[Samba] uncovering groupmap problems

John H Terpstra jht at samba.org
Mon Dec 22 21:56:20 GMT 2003


Stephane,

Please file a bug report with clear details of how to reproduce the fault.
Thanks.

	https://bugzilla.samba.org

- John T.

On Mon, 22 Dec 2003, Stéphane Purnelle wrote:

> John H Terpstra wrote:
>
> >On Mon, 22 Dec 2003, Stéphane Purnelle wrote:
> >
> >
> >
> >>Why do you use net groupmap modify? If it is the first group mapping of the
> >>root group, I must use
> >>$ net groupmap add sid=S-1-5-21-3186189368-1246494298-1334198317-512
> >>ntgroup="Domain Users" unixgroup=root type=domain
> >>
> >>If it doesn't work, I think you can file a bug in bugzilla.
> >>
> >>
> >
> >Precisely what is the bug?
> >
> >Domain Users should have RID=513, not 512.
> >RID=512 is Domain Admins
> >
> >If you want to change the RID you will have to delete the group and re-add
> >it.
> >
> >Please help me to understand:
> >	1. How was the NT Group created?
> >		- If LDAP backend then you created it manually
> >		- If tdbsam backend, it is auto-created
> >	2. How did it get to the setting you have now
> >
> >Using LDAP backend I just did the following:
> >
> >smbldap-groupadd.pl -g 560 -t domain -r 560 sammy
> >net groupmap list
> >
> >Domain Admins (S-1-5-21-3504140859-1010554828-2431957765-512) -> Domain Admins
> >Domain Users (S-1-5-21-3504140859-1010554828-2431957765-513) -> Domain Users
> >Domain Guests (S-1-5-21-3504140859-1010554828-2431957765-514) -> Domain Guests
> >Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
> >Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
> >PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
> >sammy (S-1-5-21-3504140859-1010554828-2431957765-560) -> sammy
> >
> >
> >Using tdbsam backend I just did:
> >
> >groupadd sammy
> >net groupmap add ntgroup="Domain Sammy" unixgroup=sammy type=d rid=560
> >net groupmap list
> >
> >System Operators (S-1-5-32-549) -> -1
> >Replicators (S-1-5-32-552) -> -1
> >Guests (S-1-5-32-546) -> -1
> >Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> users
> >Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
> >Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
> >Domain Sammy (S-1-5-21-1593769616-160655940-3590153233-560) -> sammy
> >Power Users (S-1-5-32-547) -> -1
> >Master (S-1-5-21-1593769616-160655940-3590153233-2001) -> master
> >Print Operators (S-1-5-32-550) -> -1
> >Administrators (S-1-5-32-544) -> -1
> >Account Operators (S-1-5-32-548) -> -1
> >Backup Operators (S-1-5-32-551) -> -1
> >Users (S-1-5-32-545) -> -1
> >
> >
> >Think about this. If you have entries for a group that has the wrong RID,
> >there are lots of mapping entries for this in:
> >	group_mapping.tdb (if not using LDAP)
> >	winbindd_cache.tdb
> >	winbindd_idmap.tdb
> >	LDAP
> >
> >To intelligently change a RID, Samba will need to search for all
> >occurrences of the RID and change it. There is a large element of risk of
> >loss of data consistency while that change is happening. The safest
> >strategy is to delete a bad entry and then re-add it correctly.
> >
> >Now check this (with tdbsam):
> >
> >net groupmap delete ntgroup="Domain Users"
> >net groupmap list
> >System Operators (S-1-5-32-549) -> -1
> >Replicators (S-1-5-32-552) -> -1
> >Guests (S-1-5-32-546) -> -1
> >Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> -1
> >Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
> >Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
> >Power Users (S-1-5-32-547) -> -1
> >Master (S-1-5-21-1593769616-160655940-3590153233-2001) -> master
> >Print Operators (S-1-5-32-550) -> -1
> >Administrators (S-1-5-32-544) -> -1
> >Domain Users (S-1-5-21-1593769616-160655940-3590153233-1201) -> users
> >Account Operators (S-1-5-32-548) -> -1
> >Backup Operators (S-1-5-32-551) -> -1
> >Users (S-1-5-32-545) -> -1
> >
> >
> >Notice that Domain Users is automatically added by the tdbsam backend!
> >
> >That is why you can not remap the RID for the well-known groups.
> >
> >
> >
> >With an LDAP backend:
> >
> >net groupmap delete ntgroup="Domain Users"
> >net groupmap add ntgroup="Domain Users" unixgroup="Domain Users" rid=513
> >
> >This works fine. The LDAP backend does NOT auto-add the well known groups.
> >But you cannot change the RID once it is added. You can delete a
> >group mapping and then re-add it.
> >
> >
> >So precisely, what is the bug? I have seen the head-banging over the
> >weekend and still do not understand what the problem is.
> >
> >- John T.
> >
> >
> Ok, but
>
> # net groupmap modify ntgroup="Domain Users" unixgroup=root
> net: ../../../libraries/liblber/decode.c:500: ber_scanf: Assertion
> `((ber)->ber_opts.lbo_valid==0x2)' failed.
> Aborted
> [root at linserv2 migration]# net groupmap modify
> sid=S-1-5-21-3186189368-1246494298-1334198317-512 ntgroup="Domain Users"
> unixgroup=root type=domain
> net: ../../../libraries/liblber/decode.c:500: ber_scanf: Assertion
> `((ber)->ber_opts.lbo_valid==0x2)' failed.
>
> Calling net groupmap modify with no existing mapping is a user/administrator error,
> but these messages do not help the user.
>
>
>
>

-- 
John H Terpstra
Email: jht at samba.org
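The thread above turns on two facts about group mappings: a well-known domain RID (512, 513, 514) must map to the NT group Samba expects for it, and deleting such a mapping under tdbsam leaves a duplicate once the backend silently re-creates it. The following shell script is an added example, not part of this message or of the Samba project; it reads `net groupmap list` output in the `Name (SID) -> unixgroup` format shown in John's listings and flags exactly those conditions. The well-known RID table is the one stated on the page; the `check_groupmap` function name, the `--demo`/`-` switches, and the sample listings (constructed to mirror the tdbsam output after `net groupmap delete`) are assumptions of this example.

```shell
#!/bin/sh
# Sanity check for `net groupmap list` output (added example, hypothetical tool).
# Usage:  net groupmap list | sh check_groupmap.sh -
#         sh check_groupmap.sh --demo      # run on the constructed sample below
# Exit status 1 if any finding is printed, 0 if the mapping looks consistent.

check_groupmap() {
    awk '
    BEGIN {
        # Well-known domain RIDs and the NT group names Samba expects for them
        # (the values John quotes in the thread).
        expect[512] = "Domain Admins"
        expect[513] = "Domain Users"
        expect[514] = "Domain Guests"
        for (r in expect) rid_of[expect[r]] = r
        bad = 0
    }
    # Line format: <NT group> (<SID>) -> <unix group or -1>
    match($0, /\(S-1-5-[0-9-]+\)/) {
        sid  = substr($0, RSTART + 1, RLENGTH - 2)
        name = substr($0, 1, RSTART - 2)
        unix = $0; sub(/.*-> */, "", unix)
        n = split(sid, p, "-"); rid = p[n]
        # Only domain SIDs (S-1-5-21-...) carry domain RIDs; builtin aliases
        # (S-1-5-32-...) are normally unmapped (-1) and are left alone.
        if (sid ~ /^S-1-5-21-/) {
            if ((rid in expect) && expect[rid] != name) {
                printf "RID %s is %s but is mapped as \"%s\"\n", rid, expect[rid], name; bad = 1
            }
            if ((name in rid_of) && rid_of[name] != rid) {
                printf "\"%s\" carries RID %s, expected %s\n", name, rid, rid_of[name]; bad = 1
            }
            if ((rid in expect) && unix == "-1") {
                printf "%s (RID %s) has no unix group\n", name, rid; bad = 1
            }
        }
        # A name listed twice is the signature of a delete that tdbsam re-created.
        if (++seen[name] == 2) {
            printf "duplicate NT group name \"%s\"\n", name; bad = 1
        }
    }
    END { exit bad }'
}

# Constructed sample: the tdbsam listing after `net groupmap delete ntgroup="Domain Users"`
# and a manual re-add that received RID 1201 instead of 513.
SAMPLE='Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> -1
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
Domain Users (S-1-5-21-1593769616-160655940-3590153233-1201) -> users
Domain Sammy (S-1-5-21-1593769616-160655940-3590153233-560) -> sammy'

# Constructed sample of a consistent mapping: no findings, exit 0.
CLEAN='Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> users
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
Users (S-1-5-32-545) -> -1'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | check_groupmap ;;
    -)      check_groupmap ;;
esac
```

On the constructed sample the script reports the orphaned 513 entry, the "Domain Users" name carrying RID 1201, and the duplicate name; the fix the thread recommends is to delete the wrong entry and re-add the group with `rid=513`, never to modify the RID in place.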

