[Samba] group mappings pitfalls in samba 3

Andrew Gaffney agaffney at technaut.darktalker.net
Tue Dec 9 16:15:49 GMT 2003

I have recently run across this problem and would like to warn people about it. I had an 
already established domain running under Samba 2.2.8. I then upgraded to 3.0. I removed 
the 'domain admin users = root' line from my smb.conf because certain tools complained 
about it being there. After the upgrade, I followed the Samba 3 HOWTO docs on samba.org. I 
created my domadm, domguests, and domusers groups. I used the command 'net groupmap add 
ntgroup="Domain Admins" UNIXgroup=domadm' to map the groups together. This should have had 
the same effect as having the 'domain admin users = root' line in 2.2.8, but whenever I 
would log on to any computer in the domain with the user 'root', the user would be a 
regular restricted user. I got output like this from 'net groupmap list':

System Operators (S-1-5-32-549) -> -1
Dispatch (S-1-5-21-124999916-2847287174-2328787173-1831) -> dispatch
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-124999916-2847287174-2328787173-1833) -> domusers
Domain Admins (S-1-5-21-124999916-2847287174-2328787173-1825) -> domadm
Domain Guests (S-1-5-21-124999916-2847287174-2328787173-1835) -> domguests
Mechanics (S-1-5-21-124999916-2847287174-2328787173-1827) -> mech
Instructors (S-1-5-21-124999916-2847287174-2328787173-1837) -> instructors
Accounting (S-1-5-21-124999916-2847287174-2328787173-1829) -> accounting
Domain Admins (S-1-5-21-124999916-2847287174-2328787173-512) -> -1
Domain Guests (S-1-5-21-124999916-2847287174-2328787173-514) -> -1
Domain Users (S-1-5-21-124999916-2847287174-2328787173-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Apparently, the default groups already existed, but were not used in the mapping. Instead, 
new groups with the same name (but not the same GID) were created and mapped. So, my user 
was in the Domain Admins group but not THE Domain Admins group. I'm not quite sure if this 
is a flaw in the HOWTO or if this only happens when upgrading from 2.2.x. I was able to 
fix this problem by deleting the group mappings and remapping with 'net groupmap modify 
ntgroup="Domain Admins" UNIXgroup=domadm'. I just made these changes and am not on site 
to test whether they worked, but I have a hunch that they did.

Andrew Gaffney
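An added audit check, not part of Andrew's post, that reads 'net groupmap list' output and flags the two symptoms he describes: a well-known domain RID (512, 513, 514) still mapped to -1, and a second entry with the same NT name under an ordinary RID, which is what 'net groupmap add' produced instead of mapping the built-in group. The sample input is constructed from the output in the post; the function name audit_groupmap is assumed.

```shell
# Added example, not from the original post: audit 'net groupmap list' output.
# RIDs 512/513/514 (Domain Admins/Users/Guests) must map to a UNIX group; a
# second entry with the same NT name but an ordinary RID is the duplicate that
# 'net groupmap add' created instead of mapping the built-in group.

# Constructed sample modelled on the output in the post. With a live server,
# feed the real output instead:  net groupmap list | audit_groupmap
SAMPLE='Domain Users (S-1-5-21-124999916-2847287174-2328787173-1833) -> domusers
Domain Admins (S-1-5-21-124999916-2847287174-2328787173-1825) -> domadm
Domain Admins (S-1-5-21-124999916-2847287174-2328787173-512) -> -1
Domain Guests (S-1-5-21-124999916-2847287174-2328787173-514) -> -1
Domain Users (S-1-5-21-124999916-2847287174-2328787173-513) -> -1
Administrators (S-1-5-32-544) -> -1'

# audit_groupmap: reads groupmap lines on stdin, prints one finding per line.
# Exit status 1 if anything was flagged, 0 if the well-known groups look sane.
audit_groupmap() {
    awk '
    {
        # Line layout: <NT name, may contain spaces> (<SID>) -> <unixgroup or -1>
        sid = $0;  sub(/^.*\(/, "", sid);  sub(/\).*$/, "", sid)
        name = $0; sub(/ \(.*$/, "", name)
        unix = $NF
        rid = sid; sub(/^.*-/, "", rid)
        if (rid == "512" || rid == "513" || rid == "514") {
            builtin_unix[name] = unix; builtin_rid[name] = rid
        } else if (sid ~ /^S-1-5-21-/) {
            # an ordinary domain RID reusing a built-in name is the duplicate
            custom_rid[name] = rid
        }
    }
    END {
        for (n in builtin_unix) {
            if (builtin_unix[n] == "-1") {
                printf "UNMAPPED: %s (RID %s) has no UNIX group\n", n, builtin_rid[n]
                bad = 1
            }
            if (n in custom_rid) {
                printf "DUPLICATE: %s also exists as RID %s; delete it and use net groupmap modify on RID %s\n", n, custom_rid[n], builtin_rid[n]
                bad = 1
            }
        }
        exit bad
    }'
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE" | audit_groupmap; then echo "groupmap OK"; else echo "fix the mappings above"; fi
```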
