[Samba] uncovering groupmap problems

John H Terpstra jht at samba.org
Mon Dec 22 18:16:05 GMT 2003


On Mon, 22 Dec 2003, Stéphane Purnelle wrote:

> Why do you use net groupmap modify, if for the first group mapping of the
> root group I must use
> $ net groupmap add sid=S-1-5-21-3186189368-1246494298-1334198317-512
> ntgroup="Domain Users" unixgroup=root type=domain
>
> If it doesn't work, I think you can file a bug in bugzilla.

Precisely what is the bug?

Domain Users should have RID=513, not 512.
RID=512 is Domain Admins

If you want to change the RID you will have to delete the group and re-add
it.

Please help me to understand:
	1. How was the NT Group created?
		- If LDAP backend then you created it manually
		- If tdbsam backend, it is auto-created
	2. How did it get to the setting you have now

Using LDAP backend I just did the following:

smbldap-groupadd.pl -g 560 -t domain -r 560 sammy
net groupmap list

Domain Admins (S-1-5-21-3504140859-1010554828-2431957765-512) -> Domain Admins
Domain Users (S-1-5-21-3504140859-1010554828-2431957765-513) -> Domain Users
Domain Guests (S-1-5-21-3504140859-1010554828-2431957765-514) -> Domain Guests
Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
sammy (S-1-5-21-3504140859-1010554828-2431957765-560) -> sammy


Using tdbsam backend I just did:

groupadd sammy
net groupmap add ntgroup="Domain Sammy" unixgroup=sammy type=d rid=560
net groupmap list

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> users
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
Domain Sammy (S-1-5-21-1593769616-160655940-3590153233-560) -> sammy
Power Users (S-1-5-32-547) -> -1
Master (S-1-5-21-1593769616-160655940-3590153233-2001) -> master
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1


Think about this. If you have entries for a group that has the wrong RID,
there are lots of mapping entries for this in:
	group_mapping.tdb (if not using LDAP)
	winbindd_cache.tdb
	winbindd_idmap.tdb
	LDAP

To intelligently change a RID, Samba will need to search for all
occurrences of the RID and change it. There is a large element of risk of
loss of data consistency while that change is happening. The safest
strategy is to delete a bad entry and then re-add it correctly.

Now check this (with tdbsam):

net groupmap delete ntgroup="Domain Users"
net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> -1
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
Power Users (S-1-5-32-547) -> -1
Master (S-1-5-21-1593769616-160655940-3590153233-2001) -> master
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-1593769616-160655940-3590153233-1201) -> users
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1


Notice that Domain Users is automatically added by the tdbsam backend!

That is why you cannot remap the RID for the well-known groups.



With an LDAP backend:

net groupmap delete ntgroup="Domain Users"
net groupmap add ntgroup="Domain Users" unixgroup="Domain Users" rid=513

This works fine. The LDAP backend does NOT auto-add the well known groups.
But you cannot change the RID once it is added. You can delete a
group mapping and then re-add it.


So precisely, what is the bug? I have seen the head-banging over the
weekend and still do not understand what the problem is.

- John T.
-- 
John H Terpstra
Email: jht at samba.org
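The mail above boils down to three things to look for in a `net groupmap list` listing: the well-known domain groups must carry their fixed RIDs (512 Domain Admins, 513 Domain Users, 514 Domain Guests), a record left at `-1` after a delete is a stale mapping, and with tdbsam a deleted well-known group comes back under a fresh RID, so the same name can appear twice. The checker below is an added example, not code from the mail or from the Samba project. It assumes only the Samba 3.x listing format shown above (`NT group name (SID) -> unix group`); the function names are my own, and the sample listings are constructed from the ones quoted in the mail.

```shell
#!/bin/sh
# Added example (not part of Samba): sanity-check the output of
# `net groupmap list`.  Samba 3.x prints one mapping per line as
#     NT group name (SID) -> unix group
# where a unix group of "-1" means nothing is mapped.

# Well-known domain RIDs, fixed by the Windows domain model.
expected_rid() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;
        *)               echo "" ;;
    esac
}

# Read a listing on stdin, print one line per problem, return non-zero if
# any problem was found.  Checks:
#   - a well-known domain group carrying the wrong RID
#   - a domain-scoped (S-1-5-21-...) entry left unmapped ("-1"), which is
#     what the stale record looks like after `net groupmap delete`
#   - the same NT group name listed twice (two SIDs claiming one name)
# Builtin aliases (S-1-5-32-...) mapped to -1 are normal and not reported.
check_groupmap() {
    problems=0
    seen="|"
    while IFS= read -r line; do
        case "$line" in
            *" (S-"*") -> "*) ;;
            *) continue ;;          # not a mapping line
        esac
        name=${line%%" (S-"*}       # everything before " (S-"
        rest=${line#"$name ("}      # SID) -> unixgroup
        sid=${rest%%") -> "*}
        unixgrp=${rest#*") -> "}
        rid=${sid##*-}              # last dash-separated field of the SID

        want=$(expected_rid "$name")
        if [ -n "$want" ] && [ "$rid" != "$want" ]; then
            echo "WRONG RID: '$name' has RID $rid, expected $want ($sid)"
            problems=$((problems + 1))
        fi

        case "$sid" in
            S-1-5-21-*)
                if [ "$unixgrp" = "-1" ]; then
                    echo "UNMAPPED: domain group '$name' ($sid) has no unix group"
                    problems=$((problems + 1))
                fi ;;
        esac

        case "$seen" in
            *"|$name|"*)
                echo "DUPLICATE: '$name' listed more than once ($sid)"
                problems=$((problems + 1)) ;;
            *) seen="$seen$name|" ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: the tdbsam listing from the mail after
# `net groupmap delete ntgroup="Domain Users"`; tdbsam re-created the group
# with a fresh RID and the old record is left unmapped.
SAMPLE_AFTER_DELETE='System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> -1
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
Domain Users (S-1-5-21-1593769616-160655940-3590153233-1201) -> users
Users (S-1-5-32-545) -> -1'

# Constructed sample: "Domain Users" sitting on the Domain Admins RID.
SAMPLE_SWAPPED='Domain Users (S-1-5-21-3186189368-1246494298-1334198317-512) -> root'

# Constructed sample: the healthy LDAP listing from the mail.
SAMPLE_GOOD='Domain Admins (S-1-5-21-3504140859-1010554828-2431957765-512) -> Domain Admins
Domain Users (S-1-5-21-3504140859-1010554828-2431957765-513) -> Domain Users
Domain Guests (S-1-5-21-3504140859-1010554828-2431957765-514) -> Domain Guests
sammy (S-1-5-21-3504140859-1010554828-2431957765-560) -> sammy'

# Number of problems found in a listing passed as a string.
# On a real PDC:  net groupmap list | check_groupmap
count_problems() {
    printf '%s\n' "$1" | check_groupmap | wc -l | tr -d ' '
}
```

Run against the post-delete tdbsam listing it reports the stale `-1` record at RID 513, the re-created `Domain Users` at RID 1201 (wrong RID) and the duplicate name; the one-line swapped case reports only the wrong RID, and the LDAP listing is clean. The remedy is the one the mail gives: `net groupmap delete` the bad entry and `net groupmap add ... rid=513` it again, which on an LDAP backend does not trigger an automatic re-add.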

