Thread: zimbra and samba/posix securityID

  1. #1
    Join Date
    Sep 2006


    I'm using the zimbra-4.5.7GA trial version on Fedora Core 7 with Samba (samba-3.0.26a-0.fc7).

    When I try to add a workstation to the domain I get this error:
    "This security ID may not be assigned as the primary group of an object"

    Anyone know how to get around this? I'm thinking more Samba than Zimbra LDAP, but someone here might have a clue.

    I followed the "UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI" doco on the Zimbra wiki,
    with some additions from the more recent smb.conf(5) man page.

    smb.conf looks like this:
    workgroup = test
    server string = Samba PDC Server Version %v
    interfaces = lo, eth0
    passdb backend = ldapsam:"ldap://"
    log level = 5 passdb: 10 auth:10 winbind: 5
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add user script = /usr/sbin/useradd --quiet --disabled-password --gecos "" -n -g staff "%u"
    delete user script = /usr/sbin/userdel "%u"
    add group script = /usr/sbin/groupadd "%g"
    delete group script = /usr/sbin/groupdel "%g"
    delete user from group script = /usr/sbin/userdel "%u" "%g"
    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false --disabled-password --gecos "machine account" --force-badname "%u"
    logon script = %u.bat
    logon path = \\%L\%U
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = uid=zimbra,cn=admins,cn=zimbra
    ldap delete dn = Yes
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=machines
    ldap suffix = dc=test,dc=com
    ldap user suffix = ou=people
    idmap backend = ldap:ldap://
    idmap uid = 1000-50000
    idmap gid = 1000-50000
    ldapsam:trusted = Yes
    ldapsam:editposix = Yes
    cups options = raw

    dn: sambaDomainName=TEST,dc=test,dc=com
    sambaDomainName: TEST
    sambaSID: S-1-5-21-1561061390-3309481903-831651774
    sambaAlgorithmicRidBase: 1000
    objectClass: sambaDomain
    sambaNextUserRid: 1000
    sambaMinPwdLength: 5
    sambaPwdHistoryLength: 0
    sambaLogonToChgPwd: 0
    sambaMaxPwdAge: -1
    sambaMinPwdAge: 0
    sambaLockoutDuration: 30
    sambaLockoutObservationWindow: 30
    sambaLockoutThreshold: 0
    sambaForceLogoff: -1
    sambaRefuseMachinePwdChange: 0
    sambaNextRid: 1024

    dn: cn=Domain Computers,ou=groups,dc=test,dc=com
    sambaGroupType: 2
    cn: Domain Computers
    sambaSID: S-1-5-21-1561061390-3309481903-831651774-515
    gidNumber: 515
    objectClass: posixGroup
    objectClass: sambaGroupMapping

  2. #2


    I should add this as well:
    net groupmap list
    Domain Admins (S-1-5-21-1561061390-3309481903-831651774-512) -> Domain Admins
    Domain Users (S-1-5-21-1561061390-3309481903-831651774-513) -> Domain Users
    Domain Computers (S-1-5-21-1561061390-3309481903-831651774-515) -> Domain Computers
    Domain Guests (S-1-5-21-1561061390-3309481903-831651774-514) -> Domain Guests
    Domain Controllers (S-1-5-21-1561061390-3309481903-831651774-516) -> Domain Controllers

  3. #3


    Me again,

    Found this thread:

    which I followed, but it didn't help.

    What I did find, though, was that in my smb.conf I had
    ldapsam:editposix = Yes
    Changing that to No fixed my issues - for the record.
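
The domain SID in the sambaDomain entry of post #1 and the `net groupmap list` output of post #2 can be cross-checked mechanically. The following is an added example, not part of the original thread or of Samba: it checks that every mapped group SID sits under the domain SID and that the built-in domain groups carry their well-known RIDs (512 to 516). The function names are hypothetical; the sample data is copied from the two posts.

```python
import re

# Well-known domain-relative RIDs of the built-in domain groups.
WELL_KNOWN_RIDS = {
    "Domain Admins": 512,
    "Domain Users": 513,
    "Domain Guests": 514,
    "Domain Computers": 515,
    "Domain Controllers": 516,
}

# One line of `net groupmap list`: "NT name (SID) -> unix group"
LINE_RE = re.compile(r"^\s*(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>.+?)\s*$")

def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples from `net groupmap list` output."""
    return [(m["nt"], m["sid"], m["unix"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def check_groupmap(domain_sid, text):
    """Return a list of problems; an empty list means the mappings are consistent."""
    problems, seen = [], set()
    for nt, sid, _unix in parse_groupmap(text):
        seen.add(nt)
        prefix, _, rid = sid.rpartition("-")  # split off the trailing RID
        if prefix != domain_sid:
            problems.append(f"{nt}: SID {sid} is not under domain SID {domain_sid}")
        elif nt in WELL_KNOWN_RIDS and int(rid) != WELL_KNOWN_RIDS[nt]:
            problems.append(f"{nt}: RID {rid}, expected {WELL_KNOWN_RIDS[nt]}")
    for nt in WELL_KNOWN_RIDS:
        if nt not in seen:
            problems.append(f"{nt}: no group mapping found")
    return problems

# Values copied from posts #1 (sambaSID of the domain) and #2 (groupmap) above.
DOMAIN_SID = "S-1-5-21-1561061390-3309481903-831651774"
GROUPMAP = """\
Domain Admins (S-1-5-21-1561061390-3309481903-831651774-512) -> Domain Admins
Domain Users (S-1-5-21-1561061390-3309481903-831651774-513) -> Domain Users
Domain Computers (S-1-5-21-1561061390-3309481903-831651774-515) -> Domain Computers
Domain Guests (S-1-5-21-1561061390-3309481903-831651774-514) -> Domain Guests
Domain Controllers (S-1-5-21-1561061390-3309481903-831651774-516) -> Domain Controllers
"""

if __name__ == "__main__":
    for line in check_groupmap(DOMAIN_SID, GROUPMAP) or ["group mappings are consistent"]:
        print(line)
```

On the data posted in this thread the check reports no problems.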
