[Samba] Group mapping not working consistently

Ben Tisdall ben at redcircleit.com
Tue May 29 19:47:14 GMT 2007


I'm trying to understand why my group mapping doesn't work in a 
consistent fashion. I've studied "Important Samba-3.0.23 Change Notes" & 
chapter 13 of TOSHARG but am still struggling. I'm on 3.0.23a-1.fc4.1 
(Fedora Core 4) as a PDC, tdbsam backend.

'net groupmap list' gives this:

Domain Power Users (S-1-5-21-1365060548-1276164359-2333037906-31037) -> pwrusers
Domain Webmasters (S-1-5-21-1365060548-1276164359-2333037906-31031) -> webmaster
Staff (S-1-5-21-1365060548-1276164359-2333037906-3057) -> staff
Domain Admins (S-1-5-21-1365060548-1276164359-2333037906-512) -> root
General Managers (S-1-5-21-1365060548-1276164359-2333037906-3051) -> genmgrs
Domain Guests (S-1-5-21-1365060548-1276164359-2333037906-514) -> nobody
Caseworkers (S-1-5-21-1365060548-1276164359-2333037906-3053) -> caseworkers

'getent group webmaster' outputs this:

webmaster:x:15015:foo,bar,foobar

And 'net rpc group members "Domain Webmasters"' gives:

REDRESSTRUST\foo
REDRESSTRUST\bar
REDRESSTRUST\foo

So far so good, but in the case of 'getent group caseworkers':

caseworkers:x:1026:foo,bar.foobar

'net rpc group members "Caseworkers"' prints nothing.

The problem seems to be related to GIDs - new unix groups are created 
with GIDs above 15000 & mapping works fine, but mapping to existing 
groups with GIDs in the 1000 area seems to fail.

Here's my smb.conf:

[global]
workgroup = REDRESSTRUST
passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*
username map = /etc/samba/users.conf
syslog = 0
log level = 1
name resolve order = wins bcast hosts
time server = yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m "%u"
delete user script = /usr/sbin/userdel -r "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
add user to group script = /usr/sbin/usermod -a -G "%g" "%u"
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null "%u"
logon script = login.bat
logon drive = P:
domain logons = Yes
preferred master = Yes
wins support = Yes
printing = CUPS
#idmap uid = 15000-20000
#idmap gid = 15000-20000

Cheers.
-- 
Ben Tisdall
RedCircle IT Ltd, London NW1.
www.redcircleit.com
ben at redcircleit.com
+44 (0)20 7387 0351
+44 (0)7932 745803
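
An added example, not part of the original post: a small Python helper that parses the `net groupmap list` and `getent group` output formats shown above and lines up each mapped group's RID, Unix GID and members, so the working and failing mappings can be compared side by side. The sample input is copied from the post (wrapped lines rejoined); the function names are this example's own.

```python
import re

# Sample input copied from the post above (wrapped lines rejoined).
GROUPMAP = """\
Domain Webmasters (S-1-5-21-1365060548-1276164359-2333037906-31031) -> webmaster
Staff (S-1-5-21-1365060548-1276164359-2333037906-3057) -> staff
Caseworkers (S-1-5-21-1365060548-1276164359-2333037906-3053) -> caseworkers
"""
GETENT = """\
webmaster:x:15015:foo,bar,foobar
caseworkers:x:1026:foo,bar.foobar
"""

# "NT group name (SID) -> unix group", as printed by 'net groupmap list'.
MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Parse 'net groupmap list' lines into dicts with nt, sid, rid, unix."""
    rows = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["rid"] = int(row["sid"].rsplit("-", 1)[1])  # last SID component
            rows.append(row)
    return rows

def parse_getent(text):
    """Parse 'getent group' lines (name:passwd:gid:members), keyed by name."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4:
            name, _, gid, members = parts
            groups[name] = {"gid": int(gid),
                            "members": [m for m in members.split(",") if m]}
    return groups

def correlate(groupmap_text, getent_text):
    """Join each mapping with its Unix group; gid is None if no entry was given."""
    unix = parse_getent(getent_text)
    out = []
    for row in parse_groupmap(groupmap_text):
        g = unix.get(row["unix"])
        out.append({**row, "gid": g["gid"] if g else None,
                    "members": g["members"] if g else []})
    return out

if __name__ == "__main__":
    for r in correlate(GROUPMAP, GETENT):
        print(f'{r["nt"]:<20} rid={r["rid"]:<6} -> {r["unix"]:<12} gid={r["gid"]} {r["members"]}')
```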

