[Samba] RE: Secondary Groups and Group Mapping

Klinger, John (N-CSC) john.klinger at lmco.com
Tue Dec 16 16:06:07 GMT 2003


Okay, we have the "net groupmap" command running without errors. We had to add the unixgroup/gid to both the /etc/group file and Samba's OpenLDAP before groupmap would work without errors. I suspect that we could remove the dependence on /etc/group by modifying nsswitch.conf to add ldap for group resolution [currently just "files winbind" for passwd and group]. We'll be looking at that today.

However, after I established the groupmap, it still doesn't work as I expected. Using the example from my earlier post, if I log into Solaris with user1, who has "LOTR+fairfolk" as his primary group in AD, I thought Samba would translate that to the unix group "elves". What we are seeing is that if I log into Unix as this user and create a file, the group for that file is LOTR+fairfolk. An "id -a" lists "LOTR+fairfolk" in his groups, but not "elves". Furthermore, if I create another file owned by "user2:elves", I expected user1 to be able to access it due to the mapping. He can't; again it appears that Unix only sees him as belonging to "LOTR+fairfolk". I've reread the documentation, and it appears my understanding of groupmap is correct. What am I missing here? What is groupmap supposed to do?

We've downloaded 3.0.1 with hopes it helps resolve these issues. We still have the above groupmap issues. We haven't tried the secondary group access yet.

john



-----Original Message-----
From: Klinger, John (N-CSC)
Sent: Monday, December 15, 2003 4:59 PM
To: 'samba at lists.samba.org'
Subject: Secondary Groups and Group Mapping

We are having what appear to be two main issues in our attempt to set up Samba 3.0.0 compiled from src on Solaris 8. We are using Samba to provide Unix shares to W2K clients, and to authenticate against a W2K Active Directory server. OpenLDAP is used on the Samba side for the UID/GID to SID mappings.

The first issue deals with the file sharing. Even if a file gives full permission to one of a user's secondary groups, that user cannot access the file. The user can only access the file (or directory) if the file's group is the user's primary group. I've found several references on the web and in https://bugzilla.samba.org, which seem to indicate that the bug is fixed. However, we also tried this with 3.0.1rc2 and have the same problem, which makes us think it is a configuration error or something we haven't found related to nsswitch.

The second issue deals with groupmap. Again, searches haven't turned up anything fruitful. When we execute commands similar to the following:

  groupadd elves
  net groupmap add ntgroup=LOTR+fairfolk unixgroup=elves

We always get the following error:

No rid or sid specified, choosing algorithmic mapping
adding entry for group LOTR+fairfolk failed!
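The thread above turns on the difference between what Samba's group map records (the `net groupmap` entry for LOTR+fairfolk) and what the operating system resolves for the logged-in user (the groups shown by `id -a` through winbind's NSS module). The script below is an added example, not code from the post or from the Samba project: it parses constructed samples of `net groupmap list` output, `id -a` output and nsswitch.conf, and reports whether the unix group the map assigns to an NT group is actually present in the user's group list. All SIDs, uids, gids and the `mapping_effective`/`groupmap_unix_for`/`id_has_group`/`nss_sources_for` helper names are this example's own; on a real host you would feed the functions the live command output instead of the samples.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Samba project.
# Separates "what Samba's group map says" from "what the OS resolves for the
# user". The three SAMPLE_* values are constructed to look like the output of
# `net groupmap list`, `id -a` and the contents of /etc/nsswitch.conf on a
# winbind-backed host; every SID, uid and gid in them is a made-up value.

# Constructed: `net groupmap list` prints "<ntgroup> (<SID>) -> <unixgroup>" per line.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111-2222-3333-512) -> wheel
LOTR+fairfolk (S-1-5-21-1111-2222-3333-1105) -> elves
LOTR+dwarves (S-1-5-21-1111-2222-3333-1106) -> dwarves'

# Constructed: `id -a` for user1 as winbind's NSS module presents him.
SAMPLE_ID='uid=10001(LOTR+user1) gid=10005(LOTR+fairfolk) groups=10005(LOTR+fairfolk),10002(LOTR+users)'

# Constructed: the relevant lines of /etc/nsswitch.conf.
SAMPLE_NSSWITCH='passwd: files winbind
group:  files winbind
hosts:  files dns'

# groupmap_unix_for NTGROUP LISTING
# Print the unix group the listing assigns to NTGROUP; print nothing and
# return 1 when the listing has no entry for it.
groupmap_unix_for() {
    _ug=$(printf '%s\n' "$2" | awk -v nt="$1 (" '
        # A line belongs to NTGROUP when it starts with "<ntgroup> (";
        # the unix group is always the last field after "->".
        index($0, nt) == 1 { print $NF; exit }')
    [ -n "$_ug" ] || return 1
    printf '%s\n' "$_ug"
}

# id_has_group GROUP IDOUTPUT
# Return 0 when GROUP appears as the primary gid or in the supplementary
# list; id(1) prints every group name in parentheses, so a fixed-string
# match on "(GROUP)" cannot hit a longer name by accident.
id_has_group() {
    printf '%s\n' "$2" | grep -F -q "($1)"
}

# nss_sources_for DATABASE NSSWITCH_TEXT
# Print the source list configured for DATABASE, e.g. "files winbind".
nss_sources_for() {
    printf '%s\n' "$2" | awk -v db="$1:" '
        $1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# mapping_effective NTGROUP LISTING IDOUTPUT
# Return 0 when the unix group the map assigns to NTGROUP shows up in the
# user's id output (the mapping is visible to the OS, not only to Samba),
# 1 when it does not, 2 when the map has no entry at all.
mapping_effective() {
    _ug=$(groupmap_unix_for "$1" "$2") || return 2
    id_has_group "$_ug" "$3"
}

# Demo on the constructed samples.
ug=$(groupmap_unix_for 'LOTR+fairfolk' "$SAMPLE_GROUPMAP")
echo "group map: LOTR+fairfolk -> $ug"
echo "group sources in nsswitch.conf: $(nss_sources_for group "$SAMPLE_NSSWITCH")"
if mapping_effective 'LOTR+fairfolk' "$SAMPLE_GROUPMAP" "$SAMPLE_ID"; then
    echo "user1's id output includes $ug: the mapping is visible to the OS"
else
    echo "user1's id output lacks $ug: NSS resolves the winbind group only, not the mapped unix group"
fi
```

Run on the samples it prints the second message, which is the situation described in the post: the map entry exists, but the user's id output carries only the winbind-presented group. Replacing the samples with `$(net groupmap list)`, `$(id -a user1)` and `$(cat /etc/nsswitch.conf)` gives the same three-way split on a live host, so a configuration change can be judged by whether `mapping_effective` starts returning 0 rather than by whether `net groupmap add` stops printing errors.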