Inconsistency between groupmap "Domain Admins" and _lsa_add_acct_rights() checking
Gerald (Jerry) Carter
jerry at samba.org
Wed May 2 13:19:42 GMT 2007
Nik Conwell wrote:
> (I guess this could be a HOWTO bug as well.)
> I'm part of an AD domain.
> To be considered an admin on the samba box, the howto
> net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
> When I do that net groupmap list shows:
> Domain Admins ([LOCALSID]-512) -> domadm
> But, when assigning privs by a member of the unix group domadm via:
> net -Unik rpc rights grant joe SePrintOperatorPrivilege
> it ends up checking Domain Admins with the [DOMAINSID]-512.
> In _lsa_add_acct_rights() if you're not root it calls
> nt_token_check_domain_rid(), which ends up using the domain_sid. But,
> since my account sid includes [LOCALSID]-512 and not [DOMAINSID]-512 I
> never get a good sid match and so get denied.
> Certainly, adding my groupmap "Domain Admins" with sid [DOMAINSID]-512
> is enough to get the net rpc rights grant working.
> I don't know enough to stipulate that groupmap add type=d should use the
> DOMAINSID, but it seems that way. Or, should _lsa_add_acct_rights() be
> updated to also check the [LOCALSID]-512 sid as well as the
> [DOMAINSID]-512 sid?
Specify the full sid instead of just the rid to "net groupmap add".
The HOWTO is for a Samba DC IIRC.
Hope this helps.
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
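The mismatch the thread describes, as an added model that is not Samba's code: a minimal version of the domain-SID check that nt_token_check_domain_rid() performs, run against a token whose "Domain Admins" entry came from a groupmap made with rid=512 only (which the post shows pairing with the member server's local SID) and against one made with the full domain SID. All SID values are constructed, and groupmap_sid() only imitates the observed behaviour of "net groupmap add".

```python
from typing import Optional, Sequence, Tuple

DOMAIN_ADMINS_RID = 512
LOCAL_SID = "S-1-5-21-1111-2222-3333"   # constructed: the member server's own SID
DOMAIN_SID = "S-1-5-21-4444-5555-6666"  # constructed: the AD domain's SID


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-512' into its domain part and trailing RID."""
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {sid}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def token_check_domain_rid(token_sids: Sequence[str], domain_sid: str, rid: int) -> bool:
    """True only if the token holds <domain_sid>-<rid>.

    Mirrors the check the post describes: the domain SID is fixed, so a SID
    with the same RID under a different (local) prefix never matches.
    """
    for sid in token_sids:
        prefix, sid_rid = split_sid(sid)
        if prefix == domain_sid and sid_rid == rid:
            return True
    return False


def groupmap_sid(rid: int, sid: Optional[str] = None) -> str:
    """Model of 'net groupmap add': rid= alone yields [LOCALSID]-rid, sid= is used verbatim."""
    return sid if sid else f"{LOCAL_SID}-{rid}"


def demo() -> Tuple[bool, bool]:
    """Return (result with rid-only mapping, result with full-SID mapping)."""
    everyone = "S-1-1-0"
    # Mapping created with rid=512 only: joe's token carries [LOCALSID]-512.
    token_rid_only = [everyone, groupmap_sid(DOMAIN_ADMINS_RID)]
    # Mapping created with the full domain SID: joe's token carries [DOMAINSID]-512.
    token_full_sid = [everyone, groupmap_sid(DOMAIN_ADMINS_RID, f"{DOMAIN_SID}-{DOMAIN_ADMINS_RID}")]
    return (
        token_check_domain_rid(token_rid_only, DOMAIN_SID, DOMAIN_ADMINS_RID),   # False: denied
        token_check_domain_rid(token_full_sid, DOMAIN_SID, DOMAIN_ADMINS_RID),   # True: granted
    )


if __name__ == "__main__":
    print(demo())  # (False, True)
```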