[Samba] Samba domain member and wheel group
Tom McLaughlin
tmclaugh at sdf.lonestar.org
Wed Sep 7 01:06:22 GMT 2005
Hi, I have a CentOS 4.1 box at work running Samba 3 which I have added
as a domain member to an existing Windows domain with a Windows PDC.
The box running Samba has no local unix users and groups except for root
and the other builtin accounts. All user authentication is done through
pam_winbind and user information is handled by winbind. What I would
like to do is have users that are members of the Windows domain's Unix
Admin global group gain membership to the local unix wheel group when
they login via ssh to the Linux box. Preferably without needing to
touch the /etc/groups file at all.

I've read chapters 11 and 12 of the Samba How-To and I tried the
following on the domain member running Samba based on the How-To:

    net groupmap add ntgroup="Unix Admin" unixgroup=wheel

But when I ssh'ed in as my user who is a member of the Unix Admin group
and run `groups` I do not see myself as a member of the wheel group. I
also can't alter files with wheel write permissions.

After looking at the output of `net getdomainsid` and `net groupmap
list` (by this time I had already deleted the Unix Admin -> wheel
groupmap) I realized that the SIDs I see in the groupmap list correspond
to the SID of the local machine and not the domain. I also see that
Unix Admin is not even listed as a group when I check the groups on the
machine.

[root@pinkfloyd ~]# net getdomainsid
SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200
[root@pinkfloyd ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
Domain Guests (S-1-5-21-3074351591-431869502-3764789074-514) -> -1
Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1

My question is how should I be going about mapping my domain group
members so they gain membership to a local Unix group while they're
logged in? I've read the chapters in the How-To but I'm definitely
missing something. I realize now that I can't simply groupmap "Unix
Admin" to wheel so there must be some intermediate steps in between.
Can someone point me in the right direction? Thanks.
Tom
smb.conf:
# Global parameters
[global]
workgroup = MEDITECH
server string = Samba Server
security = DOMAIN
password server = meditech3
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = lmhosts wins bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
os level = 0
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = lb:172.30.48.2, canton:172.30.16.2
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[public]
comment = Public Stuff
path = /var/samba/public
write list = "@Domain Server Admin"
guest ok = Yes
--
BSD# Project - Mono on FreeBSD
http://www.mono-project.com/Mono:FreeBSD
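
The check described in the message above (comparing the SIDs in `net groupmap list` against `net getdomainsid`), as an added example that is not part of the original post: a Python script that parses both outputs, copied from the post and trimmed to five mappings, and reports which authority issued each mapped SID. Treating `-> -1` as "no Unix group mapped" is an assumption, and all function names are hypothetical.

```python
import re

# Command output copied from the post above, trimmed to five mappings.
GETDOMAINSID = """\
SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200
"""
GROUPMAP = """\
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
Domain Guests (S-1-5-21-3074351591-431869502-3764789074-514) -> -1
Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
Administrators (S-1-5-32-544) -> -1
"""

def parse_domain_sids(text):
    """Return {domain name: SID} from `net getdomainsid` output."""
    return dict(re.findall(r"^SID for domain (\S+) is: (S-[\d-]+)$", text, re.M))

def parse_groupmap(text):
    """Yield (nt_group, sid, unix_group) from `net groupmap list` output."""
    for line in text.splitlines():
        m = re.match(r"^(.+) \((S-[\d-]+)\) -> (.+)$", line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def classify(sid, domain_sids):
    """Name the authority that issued a SID: BUILTIN, a known domain, or unknown."""
    if sid.startswith("S-1-5-32-"):
        return "BUILTIN"
    prefix = sid.rsplit("-", 1)[0]  # drop the trailing RID
    return next((n for n, d in domain_sids.items() if d == prefix), "unknown")

def audit(groupmap_text, domainsid_text):
    """Return one dict per mapping: group, SID authority, and mapped flag."""
    doms = parse_domain_sids(domainsid_text)
    # Assumption: "-1" on the right-hand side means no Unix group is mapped.
    return [{"group": g, "authority": classify(s, doms), "mapped": u != "-1"}
            for g, s, u in parse_groupmap(groupmap_text)]

def domains_without_mappings(groupmap_text, domainsid_text):
    """List known domains that issued none of the SIDs in the group map."""
    used = {row["authority"] for row in audit(groupmap_text, domainsid_text)}
    return sorted(set(parse_domain_sids(domainsid_text)) - used)

if __name__ == "__main__":
    for row in audit(GROUPMAP, GETDOMAINSID):
        print("{group:18} {authority:10} mapped={mapped}".format(**row))
    print("no entries for:", domains_without_mappings(GROUPMAP, GETDOMAINSID))
```

On the post's output every non-builtin entry carries the PINKFLOYD (local machine) SID and none carries the MEDITECH domain SID, which is the mismatch the message describes.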