[Samba] uncovering groupmap problems

Stéphane Purnelle stephane.purnelle at tiscali.be
Mon Dec 22 20:00:39 GMT 2003 

John H Terpstra a écrit :

>On Mon, 22 Dec 2003, [UTF-8] Stéphane Purnelle wrote:
>
>  
>
>>Why you use net groupmap modify, if the first groupmapping of root
>>group, I must use
>>$ net groupmap add sid=S-1-5-21-3186189368-1246494298-1334198317-512
>>ntgroup="Domain Users" unixgroup=root type=domain
>>
>>If it don't work, I think you can put a bug in bugzilla.
>>    
>>
>
>Precisely what is the bug?
>
>Domain Users should have RID=513, not 512.
>RID=512 is Domain Admins
>
>If you want to change the RID you will have to delete the group and re-add
>it.
>
>Please help me to userstand:
>	1. How was the NT Group created?
>		- If LDAP backend then you created it manually
>		- If tdbsam backend, it is auto-created
>	2. How did it get to the setting you have now
>
>Using LDAP backend I just did the following:
>
>smbldap-groupadd.pl -g 560 -t domain -r 560 sammy
>net groupmap list
>
>Domain Admins (S-1-5-21-3504140859-1010554828-2431957765-512) -> Domain
>Admins
>Domain Users (S-1-5-21-3504140859-1010554828-2431957765-513) -> Domain
>Users
>Domain Guests (S-1-5-21-3504140859-1010554828-2431957765-514) -> Domain
>Guests
>Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
>Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
>PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
>sammy (S-1-5-21-3504140859-1010554828-2431957765-560) -> sammy
>
>
>Using tdbsam backend I just did:
>
>groupadd sammy
>net groupmap add ntgroup="Domain Sammy" unixgroup=sammy type=d rid=560
>net groumap list
>
>System Operators (S-1-5-32-549) -> -1
>Replicators (S-1-5-32-552) -> -1
>Guests (S-1-5-32-546) -> -1
>Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> users
>Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
>Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
>Domain Sammy (S-1-5-21-1593769616-160655940-3590153233-560) -> sammy
>Power Users (S-1-5-32-547) -> -1
>Master (S-1-5-21-1593769616-160655940-3590153233-2001) -> master
>Print Operators (S-1-5-32-550) -> -1
>Administrators (S-1-5-32-544) -> -1
>Account Operators (S-1-5-32-548) -> -1
>Backup Operators (S-1-5-32-551) -> -1
>Users (S-1-5-32-545) -> -1
>
>
>Think about this. If you have entries for a group that has the wrong RID,
>there are lots of mapping entries for this in:
>	group_mapping.tdb (if not using LDAP)
>	winbindd_cachine.tdb
>	winbindd_idmap.tdb
>	LDAP
>
>To intelligently change a RID, Samba will need to search for all
>occurances of the RID and change it. There is a large element of risk of
>loss o data consistency while that change is happening. The safest
>strategy is to delete a bad entry and then re-add it correctly.
>
>Now check this (with tdbsam):
>
>net groupmap delete ntgroup="Domain Users"
>net groupmap list
>System Operators (S-1-5-32-549) -> -1
>Replicators (S-1-5-32-552) -> -1
>Guests (S-1-5-32-546) -> -1
>Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> -1
>Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
>Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
>Power Users (S-1-5-32-547) -> -1
>Master (S-1-5-21-1593769616-160655940-3590153233-2001) -> master
>Print Operators (S-1-5-32-550) -> -1
>Administrators (S-1-5-32-544) -> -1
>Domain Users (S-1-5-21-1593769616-160655940-3590153233-1201) -> users
>Account Operators (S-1-5-32-548) -> -1
>Backup Operators (S-1-5-32-551) -> -1
>Users (S-1-5-32-545) -> -1
>
>
>Notice that Domain Uses is automatically added by the tdbsam backend!
>
>That is why you can not remap the RID for the well-known groups.
>
>
>
>With an LDAP backend:
>
>net groupmap delete ntgroup="Domain Users"
>net groupmap add ntgroup="Domain Users" unixgroup="Domain Users" rid=513
>
>This works fine. The LDAP backend does NOT auto-add the well known groups.
>But you cannot change the RID once it is added. You can delete a
>group mapping and then re-add it.
>
>
>So precisely, what is  the bug? I have seen the head-banging over the
>week-end and still do not understand what the problem is.
>
>- John T.
>  
>
Ok, but

# net groupmap modify ntgroup="Domain Users" unixgroup=root
net: ../../../libraries/liblber/decode.c:500: ber_scanf: Assertion
`((ber)->ber_opts.lbo_valid==0x2)' failed.
Aborted
[root at linserv2 migration]# net groupmap modify
sid=S-1-5-21-3186189368-1246494298-1334198317-512 ntgroup="Domain Users"
unixgroup=root type=domain
net: ../../../libraries/liblber/decode.c:500: ber_scanf: Assertion
`((ber)->ber_opts.lbo_valid==0x2)' failed.

Calling net groupmap modify, with no existing mapping is a user/administrator error
Butn these messages not help the user.

More information about the samba mailing list