A potential issue to be aware of in Likewise-Samba integration projects

Richard Sharpe realrichardsharpe at gmail.com
Thu Oct 13 21:43:14 MDT 2011


On Wed, Oct 12, 2011 at 8:06 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> Hi folks,
>
> I have recently come across a problem relating to projects that run
> Samba for file and print services and replace Winbind with Likewise
> Open or Likewise Enterprise.
>
> Likewise has a Samba integration command that allows their
> authentication piece to be used instead of Winbindd.
>
> It seems, however, and I am waiting on confirmation from someone in
> Likewise, that when you join a domain using the Likewise
> domainjoin-cli, they do not add entries to the group map database for
> BUILTIN\Administrators and BUILTIN\Users. This has consequences when
> certain applications place SDs on directories when they use those
> BUILTIN groups and expect things to work.
>
> However, because those groups/aliases and their contents do not exist,
> certain file accesses (e.g., creation) fail.
>
> If it is indeed true that Likewise has that behavior, there is a workaround.
>
> Use the Likewise lsa tool to extract the SIDs of the relevant domain
> groups after you have joined an AD domain and add them to the group
> mapping file manually before you start smbd.
>
> I cannot currently provide the commands I used, but should be able to
> do so in a couple of days.

Here are the commands to effect the workaround:

net groupmap add sid=S-1-5-32-544 unixgroup=1544 ntgroup=BUILTIN\\Administrators type=local

net groupmap addmem S-1-5-32-544 `/opt/likewise/bin/lw-lsa find-objects DOMAIN\\\\Domain^Admins | grep "Group object" | cut -f2 -d\( | cut -d\) -f1`

Note that unixgroup=1544 is probably a problem as well, since it is
possible that you have used such a GID when you installed Likewise, so
you really should use the find-objects command to lw-lsa to query the
group number for BUILTIN\Administrators as well.

Also, you should do the same as the above for BUILTIN\Users and add
the SID for DOMAIN\Domain Users to that group as well.


-- 
Regards,
Richard Sharpe
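
The workaround above, extended to BUILTIN\Users, as an added example that is not part of the original post. It is a dry run that prints the net groupmap commands and refuses to emit them unless the value parsed from lw-lsa looks like a domain SID. Assumptions: the lw-lsa output has a "Group object" line with the SID in parentheses (inferred from the grep/cut pipeline in the post), the sample output is constructed, and GID 1545 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run: prints the commands
# instead of running them, so they can be reviewed before smbd is started.

# Pull the SID out of "lw-lsa find-objects" output read from stdin.
# Assumes, as the pipeline in the post does, a "Group object" line with the
# SID in parentheses.
extract_group_sid() {
    grep "Group object" | head -n 1 | cut -d'(' -f2 | cut -d')' -f1
}

# Accept only a domain SID (S-1-5-21-<three sub-authorities>-<RID>). Empty
# output or an error message must never reach "net groupmap addmem".
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}-[0-9]+$'
}

# Print the two commands for one BUILTIN alias.
# $1 alias SID, $2 alias name, $3 Unix GID, $4 lw-lsa output for the member
groupmap_commands() {
    member_sid=$(printf '%s\n' "$4" | extract_group_sid)
    if ! is_domain_sid "$member_sid"; then
        echo "refusing: no valid domain SID for the member of BUILTIN\\$2" >&2
        return 1
    fi
    printf 'net groupmap add sid=%s unixgroup=%s ntgroup="BUILTIN\\%s" type=local\n' \
        "$1" "$3" "$2"
    printf 'net groupmap addmem %s %s\n' "$1" "$member_sid"
}

# Constructed sample output; real lw-lsa output may carry more fields.
SAMPLE_ADMINS='Group object [1 of 1] (S-1-5-21-1111111111-2222222222-3333333333-512)'
SAMPLE_USERS='Group object [1 of 1] (S-1-5-21-1111111111-2222222222-3333333333-513)'

# S-1-5-32-544 / S-1-5-32-545 are the well-known BUILTIN\Administrators and
# BUILTIN\Users SIDs. The GIDs are placeholders: query the real ones, since
# the post warns that 1544 may already be in use.
groupmap_commands S-1-5-32-544 Administrators 1544 "$SAMPLE_ADMINS"
groupmap_commands S-1-5-32-545 Users 1545 "$SAMPLE_USERS"
```

To use it against a live join, pass the real output of lw-lsa find-objects as the fourth argument and review the printed commands before running them.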

