[Samba] unable to map windows to unix groups
Douglas VanLeuven
roamdad at sonic.net
Mon Aug 11 00:50:55 GMT 2008
jcdole at free.fr wrote:
> As I said, I did a fresh install of opensuse 10.3, samba, ldap.
>
> During the process, I filled the ldap database directly with an ldif file built
> using smbldap tools.
>
> (one item in that file -->
>
> dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: root
> sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
> sambaGroupType: 2
> displayName: Domain Admins
> description: Netbios Domain Administrators
> #sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
> #description: Netbios Domain Administrators
> )
>
> So you mean by doing this it is not necessary to map the native existing unix
> group "ntadmin" (gid 71) with "Domain Admins" ?
> (ntadmin appears in /etc/group and "Domain Admins" does not)
When you do getent group you're getting what's in the local /etc/group
and what's defined in the ldap group membership. See gidNumber above.
Using /etc/nsswitch.conf to define ldap lookups extends the /etc/passwd
and /etc/group membership so passwd and group uid/gid's can be defined
system wide and used by any unix machine.
So yes. Users belonging to group 512 are "Domain Admins". You need to
add users to this group when you want them to have related security
privileges. You should be able to chgrp 512 filename and have it show
as "Domain Admins" when you ls the directory. I haven't used the
smbldap tools package, but it looks like the most common windows groups
have already been defined for you. All you need to do is avoid using
the ldap passwd & group uid/gids in the local files. Yast tools will
probably not allow you to generate duplicates.
And yes, you only need to map groups when the unix name doesn't match
the windows name and you don't want samba to create the account on the
fly using whatever idmap backend you pick. Your idmap backend should
probably be idmap_ldap and accounts generated then become available
system wide using the same uid/gid's and network file sharing offers the
same membership security regardless of client machine access.
This is probably in a FAQ somewhere where the answer would be more
structured. I use the following to resolve my issues:
http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://us6.samba.org/samba/docs/man/Samba-Guide/
Since samba is evolving almost daily, sometimes the Howto syntax has been
modified in the current manifestation of the command. Always refer to
the current command documentation to resolve any discrepancies.
Doug
>
> Reading the samba documentation was not very clear for me.
>
> jcdole
>
>
> Selon Douglas VanLeuven <roamdad at sonic.net>:
>> It looks like you already have an existing unix group called "Domain
>> Admins" being pulled in from ldap. When that is true, there is no need
>> for groupmap and indeed it would appear it is illegal to map a windows
>> group that matches an existing unix group to another unix group.
>>
>> Doug
>>
>>
>> jcdole at free.fr wrote:
>>> Hello.
>>>
>>> After fresh install.
>>>
>>> Samba and ldap seem to run normally ( I can join win2k workstation to linux samba pdc ).
>>>
>>> Using yast I create a system group named domadmin
>>>
>>> But I am unable to map "Domain Admins" to domadmin
>>> I am unable to map "Domain Admins" to existing ntadmin group
>>>
>>> I am unable to modify mapping "Domain Admins" to domadmin group
>>>
>>> Thank you for helping.
>>>
>>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin
>>> rid=512 type=d
>>> adding entry for group Domain Admins failed!
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
>>> adding entry for group Domain Admins failed!
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
>>> Can't map to an unknown group type.
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
>>> Could not update group database
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV:~ net groupmap list
>>> request done: ld 0x555555c881e0 msgid 1
>>> request done: ld 0x555555c881e0 msgid 2
>>> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
>>> request done: ld 0x555555c881e0 msgid 3
>>> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
>>> request done: ld 0x555555c881e0 msgid 4
>>> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
>>> request done: ld 0x555555c881e0 msgid 5
>>> Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
>>> request done: ld 0x555555c881e0 msgid 6
>>> Administrators (S-1-5-32-544) -> Administrators
>>> request done: ld 0x555555c881e0 msgid 7
>>> Account Operators (S-1-5-32-548) -> Account Operators
>>> request done: ld 0x555555c881e0 msgid 8
>>> Print Operators (S-1-5-32-550) -> Print Operators
>>> request done: ld 0x555555c881e0 msgid 9
>>> Backup Operators (S-1-5-32-551) -> Backup Operators
>>> request done: ld 0x555555c881e0 msgid 10
>>> Replicators (S-1-5-32-552) -> Replicators
>>> request done: ld 0x555555c881e0 msgid 11
>>> Users (S-1-5-32-545) -> 15000
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV: # getent group
>>> at:!:25:
>>> ..............
>>> ..............
>>> domadmin:x:114:
>>> root:x:0:
>>> ...............
>>> ..............
>>> users:x:100:
>>> +::0:
>>> request done: ld 0x618d10 msgid 1
>>> Domain Admins:*:512:root,user_admin
>>> Domain Users:*:513:
>>> Domain Guests:*:514:
>>> Domain Computers:*:515:
>>> Administrators:*:544:
>>> Account Operators:*:548:
>>> Print Operators:*:550:
>>> Backup Operators:*:551:
>>> Replicators:*:552:
>>> request done: ld 0x618d10 msgid 2
>> It looks like you already have an existing unix group called "Domain
>> Admins" being pulled in from ldap. When that is true, there is no need
>> for groupmap and indeed it would appear it is illegal to map a windows
>> group that matches an existing unix group to another unix group.
>>
>> Doug
>>
>>
>
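Doug's advice above is to keep the LDAP-provided uid/gids out of the local files so getent never merges two groups onto one gid. The following is an added example, not code from the thread or from Samba: it parses group(5)-style output like the getent listing quoted above and reports gid and name collisions between the local file and the LDAP section, plus a small SID-to-RID helper for the sambaSID values shown. All sample data is constructed; "staff" is deliberately given gid 512 to trigger the check.

```python
"""Check local /etc/group against LDAP-provided groups for gid/name collisions.
Added example, not from the thread; sample data is constructed to resemble the
getent output quoted above (LDAP entries follow the '+::0:' compat line).
"""
import re

# Constructed sample of the local file: 'staff' deliberately reuses gid 512.
LOCAL_GROUP = """\
root:x:0:
ntadmin:x:71:
users:x:100:
domadmin:x:114:
staff:x:512:
+::0:
"""
# Constructed sample of the groups nsswitch pulls in from LDAP.
LDAP_GROUPS = """\
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
Administrators:*:544:
"""

def parse_group_db(text):
    """Parse group(5)-style lines into {name: (gid, members)}; skip '+' compat lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("+"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def find_collisions(local_text, ldap_text):
    """gid clashes: (gid, local name, ldap name); name clashes: names in both sources."""
    local = parse_group_db(local_text)
    ldap = parse_group_db(ldap_text)
    local_by_gid = {gid: name for name, (gid, _) in local.items()}
    gid_clashes = sorted((gid, local_by_gid[gid], name)
                         for name, (gid, _) in ldap.items()
                         if gid in local_by_gid and local_by_gid[gid] != name)
    name_clashes = sorted(set(local) & set(ldap))
    return gid_clashes, name_clashes

def rid_from_sid(sid):
    """RID (last component) of a SID such as S-1-5-21-...-512; raises on malformed input."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError(f"not a SID: {sid}")
    return int(sid.rsplit("-", 1)[1])
```

Run it against real data by substituting the output of `getent group` split at the `+::0:` line; a non-empty result means a local group and an LDAP group would be shown under the same gid.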