pre3/ldap - Strange gid mappings server side
Archived from groups: linux>samba

Good day,

I'm running some tests with Samba 3.0.1pre3 with an LDAP sam. LDAP has been,
to the best of my abilities, properly populated with the needed group
mappings. The "net groupmap list" command indeed shows the following:

[root@box bin]# ./net groupmap list
Domain Admins (S-1-5-21-2009448231-1530593524-1969381020-512) -> domadm
Domain Users (S-1-5-21-2009448231-1530593524-1969381020-513) -> domusr
Domain Guests (S-1-5-21-2009448231-1530593524-1969381020-514) -> domgst
Administrators (S-1-5-21-2009448231-1530593524-1969381020-544) -> admins
users (S-1-5-21-2009448231-1530593524-1969381020-545) -> users
Guests (S-1-5-21-2009448231-1530593524-1969381020-546) -> guests
Power Users (S-1-5-21-2009448231-1530593524-1969381020-547) -> pwrusr
Account Operators (S-1-5-21-2009448231-1530593524-1969381020-548) -> acntop
Server Operators (S-1-5-21-2009448231-1530593524-1969381020-549) -> srvop
Print Operators (S-1-5-21-2009448231-1530593524-1969381020-550) -> prtop
Backup Operators (S-1-5-21-2009448231-1530593524-1969381020-551) -> bkpop
Replicator (S-1-5-21-2009448231-1530593524-1969381020-552) -> replic
Domain Computers (S-1-5-21-2009448231-1530593524-1969381020-553) -> domwks
Data (S-1-5-21-2009448231-1530593524-1969381020-9000) -> data
Chem (S-1-5-21-2009448231-1530593524-1969381020-9001) -> chem

- Unix local groups are created (i.e. domadm, domusr, etc.):

chem::7000:
data::2000:
ntadmin::2800:
admins::544:
users::545:
guests::546:
pwrusr::547:
acntop::548:
srvop::549:
prtop::550:
bkpop::551:
replic::552:
domwks::553:
domadm::512:
domusr::513:
domgst::514:

- And LDAP shows the proper info (as far as my knowledge goes). Here's a
sample entry, as I know this message is already long enough:

dn: cn=Domain Admins,ou=Groups,dc=ecopiabio,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2009448231-1530593524-1969381020-512
sambaGroupType: 2
displayName: Domain Admins
memberUid: root

Now for the weird behavior: granting access to "Domain Admins" through Windows
XP's "security" tab (I have acl support compiled in) to a file yields out the
following facl on the unix side:

user::rwx
group::rw- #effective:rw-
group:2147483404:r-x #effective:r-x
mask:rwx
other:r--

GID for "Domain Admins" is fishy. Things look OK on the Windows side of things
though (in the security tab, Domain Admins is right there with proper
permissions).

Samba logs show the following few error messages:

asdasd (192.168.1.52) connect to service data initially as user mat
(uid=2006, gid=2000) (pid 718)
[2003/12/05 08:27:09, 0] rpc_server/srv_util.c:get_domain_user_groups(371)
get_domain_user_groups: primary gid of user [mat] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2003/12/05 08:27:09, 0] rpc_server/srv_util.c:get_alias_user_groups(219)
get_alias_user_groups: gid of user mat doesn't exist. Check your /etc/passwd
and /etc/group files
[2003/12/05 08:27:36, 0] lib/smbldap.c:smbldap_open(800)
smbldap_open: cannot access LDAP when not root..
[2003/12/05 08:27:36, 1] lib/smbldap.c:smbldap_retry_open(889)
Connection to LDAP Server failed for the 1 try!
[2003/12/05 08:27:36, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1639)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(Insufficient access)
[2003/12/05 08:27:36, 0] lib/smbldap.c:smbldap_open(800)
smbldap_open: cannot access LDAP when not root..
[2003/12/05 08:27:36, 1] lib/smbldap.c:smbldap_retry_open(889)
Connection to LDAP Server failed for the 1 try!
[2003/12/05 08:27:36, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1639)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(Insufficient access)

Now before this is questioned, gid 2000 (group data) does indeed exist both
on LDAP and in /etc/group, and is the user's primary GID in ldap and
/etc/passwd. This one is also leaving me without a clue.

Does anyone have an idea on the source of these problems?

Thanks in advance,

--
===================================================================
Mathieu Nantel - RHCE,CCNA Ecopia BioSciences
Systems Manager (514) 336-2724 x434
nantel.TakeThisOut@ecopiabio.com
===================================================================
[*] Please avoid sending me Word/Excel/PowerPoint attachments.
`----> See: http://www.fsf.org/philosophy/no-word-attachments.html
===================================================================
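A cross-check for the kind of mismatch reported above, as an added example that is not part of the original post and does not diagnose its cause: it parses "net groupmap list" output, /etc/group lines and getfacl output, then flags mapped Unix groups that are missing and named-group ACL entries whose numeric gid resolves to no known group. The function names and finding labels are hypothetical, the sample data is a shortened copy of the post's output, and it assumes groups are resolved only from the supplied group file.

```python
import re

# Sample data copied from the post above (shortened to a few entries).
GROUPMAP = """\
Domain Admins (S-1-5-21-2009448231-1530593524-1969381020-512) -> domadm
Domain Users (S-1-5-21-2009448231-1530593524-1969381020-513) -> domusr
Data (S-1-5-21-2009448231-1530593524-1969381020-9000) -> data
"""
ETC_GROUP = "data::2000:\ndomadm::512:\ndomusr::513:\n"
FACL = """\
user::rwx
group::rw- #effective:rw-
group:2147483404:r-x #effective:r-x
mask:rwx
other:r--
"""

def parse_groupmap(text):
    """'NT name (SID) -> unixgroup' lines -> {unixgroup: (nt_name, sid)}."""
    out = {}
    for m in re.finditer(r"^(.+?) \((S-[\d-]+)\) -> (\S+)$", text, re.M):
        out[m.group(3)] = (m.group(1), m.group(2))
    return out

def parse_group_file(text):
    """/etc/group lines 'name:passwd:gid:members' -> {name: gid}."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            groups[f[0]] = int(f[2])
    return groups

def audit(groupmap_text, group_text, facl_text):
    """Return findings as tuples; an empty list means nothing was flagged."""
    mapped = parse_groupmap(groupmap_text)
    groups = parse_group_file(group_text)
    findings = []
    # 1. Every Unix group named in a mapping must exist locally.
    for unix_group, (nt_name, _sid) in mapped.items():
        if unix_group not in groups:
            findings.append(("missing-unix-group", nt_name, unix_group))
    # 2. getfacl prints a bare number when the gid has no name; flag those
    #    named-group entries ('group:<gid>:<perms>') with an unknown gid.
    known_gids = set(groups.values())
    for line in facl_text.splitlines():
        f = line.split("#")[0].strip().split(":")
        if len(f) == 3 and f[0] == "group" and f[1].isdigit():
            if int(f[1]) not in known_gids:
                findings.append(("orphan-acl-gid", int(f[1]), f[2]))
    return findings
```

On the post's data, `audit(GROUPMAP, ETC_GROUP, FACL)` reports only the ACL entry for gid 2147483404, which matches no group in the file.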
