Inconsistency between groupmap "Domain Admins" and _lsa_add_acct_rights() checking

Gerald (Jerry) Carter jerry at
Wed May 2 13:19:42 GMT 2007


Nik Conwell wrote:
> (I guess this could be a HOWTO bug as well.)
> I'm part of an AD domain.
> To be considered an admin on the samba box, the howto
> says:
>   net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
> When I do that net groupmap list shows:
> Domain Admins ([LOCALSID]-512) -> domadm
> But, when assigning privs by a member of the unix group domadm via:
>   net -Unik rpc rights grant joe SePrintOperatorPrivilege
> it ends up checking Domain Admins with the [DOMAINSID]-512.
> In _lsa_add_acct_rights() if you're not root it calls
> nt_token_check_domain_rid(), which ends up using the domain_sid.  But,
> since my account sid includes [LOCALSID]-512 and not [DOMAINSID]-512 I
> never get a good sid match and so get denied.
> Certainly, adding my groupmap "Domain Admins" with sid [DOMAINSID]-512
> is enough to get the net rpc rights grant working.
> I don't know enough to stipulate that groupmap add type=d should use the
> DOMAINSID, but it seems that way.  Or, should _lsa_add_acct_rights() be
> updated to also check the [LOCALSID]-512 sid as well as the
> [DOMAINSID]-512 sid?

Specify the full sid instead of just the rid to "net groupmap add".
The HOWTO is for a Samba DC IIRC.

Hope this helps.

cheers, jerry
Samba
Centeris
"What man is a man who does not make the world better?"      --Balian
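The following is an added example, not code from the thread or from Samba itself. It shows the difference between the two SIDs Nik saw and builds the groupmap command Jerry recommends: on a domain member, take the domain SID (not the machine's local SID) and pass the full SID to `net groupmap add`, since `rid=512` alone is resolved against the local SID. The `net getdomainsid` output embedded below is constructed sample data, and the line format it parses is assumed from Samba's `net` utility; the SID values, host name `FILESRV` and domain name `EXAMPLE` are placeholders. Nothing here runs `net` itself; it only prints the command to run.

```shell
#!/bin/sh
# Added example (not part of the original thread or of Samba).
# Derives the domain SID from `net getdomainsid` output and builds the
# "Domain Admins" groupmap with the full SID instead of rid=512.

# Constructed sample of `net getdomainsid` output on a domain member.
# Line format is assumed; substitute the real output from your server.
SAMPLE_GETDOMAINSID='SID for local machine FILESRV is: S-1-5-21-1111111111-2222222222-3333333333
SID for domain EXAMPLE is: S-1-5-21-4444444444-5555555555-6666666666'

# Pull the domain SID line (the one rights checks are made against).
domain_sid_from_getdomainsid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain [^ ]* is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# Pull the local machine SID line (the one rid=512 is silently mapped under).
local_sid_from_getdomainsid() {
    printf '%s\n' "$1" | sed -n 's/^SID for local machine [^ ]* is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# A domain SID has exactly three sub-authorities after S-1-5-21.
is_domain_sid() {
    printf '%s' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# Append a RID to a domain SID: S-1-5-21-a-b-c + 512 -> S-1-5-21-a-b-c-512.
# Refuses anything that is not a bare domain SID (e.g. S-1-5-32, or a SID
# that already carries a RID).
sid_with_rid() {
    is_domain_sid "$1" || { echo "not a domain SID: $1" >&2; return 1; }
    printf '%s-%s\n' "$1" "$2"
}

# Print the groupmap command with the full domain SID (does not execute it).
groupmap_add_cmd() {
    dsid=$(domain_sid_from_getdomainsid "$1") || return 1
    [ -n "$dsid" ] || { echo "no domain SID found in input" >&2; return 1; }
    printf 'net groupmap add sid=%s ntgroup="Domain Admins" unixgroup=domadm type=d\n' \
        "$(sid_with_rid "$dsid" 512)"
}

# Demonstration: the command to run, and the SID rid=512 would have produced.
groupmap_add_cmd "$SAMPLE_GETDOMAINSID"
lsid=$(local_sid_from_getdomainsid "$SAMPLE_GETDOMAINSID")
echo "rid=512 alone maps to: $(sid_with_rid "$lsid" 512)  (local SID, never in a domain user's token)"
```

After running the printed command, `net groupmap list` should show `Domain Admins` against the domain SID with RID 512, which is the SID `nt_token_check_domain_rid()` builds from the domain SID and compares against the caller's token.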


More information about the samba-technical mailing list