Inconsistency between groupmap "Domain Admins" and _lsa_add_acct_rights() checking

Nik Conwell nik at
Wed May 2 12:19:38 GMT 2007

(I guess this could be a HOWTO bug as well.)

I'm part of an AD domain.

To be considered an admin on the samba box, the howto says:

   net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512  

When I do that net groupmap list shows:

Domain Admins ([LOCALSID]-512) -> domadm

But, when assigning privs by a member of the unix group domadm via:

   net -Unik rpc rights grant joe SePrintOperatorPrivilege

it ends up checking Domain Admins with the [DOMAINSID]-512.

In _lsa_add_acct_rights() if you're not root it calls  
nt_token_check_domain_rid(), which ends up using the domain_sid.   
But, since my account sid includes [LOCALSID]-512 and not  
[DOMAINSID]-512 I never get a good sid match and so get denied.

Certainly, adding my groupmap "Domain Admins" with sid  
[DOMAINSID]-512 is enough to get the net rpc rights grant working.

I don't know enough to stipulate that groupmap add type=d should use
the DOMAINSID, but it seems that way.  Or, should _lsa_add_acct_rights()
be updated to also check the [LOCALSID]-512 sid as well as the
[DOMAINSID]-512 sid?


Nik Conwell     Boston University
nik at
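As an added example (not from Nik's post and not Samba's own code), here is a small shell check that reads `net groupmap list` output and flags domain-relative mappings (S-1-5-21-...) whose SID prefix is not the AD domain SID, which is exactly the [LOCALSID]-512 versus [DOMAINSID]-512 mismatch described above. The group names and SIDs are constructed placeholders; on a real member server the two literals would come from `net groupmap list` and `net getdomainsid`.

```bash
#!/bin/bash
# Added example: detect groupmap entries whose SID is under the wrong
# domain prefix. Not part of the original post or of Samba.

# Constructed sample in the format "net groupmap list" prints (placeholder SIDs).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadm
Domain Users (S-1-5-21-4444444444-5555555555-6666666666-513) -> domusers
Print Operators (S-1-5-32-550) -> printops'

# Constructed AD domain SID (in real use: the value reported by "net getdomainsid").
DOMAIN_SID='S-1-5-21-4444444444-5555555555-6666666666'

# sid_prefix SID -> SID with its trailing RID removed
sid_prefix() { printf '%s\n' "${1%-*}"; }

# sid_rid SID -> the trailing RID only
sid_rid() { printf '%s\n' "${1##*-}"; }

# check_groupmap GROUPMAP_OUTPUT DOMAIN_SID
# Prints one MISMATCH line per S-1-5-21-* mapping whose prefix differs from
# DOMAIN_SID. Returns 0 if every domain-relative mapping matches, 1 otherwise.
# Builtin aliases (S-1-5-32-*) are skipped: they are never domain-relative.
check_groupmap() {
    local mappings="$1" domain_sid="$2" rc=0 line name sid
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        # Pull the parenthesised SID and the NT group name that precedes it.
        sid=$(printf '%s\n' "$line" | sed -n 's/^.*(\(S-[0-9-]*\)).*$/\1/p')
        name=${line%% (*}
        if [ -z "$sid" ]; then continue; fi
        case "$sid" in
            S-1-5-21-*) ;;
            *) continue ;;
        esac
        if [ "$(sid_prefix "$sid")" != "$domain_sid" ]; then
            printf 'MISMATCH: %s has RID %s under %s, expected %s\n' \
                "$name" "$(sid_rid "$sid")" "$(sid_prefix "$sid")" "$domain_sid"
            rc=1
        fi
    done <<EOF
$mappings
EOF
    return $rc
}

# Stand-alone run against the constructed sample. A flagged entry is the case
# the post describes; re-adding it with sid=<DOMAINSID>-512 (the sid= form of
# "net groupmap add") is what made "net rpc rights grant" work there.
check_groupmap "$SAMPLE_GROUPMAP" "$DOMAIN_SID" || echo "groupmap needs fixing"
```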
