[Samba] BUILTIN groups mapping via winbind!!

[herman]

Kaustubh Chaudhari wrote:
>      Hi all,
>
>    When i create a group in AD and adds users in the same than with
>    #getent group i can see the group and its members properly.
>
>    But if i add a user to BUILTIN say BUILTIN Guests group than i dont 
> see
>    its members.
>    ==
>     kktest:x:10026:kk,Administrator
>     BUILTIN+Guests:x:10019:
>    ==
>
>    Here i have added kk user to both kktest and BUILTIN+Guests group. 
> But i
>    cant see kk associated with BUILTIN Guests.
>
>    I know that BUILTIN groups have pre defined sid by microsoft, and its
>    mapping is done separately.(I found this in idmap.c)
>
>    Is this a normal behavior?
>
>    Would appreciate if someone can explain the reasons for this.
>
>    Regards,
>    Kaustubh.
In general you need to define an Organizational Unit (OU), then define 
your groups and users inside that OU.  It should then show up with Samba 
winbind.

Some don'ts:
Don't rename anything.
Don't drag and drop anything from one OU to another OU.
Don't make a user in one OU a member of a group in another OU.
It is even not a good idea to delete anything.
If you need to fix a typing mistake, define a new record - don't try to 
edit the mistake.
Make frequent backups of ADS.

Some dos:
Apply security policies to OUs, not to users.
Run ADS on VMware, so that you can take snapshots as backups.

The reason for the above cautions is that ADS (mostly) work using the 
GUIDs, while Samba uses the text strings. So you don't want to get in a 
situation where ADS re-use an old GUID and changes to text strings are 
applied inconsistently, which confuses winbind, so changing any text 
string after it has been defined can also screw things up.

'Hope that helps!

Herman