Can't add users to well known groups...code patch (quick hack/commented out problem code seems to fix)...

Linda Walsh samba at tlinx.org
Fri Sep 9 21:04:58 MDT 2011


Cc: samba at lists.samba.org


Well, this code patch seems to fix the problem with my missing groups...


Seems like because they were declared as well known groups (Domain Admins,
Domain Users...etc.), they weren't being listed...

Seems a bit odd for a PDC to not list well known groups... no?

It looks like the code was intended to prevent people from using
the BUILTIN groups -- which doesn't seem to make a lot of sense
either.

Can someone clarify why we shouldn't be able to add/subtract from
well known or builtin groups?

MS publishes a list of well known groups that most domains would expect
to have, but when I tried to add them to my domain, they all became
unlistable and unusable.

Color me confused?

-linda






Linda Walsh wrote:
> I created the well known group Domain Admins pointing to a local group,
> but I am not able to add users to the group -- it claims I can only
> add users to local or global groups...
>
> But I only see local, domain, well-known, builtin.
>
> There are no global groups unless one would include all groups that are
> not local (i.e. domain, well-known, and builtin)....
>
> So why doesn't it want to let me add to my domain admins group when it is
> defined as a well known group (which it is, according to MS)...
>




--- net_sam.c      2011-08-03 11:24:05.000000000 -0700
+++ net_sam.c   2011-09-09 19:27:39.190245264 -0700
@@ -1208,7 +1208,7 @@
               }
       }

-       if ((grouptype == SID_NAME_ALIAS) || (grouptype == 
SID_NAME_WKN_GRP)) {
+       if ((grouptype == SID_NAME_ALIAS) ) {
               if ((membertype != SID_NAME_USER) &&
                   (membertype != SID_NAME_DOM_GRP)) {
                       d_fprintf(stderr, _("%s is a local group, only 
users "
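Review bot: With SID_NAME_WKN_GRP dropped from this condition, well-known groups no longer pass through the membertype check just below it (only SID_NAME_USER and SID_NAME_DOM_GRP are accepted), so whichever branch now handles them needs an equivalent restriction on what may be added to a group such as Domain Admins. The new condition also keeps a redundant inner pair of parentheses and a stray space; `if (grouptype == SID_NAME_ALIAS) {` is enough.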
@@ -1224,7 +1224,7 @@
                                 "with %s\n"), nt_errstr(status));
                       return -1;
               }
-       } else if (grouptype == SID_NAME_DOM_GRP) {
+       } else if (grouptype == SID_NAME_DOM_GRP || grouptype == 
SID_NAME_WKN_GRP) {
               uint32_t grouprid, memberrid;

               sid_peek_rid(&group, &grouprid);
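Review bot: The widened `else if` sends SID_NAME_WKN_GRP into a branch that reduces the group to a RID with `sid_peek_rid(&group, &grouprid)`, which looks only at the last sub-authority of the SID. Nothing visible in this hunk checks that a well-known group's SID belongs to the local domain before that RID is used, so add such a check (or a comment explaining why it is not needed) before treating the two types identically. The new line is also long enough that the mailer wrapped it; splitting the condition over two lines would keep the patch appliable.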
@@ -1284,8 +1284,7 @@
               }
       }

-       if ((grouptype == SID_NAME_ALIAS) ||
-           (grouptype == SID_NAME_WKN_GRP)) {
+       if (grouptype == SID_NAME_ALIAS) {
               status = pdb_del_aliasmem(&group, &member);

               if (!NT_STATUS_IS_OK(status)) {
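Review bot: After this change `pdb_del_aliasmem()` is never called for SID_NAME_WKN_GRP, so any membership that was stored as an alias member of a well-known group before the patch has no removal path through this command. If that is intended, say so in the commit message; otherwise keep a fallback for existing alias memberships.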
@@ -1293,7 +1292,7 @@
                                 "with %s\n"), nt_errstr(status));
                       return -1;
               }
-       } else if (grouptype == SID_NAME_DOM_GRP) {
+       } else if (grouptype == SID_NAME_DOM_GRP || SID_NAME_WKN_GRP) {
               uint32_t grouprid, memberrid;

               sid_peek_rid(&group, &grouprid);
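Review bot: The new condition `grouptype == SID_NAME_DOM_GRP || SID_NAME_WKN_GRP` is missing its second comparison. SID_NAME_WKN_GRP on its own is a non-zero constant, so this `else if` is always true and every non-alias group type takes the domain-group delete path. It should read `grouptype == SID_NAME_DOM_GRP || grouptype == SID_NAME_WKN_GRP`, matching the add-member hunk above.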
@@ -1349,8 +1348,7 @@
               return -1;
       }

-       if ((grouptype == SID_NAME_ALIAS) ||
-           (grouptype == SID_NAME_WKN_GRP)) {
+       if (grouptype == SID_NAME_ALIAS) {
               status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
                                          &num_members);
               if (!NT_STATUS_IS_OK(status)) {
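Review bot: This hunk removes SID_NAME_WKN_GRP from the `pdb_enum_aliasmem()` branch but, unlike the add and delete hunks, does not add it to any other branch. The code following this `if` is not shown, so please confirm that listing members of a well-known group now reaches the domain-group enumeration and does not fall through to an error path; if it needs the same `|| grouptype == SID_NAME_WKN_GRP` change, include it in this patch.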
--- net_groupmap.c 2011-08-03 11:24:05.000000000 -0700
+++ net_groupmap.c      2011-09-09 19:30:32.840929705 -0700
@@ -444,12 +444,12 @@
               return -1;
        }

-       if (map.sid_name_use == SID_NAME_WKN_GRP) {
+       /*if (map.sid_name_use == SID_NAME_WKN_GRP) {
               d_fprintf(stderr,
                         _("You can only change between domain and local "
                           "groups.\n"));
               return -1;
-       }
+       }*/

       map.sid_name_use=sid_type;

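Review bot: The SID_NAME_WKN_GRP guard is disabled by wrapping it in a comment instead of being removed, which leaves dead code in the tree. This check was the only thing visible here that stopped a well-known mapping from being retyped before `map.sid_name_use=sid_type;`, so either delete it with a commit message explaining why the restriction is wrong, or narrow it to the cases that should still be refused.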
@@ -630,13 +630,15 @@
       /* Now we have a mapping entry, update that stuff */

       if ( c->opt_localgroup || c->opt_domaingroup ) {
-               if (map.sid_name_use == SID_NAME_WKN_GRP) {
+       /*
+        * f (map.sid_name_use == SID_NAME_WKN_GRP) {
                       d_fprintf(stderr,
                                 _("Can't change type of the BUILTIN "
                                   "group %s\n"),
                                 map.nt_name);
                       return -1;
               }
+       */
       }

       if (c->opt_localgroup)
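Review bot: The commented-out line reads `* f (map.sid_name_use == SID_NAME_WKN_GRP) {`, so the `if` was damaged while editing, and the enclosing `if ( c->opt_localgroup || c->opt_domaingroup ) {` is left with an empty body. Delete the outer block outright instead of keeping it as dead code. Note also that the error text says BUILTIN while the test is on SID_NAME_WKN_GRP; that mismatch is worth resolving before the check is dropped.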



