Bug 5076 - sambaUserWorkstations not working with groups of computers and LDAP.
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.26a
Hardware: x86 Linux
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL: http://lists.samba.org/archive/samba/...
Reported: 2007-11-12 04:27 UTC by Frederic Nass
Modified: 2020-02-14 20:21 UTC

Attachments
Config and Log Files (162.20 KB, application/x-compressed-tar)
2007-11-12 04:30 UTC, Frederic Nass

Description Frederic Nass 2007-11-12 04:27:17 UTC
Hello,

Test environment:

Server: Debian 4, up to date, with the original Debian Samba 3.0.24 (same with 3.0.26a) and slapd 2.3.30.
Workstations: Windows XP SP2, up to date, firewall deactivated, joined to the TEST domain. Workstation access to the domain and shares is OK.

Problem description:

When using LDAP as a backend, trying to restrict user access by groups of machines fails. Without the compile option CFLAGS=-DNO_LDAP_SECURITY, the Samba LDAP bind fails with this error message: "smbldap_open: cannot access LDAP when not root.."

Using a simple list of comma-separated computer names is OK, but using groups of machines (+groupname) in the sambaUserWorkstations attribute gives the error.

More info here: http://lists.samba.org/archive/samba/2007-November/136188.html

Here are the config and log files:


slapd.conf:

=============================================================================

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel       936
modulepath	/usr/lib/ldap
moduleload	back_bdb
sizelimit 500
tool-threads 1
backend		bdb
checkpoint 512 30
database        bdb
suffix          "dc=test,dc=org"
rootdn          "cn=Manager,dc=test,dc=org"
rootpw		"{SSHA}dMWj1rhnVV8oPWx3jUoilcwew5ZfTTN9"

directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
index cn	pres,sub,eq
index sn	pres,sub,eq
index uid	pres,sub,eq
index displayName	pres,sub,eq
index sambaSID	eq
index sambaGroupType	eq
index sambaSIDlist	eq
index sambaPrimaryGroupSID	eq
index sambaDomainName	eq
index default	sub
index memberUid	eq
index uniqueMember	eq
index gidNumber	eq
lastmod         on
access to attrs=userPassword,shadowLastChange
        by dn="cn=Manager,dc=test,dc=org" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=Manager,dc=test,dc=org" write
        by * read


=============================================================================

smb.conf:

=============================================================================

[global]
   workgroup = TEST
   server string = %h server
   wins support = yes
;   wins server = w.x.y.z
   dns proxy = no
   name resolve order = lmhosts host wins bcast
   interfaces = eth3
   bind interfaces only = true
   log file = /var/log/samba/%m.log
   log level = 10
   debug timestamp=yes
   enable privileges = yes
   max log size = 1000
;   syslog only = no
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldap://127.0.0.1
;   obey pam restrictions = yes
;   guest account = nobody
;   invalid users = root
ldap delete dn = yes
ldap admin dn = cn=Manager,dc=test,dc=org
ldap suffix = dc=test,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
;   unix password sync = no
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
;   pam password change = no
   domain logons = yes
   local master = yes
   domain master = yes
   preferred master = yes
   admin users = admin
   logon path = \\%N\profiles\%U
;   logon path = \\%N\%U\profile
   logon drive = H:
;   logon home = \\%N\%U
   logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = smbldap-useradd -w -i -n "%u"
;   load printers = yes
;   printing = bsd
;   printcap name = /etc/printcap
;   printing = cups
;   printcap name = cups
;   printer admin = @ntadmin
;   include = /home/samba/etc/smb.conf.%m
   socket options = TCP_NODELAY
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash
;
; The following was the default behaviour in sarge
; but samba upstream reverted the default because it might induce
; performance issues in large organizations
; See #368251 for some of the consequences of *not* having
; this setting and smb.conf(5) for all details
;
;   winbind enum groups = yes
;   winbind enum users = yes
[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   create mask = 0700
   directory mask = 0701
   valid users = %S
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700


=============================================================================

slapcat:

=============================================================================

dn: dc=test,dc=org
objectClass: dcObject
objectClass: organization
o: test
dc: test
structuralObjectClass: organization
entryUUID: ba7b4ecc-230f-102c-8329-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000000#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: ou=Users,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
entryUUID: ba828cb4-230f-102c-832a-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000001#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: ou=Groups,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: ba83e32a-230f-102c-832b-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: ou=Computers,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: ba86c568-230f-102c-832c-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000003#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: ou=Idmap,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: ba898f46-230f-102c-832d-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000004#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: uid=admin,ou=Users,dc=test,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\debian\root
sambaHomeDrive: H:
sambaProfilePath: \\debian\profiles\root
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: ba8c0b0e-230f-102c-832e-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
sambaLMPassword: D951BB3435BD40A4613E9293942509F0
sambaAcctFlags: [U]
sambaNTPassword: A62E0E459DB9308715C18486FCEDB902
sambaPwdLastSet: 1194613339
sambaPwdMustChange: 1198501339
userPassword:: e1NTSEF9QXZPVk40d25zQlVWelIxajJYZ21hTWVWVzg1M1JucHQ=
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3040
uidNumber: 1020
gidNumber: 512
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-512
uid: admin
sn: admin
cn: admin
entryCSN: 20071110081146Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110081146Z

dn: uid=nobody,ou=Users,dc=test,dc=org
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\debian\nobody
sambaHomeDrive: H:
sambaProfilePath: \\debian\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD        ]
sambaSID: S-1-5-21-747375223-3054175255-2287932516-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: ba97a66c-230f-102c-832f-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000006#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Domain Admins,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
description: Netbios Domain Administrators
sambaSID: S-1-5-21-747375223-3054175255-2287932516-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: ba98f350-230f-102c-8330-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
memberUid: admin
entryCSN: 20071110081146Z#000003#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110081146Z

dn: cn=Domain Users,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-747375223-3054175255-2287932516-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: baa1bce2-230f-102c-8331-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000008#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Domain Guests,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-747375223-3054175255-2287932516-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: baa6ace8-230f-102c-8332-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000009#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Domain Computers,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-747375223-3054175255-2287932516-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: baaa8ed0-230f-102c-8333-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000a#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Administrators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: baae12d0-230f-102c-8334-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000b#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Account Operators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
structuralObjectClass: posixGroup
entryUUID: baaf6248-230f-102c-8335-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000c#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Print Operators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: bab33332-230f-102c-8336-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000d#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Backup Operators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: bab5ddd0-230f-102c-8337-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000e#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Replicators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: bab976f2-230f-102c-8338-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000f#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: sambaDomainName=TEST,dc=test,dc=org
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: TEST
sambaSID: S-1-5-21-747375223-3054175255-2287932516
uidNumber: 1000
gidNumber: 1000
structuralObjectClass: sambaDomain
entryUUID: babc2f14-230f-102c-8339-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
entryCSN: 20071112083223Z#000001#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071112083223Z

dn: cn=groupe1,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: groupe1
gidNumber: 5000
sambaSID: S-1-5-21-747375223-3054175255-2287932516-11001
sambaGroupType: 2
displayName: groupe1
memberUid: toto
structuralObjectClass: posixGroup
entryUUID: f9d4db56-239b-102c-870f-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000000#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: uid=pc1$,ou=Computers,dc=test,dc=org
cn: pc1$
sn: pc1$
uid: pc1$
uidNumber: 1002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3004
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-515
sambaAcctFlags: [W          ]
sambaPwdCanChange: 1194446962
sambaNTPassword: 66E7582F74C1402026F89C7D9827835F
sambaPwdLastSet: 1194446962
structuralObjectClass: inetOrgPerson
entryUUID: f9d780a4-239b-102c-8710-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000001#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: uid=toto,ou=Users,dc=test,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: toto
sn: toto
givenName: toto
uid: toto
uidNumber: 1003
gidNumber: 513
homeDirectory: /home/toto
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3006
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-513
sambaLogonScript: logon.bat
sambaProfilePath: \\debian\profiles\toto
sambaHomePath: \\debian\toto
sambaHomeDrive: H:
sambaLMPassword: BAC14D04669EE1D1AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: FBBF55D0EF0E34D39593F55C5F2CA5F2
sambaPwdLastSet: 1194447210
sambaPwdMustChange: 1198335210
userPassword:: e1NTSEF9UjhmT0E5U2dzM21FQm10YXhLQVhRd2VnbXV0cFR6WTU=
sambaUserWorkstations: PC1,+salle1
structuralObjectClass: inetOrgPerson
entryUUID: f9d849da-239b-102c-8711-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: uid=pc3$,ou=Computers,dc=test,dc=org
cn: pc3$
sn: pc3$
uid: pc3$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3008
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-515
sambaAcctFlags: [W          ]
sambaPwdCanChange: 1194448365
sambaNTPassword: 2C8802341C1D7F79A358F6B722094859
sambaPwdLastSet: 1194448365
structuralObjectClass: inetOrgPerson
entryUUID: f9db099a-239b-102c-8712-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000003#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: uid=pc2$,ou=Computers,dc=test,dc=org
cn: pc2$
sn: pc2$
uid: pc2$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3010
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-515
sambaAcctFlags: [W          ]
sambaPwdCanChange: 1194448427
sambaNTPassword: 1AA35F78B079985CE16DEC5BDDB33493
sambaPwdLastSet: 1194448427
structuralObjectClass: inetOrgPerson
entryUUID: f9dcffe8-239b-102c-8713-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000004#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: cn=salle1,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: salle1
gidNumber: 4000
sambaSID: S-1-5-21-747375223-3054175255-2287932516-9001
sambaGroupType: 2
displayName: salle1
memberUid: PC1$
memberUid: PC2$
memberUid: pc1$
memberUid: pc2$
structuralObjectClass: posixGroup
entryUUID: f9ddc770-239b-102c-8714-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000005#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: cn=salle2,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: salle2
gidNumber: 4001
sambaSID: S-1-5-21-747375223-3054175255-2287932516-9003
sambaGroupType: 2
displayName: salle2
memberUid: PC3$
structuralObjectClass: posixGroup
entryUUID: f9de8552-239b-102c-8715-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000006#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

=============================================================================

testparm -v:

=============================================================================
[global]
	dos charset = CP850
	unix charset = UTF-8
	display charset = LOCALE
	workgroup = TEST
	realm = 
	netbios name = DEBIAN
	netbios aliases = 
	netbios scope = 
	server string = %h server
	interfaces = eth3
	bind interfaces only = Yes
	security = USER
	auth methods = 
	encrypt passwords = Yes
	update encrypted = No
	client schannel = Auto
	server schannel = Auto
	allow trusted domains = Yes
	map to guest = Never
	null passwords = No
	obey pam restrictions = No
	password server = *
	smb passwd file = /etc/samba/smbpasswd
	private dir = /etc/samba
	passdb backend = ldapsam:ldap://127.0.0.1
	algorithmic rid base = 1000
	root directory = 
	guest account = nobody
	enable privileges = Yes
	pam password change = No
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd chat debug = No
	passwd chat timeout = 2
	check password script = 
	username map = 
	password level = 0
	username level = 0
	unix password sync = No
	restrict anonymous = 0
	lanman auth = Yes
	ntlm auth = Yes
	client NTLMv2 auth = No
	client lanman auth = Yes
	client plaintext auth = Yes
	preload modules = 
	use kerberos keytab = No
	log level = 10
	syslog = 0
	syslog only = No
	log file = /var/log/samba/%m.log
	max log size = 1000
	debug timestamp = Yes
	debug hires timestamp = No
	debug pid = No
	debug uid = No
	enable core files = Yes
	smb ports = 445 139
	large readwrite = Yes
	max protocol = NT1
	min protocol = CORE
	read bmpx = No
	read raw = Yes
	write raw = Yes
	disable netbios = No
	reset on zero vc = No
	acl compatibility = auto
	defer sharing violations = Yes
	nt pipe support = Yes
	nt status support = Yes
	announce version = 4.9
	announce as = NT
	max mux = 50
	max xmit = 16644
	name resolve order = lmhosts host wins bcast
	max ttl = 259200
	max wins ttl = 518400
	min wins ttl = 21600
	time server = No
	unix extensions = Yes
	use spnego = Yes
	client signing = auto
	server signing = No
	client use spnego = Yes
	enable asu support = No
	svcctl list = 
	deadtime = 0
	getwd cache = Yes
	keepalive = 300
	kernel change notify = Yes
	fam change notify = Yes
	lpq cache time = 30
	max smbd processes = 0
	paranoid server security = Yes
	max disk size = 0
	max open files = 10000
	open files database hash size = 10007
	socket options = TCP_NODELAY
	use mmap = Yes
	hostname lookups = No
	name cache timeout = 660
	load printers = Yes
	printcap cache time = 750
	printcap name = 
	cups server = 
	iprint server = 
	disable spoolss = No
	addport command = 
	enumports command = 
	addprinter command = 
	deleteprinter command = 
	show add printer wizard = Yes
	os2 driver map = 
	mangling method = hash2
	mangle prefix = 1
	max stat cache size = 0
	stat cache = Yes
	machine password timeout = 604800
	add user script = 
	rename user script = 
	delete user script = 
	add group script = 
	delete group script = 
	add user to group script = 
	delete user from group script = 
	set primary group script = 
	add machine script = smbldap-useradd -w -i -n "%u"
	shutdown script = 
	abort shutdown script = 
	username map script = 
	logon script = logon.cmd
	logon path = \\%N\profiles\%U
	logon drive = H:
	logon home = \\%N\%U
	domain logons = Yes
	os level = 20
	lm announce = Auto
	lm interval = 60
	preferred master = Yes
	local master = Yes
	domain master = Yes
	browse list = Yes
	enhanced browsing = Yes
	dns proxy = No
	wins proxy = No
	wins server = 
	wins support = Yes
	wins hook = 
	kernel oplocks = Yes
	lock spin count = 3
	lock spin time = 10
	oplock break wait time = 0
	ldap admin dn = cn=Manager,dc=test,dc=org
	ldap delete dn = Yes
	ldap group suffix = ou=Groups
	ldap idmap suffix = 
	ldap machine suffix = ou=Computers
	ldap passwd sync = no
	ldap replication sleep = 1000
	ldap suffix = dc=test,dc=org
	ldap ssl = 
	ldap timeout = 15
	ldap page size = 1024
	ldap user suffix = ou=Users
	add share command = 
	change share command = 
	delete share command = 
	eventlog list = 
	config file = 
	preload = 
	lock directory = 
	pid directory = /var/run/samba
	utmp directory = 
	wtmp directory = 
	utmp = No
	default service = 
	message command = 
	get quota command = 
	set quota command = 
	remote announce = 
	remote browse sync = 
	socket address = 0.0.0.0
	homedir map = auto.home
	afs username map = 
	afs token lifetime = 604800
	log nt token command = 
	time offset = 0
	NIS homedir = No
	usershare allow guests = No
	usershare max shares = 0
	usershare owner only = Yes
	usershare path = /var/run/samba/usershares
	usershare prefix allow list = 
	usershare prefix deny list = 
	usershare template share = 
	panic action = /usr/share/samba/panic-action %d
	host msdfs = Yes
	passdb expand explicit = No
	idmap backend = 
	idmap uid = 
	idmap gid = 
	template homedir = /home/%D/%U
	template shell = /bin/false
	winbind separator = \
	winbind cache time = 300
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = No
	winbind trusted domains only = No
	winbind nested groups = Yes
	winbind nss info = template
	winbind refresh tickets = No
	winbind offline logon = No
	comment = 
	path = 
	username = 
	invalid users = 
	valid users = 
	admin users = admin
	read list = 
	write list = 
	printer admin = 
	force user = 
	force group = 
	read only = Yes
	acl check permissions = Yes
	acl group control = No
	acl map full control = Yes
	create mask = 0744
	force create mode = 00
	security mask = 0777
	force security mode = 00
	directory mask = 0755
	force directory mode = 00
	directory security mask = 0777
	force directory security mode = 00
	force unknown acl user = No
	inherit permissions = No
	inherit acls = No
	inherit owner = No
	guest only = No
	guest ok = No
	only user = No
	hosts allow = 
	hosts deny = 
	allocation roundup size = 1048576
	aio read size = 0
	aio write size = 0
	aio write behind = 
	ea support = No
	nt acl support = Yes
	profile acls = No
	map acl inherit = No
	afs share = No
	block size = 1024
	change notify timeout = 60
	max connections = 0
	min print space = 0
	strict allocate = No
	strict sync = No
	sync always = No
	use sendfile = No
	write cache size = 0
	max reported print jobs = 0
	max print jobs = 1000
	printable = No
	printing = bsd
	cups options = 
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	lppause command = 
	lpresume command = 
	queuepause command = 
	queueresume command = 
	printer name = 
	use client driver = No
	default devmode = Yes
	force printername = No
	default case = lower
	case sensitive = Auto
	preserve case = Yes
	short preserve case = Yes
	mangling char = ~
	hide dot files = Yes
	hide special files = No
	hide unreadable = No
	hide unwriteable files = No
	delete veto files = No
	veto files = 
	hide files = 
	veto oplock files = 
	map archive = Yes
	map hidden = No
	map system = No
	map readonly = yes
	mangled names = Yes
	mangled map = 
	store dos attributes = No
	dmapi support = No
	browseable = Yes
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	locking = Yes
	oplocks = Yes
	level2 oplocks = Yes
	oplock contention limit = 2
	posix locking = Yes
	strict locking = Auto
	share modes = Yes
	dfree cache time = 0
	dfree command = 
	copy = 
	include = 
	preexec = 
	preexec close = No
	postexec = 
	root preexec = 
	root preexec close = No
	root postexec = 
	available = Yes
	volume = 
	fstype = NTFS
	set directory = No
	wide links = Yes
	follow symlinks = Yes
	dont descend = 
	magic script = 
	magic output = 
	delete readonly = No
	dos filemode = No
	dos filetimes = Yes
	dos filetime resolution = No
	fake directory create times = No
	vfs objects = 
	msdfs root = Yes
	msdfs proxy = 

[homes]
	comment = Home Directories
	valid users = %S
	read only = No
	create mask = 0700
	directory mask = 0701

[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
=============================================================================

Log files (slapd level: 326, Samba level: 10) with default Debian Samba 3.0.24 (and LDAP_SECURITY):

Part of pc2.log (Samba log) when login fails on PC2:

=============================================================================
[2007/11/12 09:17:50, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=4000))], scope => [2]
[2007/11/12 09:17:50, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 4000
[2007/11/12 09:17:50, 10] lib/smbldap.c:smbldap_get_single_attribute(276)
  smbldap_get_single_attribute: [description] = [<does not exist>]
[2007/11/12 09:17:50, 10] passdb/lookup_sid.c:gid_to_sid(1149)
  gid_to_sid: local 4000 -> S-1-5-21-747375223-3054175255-2287932516-9001
[2007/11/12 09:17:50, 3] passdb/lookup_sid.c:store_gid_sid_cache(1059)
  store_gid_sid_cache: gid 4000 in cache -> S-1-5-21-747375223-3054175255-2287932516-9001
[2007/11/12 09:17:50, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 544 -> S-1-5-32-544
[2007/11/12 09:17:50, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))], scope => [2]
[2007/11/12 09:17:50, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
  ldapsam_getgroup: Did not find group
[2007/11/12 09:17:50, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-3010)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-515)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-9001)(sambaSIDList=S-1-22-2-515)(sambaSIDList=S-1-22-2-4000)))], scope => [2]
[2007/11/12 09:17:50, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2007/11/12 09:17:50, 10] auth/auth_util.c:add_aliases(653)
  pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
[2007/11/12 09:17:50, 10] auth/auth_util.c:user_in_group_sid(1277)
  could not create token for PC2$
[2007/11/12 09:17:50, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [toto] FAILED with error NT_STATUS_INVALID_WORKSTATION
[2007/11/12 09:17:50, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [TEST] was for this SAM.
[2007/11/12 09:17:50, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: winbind had nothing to say
[2007/11/12 09:17:50, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [toto] -> [toto] FAILED with error NT_STATUS_INVALID_WORKSTATION
[2007/11/12 09:17:50, 5] auth/auth_util.c:free_user_info(1867)
  attempting to free (and zero) a user_info structure
[2007/11/12 09:17:50, 10] auth/auth_util.c:free_user_info(1871)
  structure was created for toto
[2007/11/12 09:17:50, 5] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
  _net_sam_logon: check_password returned status NT_STATUS_INVALID_WORKSTATION
=============================================================================

part of the syslog when login fails on pc2$ :

=============================================================================
Nov 12 09:17:50 debian slapd[8566]:  
Nov 12 09:17:50 debian slapd[8566]: daemon: read activity on 21 
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=5 active_threads=0 tvp=NULL 
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=6 active_threads=0 tvp=NULL 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: AND 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter_list 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: EQUALITY 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: EQUALITY 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: end get_filter_list 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: conn=7 op=6 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=salle1,ou=groups,dc=test,dc=org))" 
Nov 12 09:17:50 debian slapd[8566]: conn=7 op=6 SRCH attr=gidNumber 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IAND 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IOR 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa1 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IAND 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=12 first=8 last=24 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=8 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=8 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=1 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=1 last=0 
Nov 12 09:17:50 debian slapd[8566]: conn=7 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text= 
Nov 12 09:17:50 debian slapd[8566]: daemon: activity on 1 descriptor 
Nov 12 09:17:50 debian slapd[8566]: daemon: activity on:
Nov 12 09:17:50 debian slapd[8566]:  10r
Nov 12 09:17:50 debian slapd[8566]:  
Nov 12 09:17:50 debian slapd[8566]: daemon: read activity on 10 
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=5 active_threads=0 tvp=NULL 
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=6 active_threads=0 tvp=NULL 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: AND 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter_list 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: EQUALITY 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: EQUALITY 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: end get_filter_list 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: conn=6 op=29 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=4000))" 
Nov 12 09:17:50 debian slapd[8566]: conn=6 op=29 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IAND 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IOR 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa1 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IAND 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=12 first=8 last=24 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=1 first=23 last=23 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=1 first=23 last=23 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=1 first=23 last=23 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=1 first=23 last=23 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=1 first=23 last=23 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=1 first=23 last=23 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=1 first=23 last=23 
Nov 12 09:17:50 debian slapd[8566]: => test_filter 
Nov 12 09:17:50 debian slapd[8566]:     AND 
Nov 12 09:17:50 debian slapd[8566]: => test_filter_and 
Nov 12 09:17:50 debian slapd[8566]: => test_filter 
Nov 12 09:17:50 debian slapd[8566]:     EQUALITY 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: search access to "cn=salle1,ou=Groups,dc=test,dc=org" "objectClass" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: <= test_filter 6 
Nov 12 09:17:50 debian slapd[8566]: => test_filter 
Nov 12 09:17:50 debian slapd[8566]:     EQUALITY 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: search access to "cn=salle1,ou=Groups,dc=test,dc=org" "gidNumber" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: <= test_filter 6 
Nov 12 09:17:50 debian slapd[8566]: <= test_filter_and 6 
Nov 12 09:17:50 debian slapd[8566]: <= test_filter 6 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "entry" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "objectClass" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "cn" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "gidNumber" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "sambaSID" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "sambaGroupType" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "displayName" requested 
Nov 12 09:17:50 debian slapd[8566]: <= root access granted 
Nov 12 09:17:50 debian slapd[8566]: conn=6 op=29 ENTRY dn="cn=salle1,ou=groups,dc=test,dc=org" 
Nov 12 09:17:50 debian slapd[8566]: conn=6 op=29 SEARCH RESULT tag=101 err=0 nentries=1 text= 
Nov 12 09:17:50 debian slapd[8566]: daemon: activity on 1 descriptor 
Nov 12 09:17:50 debian slapd[8566]: daemon: activity on:
Nov 12 09:17:50 debian slapd[8566]:  10r
Nov 12 09:17:50 debian slapd[8566]:  
Nov 12 09:17:50 debian slapd[8566]: daemon: read activity on 10 
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=5 active_threads=0 tvp=NULL 
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=6 active_threads=0 tvp=NULL 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: AND 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter_list 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: EQUALITY 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: begin get_filter 
Nov 12 09:17:50 debian slapd[8566]: EQUALITY 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: end get_filter_list 
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 
Nov 12 09:17:50 debian slapd[8566]: conn=6 op=30 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-545))" 
Nov 12 09:17:50 debian slapd[8566]: conn=6 op=30 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IAND 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IOR 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa1 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IAND 
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=12 first=8 last=24 
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates 
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=8 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=8 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=3 last=0 
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=3 last=0 
Nov 12 09:17:50 debian slapd[8566]: conn=6 op=30 SEARCH RESULT tag=101 err=0 nentries=0 text= 
Nov 12 09:17:56 debian exiting on signal 15
=============================================================================

Part of the source code : auth_sam.c

=============================================================================
	if (*workstation_list) {
		BOOL invalid_ws = True;
		fstring tok;
		const char *s = workstation_list;

		const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name);
		if (machine_name == NULL)
			return NT_STATUS_NO_MEMORY;
			
			
		while (next_token(&s, tok, ",", sizeof(tok))) {
			DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n",
				  tok, user_info->wksta_name));
			if(strequal(tok, user_info->wksta_name)) {
				invalid_ws = False;
				break;
			}
			if (tok[0] == '+') {
				DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n", 
					machine_name, tok + 1));
				if (user_in_group(machine_name, tok + 1)) {
					invalid_ws = False;
					break;
				}
			}
		}
		
		if (invalid_ws) 
			return NT_STATUS_INVALID_WORKSTATION;
	}
=============================================================================


Complete config and (a little bit longer) log files can be found here :

http://www.fichiers.univ-metz.fr/depot/nass/samba-debug.tgz

Also available in this .tgz are log files of a Samba build with the same options as the default Debian build but with CFLAGS=-DNO_LDAP_SECURITY, which makes it work...

By the way... What are or would be the consequences of using this (LDAP security off) samba build ?

Bug ?

Thanks for any help,

Frédéric Nass
Université de Metz,
Service S2i - IUT de Metz,
tél : +33387547736
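The Samba log excerpt in the report above shows NT_STATUS_INVALID_WORKSTATION being returned after the group lookup itself failed, not after a completed membership check. The following is an added triage example, not code from the report or from Samba: it parses the two-line Samba log format and labels each such denial by whether a lookup error was logged in the same second. The function names and the "titi" log entry are constructed for illustration, and the "policy-denial" label is a heuristic that only means no lookup error was seen.

```python
import re

# Constructed sample: lines taken from the pc2.log excerpt in the report above, plus
# one constructed denial (user "titi") with no LDAP error before it.
SAMPLE_LOG = """\
[2007/11/12 09:17:50, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2007/11/12 09:17:50, 10] auth/auth_util.c:add_aliases(653)
  pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
[2007/11/12 09:17:50, 10] auth/auth_util.c:user_in_group_sid(1277)
  could not create token for PC2$
[2007/11/12 09:17:50, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [toto] -> [toto] FAILED with error NT_STATUS_INVALID_WORKSTATION
[2007/11/12 09:20:01, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [titi] -> [titi] FAILED with error NT_STATUS_INVALID_WORKSTATION
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
FAILED = re.compile(r"Authentication for user \[(?P<user>[^\]]+)\] -> \[[^\]]+\] FAILED with error (?P<status>NT_STATUS_\w+)")
LOOKUP_ERRORS = ("cannot access LDAP when not root", "could not create token for")

def parse_records(text):
    """Yield (timestamp, function, message) from Samba's header-line + indented-message format."""
    header = None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            header = m
        elif header and raw.startswith("  "):
            yield header["ts"], header["func"], raw.strip()

def classify_workstation_denials(text):
    """Label each INVALID_WORKSTATION failure as a lookup failure or a policy denial."""
    results, pending = [], []
    for ts, func, msg in parse_records(text):
        if any(e in msg for e in LOOKUP_ERRORS):
            pending.append((ts, msg))
            continue
        m = FAILED.search(msg)
        if m:
            if m["status"] == "NT_STATUS_INVALID_WORKSTATION":
                causes = [e for t, e in pending if t == ts]
                kind = "group-lookup-failure" if causes else "policy-denial"
                results.append((ts, m["user"], kind, causes))
            pending = []  # errors belong to the attempt that just ended
    return results
```

Run against a real log, `classify_workstation_denials(open(path).read())` returns one tuple per denied logon; entries labelled `group-lookup-failure` point at the LDAP backend rather than at the contents of sambaUserWorkstations.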
Comment 1 Frederic Nass 2007-11-12 04:30:27 UTC
Created attachment 2964
Config and Log Files

These are the complete config and (a little bit longer) log files that can also be found here : http://www.fichiers.univ-metz.fr/depot/nass/samba-debug.tgz
Comment 2 Björn Jacke 2020-02-14 20:21:53 UTC
userWorkstations is not designed to work with groups