domain groups information & observation

Luke Kenneth Casson Leighton lkcl at switchboard.net
Thu May 7 18:46:09 GMT 1998


On Thu, 7 May 1998, Andrew Perrin - Demography wrote:

> Hmm.  domain groups = admins sounds suspiciously like I'll need to have a
> group on the unix side called admins... right?

nope.

>  Otherwise how will NT know who belongs to that group?

nt workstation knowing, and the administrator knowing because it's in
smb.conf are two different things that, in my mind, you have mixed up in
the two halves of your question.

nt workstation knows because it is told so through the LsaSamLogon
response.

> ---------------------------------------------------------------------
> Andrew J. Perrin - aperrin at demog.berkeley.edu - NT/Unix Admin/Support
> Department of Demography    -    University of California at Berkeley
> 2232 Piedmont Avenue #2120  -    Berkeley, California, 94720-2120 USA
> http://demog.berkeley.edu/~aperrin --------------------------SEIU1199
> 
> On Fri, 8 May 1998, Luke Kenneth Casson Leighton wrote:
> 
> > On Fri, 8 May 1998, Jeremy Allison wrote:
> > 
> > > Andrew Perrin - Demography wrote:
> > > > 
> > > > 1.) I'd be interested in any advice about using the domain groups stuff in
> > > > smb.conf -- specifically, how to map a unix group to an nt group (even
> > > > just unix:ntusers -> users and unix:ntadmins -> Administrators).  Has
> > > > anyone successfully done this?
> > > > 
> > > 
> > > That's something that needs work on in the code. It's on my
> > > todo list but it may take a couple of weeks to get to it (I
> > > need to fix the username map code first).
> > 
> > is it on dana canfield's TODO list?
> > 
> > no it isn't.  dana, can you put "add a 'map groupname' smb.conf parameter
> > which does what map username does, but for unix->nt groups, instead?" on
> > the "medium priority" TODO list?
> >  
> > > Hmmmm. I'm not a profiles expert (but I know a man who is :-).
> > > 
> > > Luke ..... comments ?
> > 
> > wheuuur!  what???  woke me up, there, for a minute.  yes, we may have a
> > bit of confusion where all users in "domain admin users" get mapped to the
> > same RID...
> > 
> > hm.  i seem to have made a mistake.  it is used in two places.  one is in
> > "name_to_rid()" where this converts _user_ RIDs to DOMAIN_USER_RID_ADMIN,
> > and also in "get_domain_user_groups()" where this converts _group_ RIDs to
> > DOMAIN_GROUP_RID_ADMINS.
> > 
> > oops.
> > 
> > AH!  try this:
> > 
> > "domain groups = admins".
> > 
> > :-)
> > 
> 


