[Samba] Samba domain member and wheel group

Tom McLaughlin tmclaugh at sdf.lonestar.org
Fri Sep 9 03:16:25 GMT 2005


Okay, got the answer so I'm just replying so this ends up in the
archives for posterity so someone else might not rack their brains.
The following is for mapping a domain group to a local Unix group on a
machine running samba in a domain member role.

DOMAIN = MEDITECH
MACHINE = PINKFLOYD
domain wide admin group = Domain Server Admin
Unix user group = wheel

1) Add nested group support in smb.conf and restart:
winbind nested groups = yes


2) Create a local SMB group on the machine.
net rpc group add "Unix Admins" -L -U PINKFLOYD+root 
					^^^^^
- Took me a while to realize since root isn't in the domain, I needed to
specify the local machine name.


3) Add the domain wide admin group to the new local group:
net rpc addmem "Unix Admins" "MEDITECH\Domain Server Admin" -U PINKFLOYD+root


4) Map the new local SMB group to the Unix admin group:
net groupmap modify ntgroup="Unix Admins" unixgroup=wheel

I hope this helps someone else.  It was the creation of the local SMB
group that tripped me up the entire time.

Thanks,
tom


On Tue, 2005-09-06 at 21:06 -0400, Tom McLaughlin wrote:
> Hi, I have a CentOS 4.1 box at work running Samba 3 which I have added
> as a domain member to an existing Windows domain with a Windows PDC.
> The box running Samba has no local unix users and groups except for root
> and the other builtin accounts.  All user authentication is done through
> pam_winbind and user information is handled by winbind.  What I would
> like to do is have users that are members of the Windows domain's Unix
> Admin global group gain membership to the local unix wheel group when
> they login via ssh to the Linux box.  Preferably without needing to
> touch the /etc/groups file at all.
> 
> I've read chapters 11 and 12 of the Samba How-To and I tried the
> following on the domain member running Samba based on the How-To:
> 
> net groupmap add ntgroup="Unix Admin" unixgroup=wheel
> 
> But when I ssh'ed in as my user who is a member of the Unix Admin group
> and run `groups` I do not see myself as a member of the wheel group.  I
> also can't alter files with wheel write permissions.  
> 
> After looking at the output of `net getdomainsid` and `net groupmap
> list` (by this time I had already deleted the Unix Admin -> wheel
> groupmap) I realized that the SIDs I see in the groupmap list correspond
> to the SID of the local machine and not the domain.  I also see that
> Unix Admin is not even listed as a group when I check the groups on the
> machine.
> 
> 
> [root at pinkfloyd ~]# net getdomainsid
> SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
> SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200
> 
> 
> [root at pinkfloyd ~]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
> Domain Guests (S-1-5-21-3074351591-431869502-3764789074-514) -> -1
> Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> 
> My question is how should I be going about mapping my domain group
> members so they gain membership to a local Unix group while they're
> logged in?  I've read the chapters in the How-To but I'm definitely
> missing something.  I realize now that I can't simply groupmap "Unix
> Admin" to wheel so there must be some intermediate steps in between.
> Can someone point me in the right direction?  Thanks.
> 
> Tom
> 
> 
> smb.conf:
> 
> # Global parameters
> [global]
>         workgroup = MEDITECH
>         server string = Samba Server
>         security = DOMAIN
>         password server = meditech3
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         name resolve order = lmhosts wins bcast
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         printcap name = /etc/printcap
>         os level = 0
>         preferred master = No
>         local master = No
>         domain master = No
>         dns proxy = No
>         wins server = lb:172.30.48.2, canton:172.30.16.2
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind separator = +
>         winbind use default domain = Yes
>         cups options = raw
> 
> [homes]
>         comment = Home Directories
>         read only = No
>         browseable = No
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
> 
> [public]
>         comment = Public Stuff
>         path = /var/samba/public
>         write list = "@Domain Server Admin"
>         guest ok = Yes
> 
> 
> -- 
> BSD# Project - Mono on FreeBSD
> http://www.mono-project.com/Mono:FreeBSD
> 
-- 
BSD# Project - Mono on FreeBSD
http://www.mono-project.com/Mono:FreeBSD
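A post-check for the four-step procedure at the top of this message, written here as an added example (not Tom's commands and not part of Samba): it classifies each `net groupmap list` entry by whether its SID prefix is the machine's or the domain's, which is exactly what exposed the problem in the original question, and reports what each entry maps to. The two SIDs are the ones printed in the thread; the listing lines, the `Unix Admins` RID 1003 and its `wheel` target are constructed sample input, so on a real domain member you would feed it the live output of `net getdomainsid` and `net groupmap list`.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the state that the
# four-step procedure (local SMB group -> add domain group -> groupmap)
# should leave behind, by classifying each `net groupmap list` entry's SID.

# SIDs as printed by `net getdomainsid` in the thread.
LOCAL_SID='S-1-5-21-3074351591-431869502-3764789074'   # PINKFLOYD
DOMAIN_SID='S-1-5-21-1698397751-1239680928-390482200'  # MEDITECH

# Constructed sample of `net groupmap list` after step 4; the "Unix Admins"
# RID (1003) and its mapping to wheel are assumed, not taken from the post.
# On a real box use: GROUPMAP_LIST=$(net groupmap list)
GROUPMAP_LIST='Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
Administrators (S-1-5-32-544) -> -1
Unix Admins (S-1-5-21-3074351591-431869502-3764789074-1003) -> wheel'

# sid_scope SID: prints builtin, local, domain or other, depending on whether
# the SID minus its trailing RID matches the machine SID or the domain SID.
sid_scope() {
    prefix=${1%-*}
    case "$1" in
        S-1-5-32-*) echo builtin ;;
        *)  case "$prefix" in
                "$LOCAL_SID")  echo local ;;
                "$DOMAIN_SID") echo domain ;;
                *)             echo other ;;
            esac ;;
    esac
}

# check_mapping "NT group": prints "missing" when the group has no groupmap
# entry at all (the original "Unix Admin" -> wheel attempt), otherwise
# "<scope>:<unix group>", where "-1" means no Unix group is mapped yet.
check_mapping() {
    line=$(printf '%s\n' "$GROUPMAP_LIST" | awk -v g="$1 (" 'index($0, g) == 1 { print; exit }')
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    sid=${line#*"("}
    sid=${sid%%")"*}
    target=${line##*"-> "}
    echo "$(sid_scope "$sid"):$target"
}

# Report every entry; a usable mapping shows a local-SID group with a real
# Unix group as its target.
printf '%s\n' "$GROUPMAP_LIST" | while IFS= read -r entry; do
    name=${entry%%" ("*}
    echo "$name => $(check_mapping "$name")"
done
```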