[Samba] 3.0 beta 3 - NT and Unix group mapping
Boogerman
boogerman at interar.com.ar
Thu Jul 31 01:35:44 GMT 2003
Hello everyone!
I've been testing the 3.0 beta 3 (I've just upgraded from 2.2.7), and made a
PDC configuration with Windows XP Pro clients. Everything works fine,
however, I'm fine tuning the NT and Unix group mapping; in particular, I
want to map the Unix group 'users' to the NT group 'Power Users'.
I've tried:
net groupmap modify ntgroup="Power Users" unixgroup=users
with no success.
If I do, however
net groupmap modify ntgroup="Domain Admins" unixgroup=users
users are granted admin privileges.
I've read the groupmapping chapter of the howto collection
(http://us1.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#groupmapping)
and still got no clue (If anyone can point me to a more detailed
document by all means do so).
Here's my `net groupmap list`:
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-1734957725-2317673715-2873464621-512) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-1734957725-2317673715-2873464621-514) -> -1
Power Users (S-1-5-32-547) -> users
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-1734957725-2317673715-2873464621-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
And my smb.conf:
[global]
netbios name = Natsumi
server string = Linux Server
workgroup = BoogerSoft
passdb backend = smbpasswd
hosts allow = 192.168.0. 127.0.0.1
;act as domain and master browser
os level = 64
preferred master = yes
domain master = yes
local master = yes
security = user
encrypt passwords = yes
domain logons = yes
;if this causes problems change it to \\%N\profile\%U
logon path = \\%N\%U\profile
logon drive = H:
;for win9x clients
;logon home = \\%N\%U\profile
;logon script, relative to the [netlogon] share
logon script = logon.cmd
;neither of these seem to work with 3.0
;client code page = 850
;character set = ISO8859-1
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
read only = yes
write list = ntadmin
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0600
directory mask = 0700
And I am getting this in log.smbd when I do the "Power User" thing:
[2003/07/30 21:25:53, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(710)
_net_sam_logon: user BOOGERSOFT\boogerman has user sid
S-1-5-21-1734957725-2317673715-2873464621-3000
but group sid S-1-5-32-547.
The conflicting domain portions are not supported for NETLOGON calls
And also this:
[2003/07/30 21:33:43, 0] rpc_server/srv_util.c:get_domain_user_groups(362)
get_domain_user_groups: primary gid of user [boogerman] is not a Domain
group!
get_domain_user_groups: You should fix it, NT doesn't like that
(I don't fully understand the messages, so any explanations will be
appreciated)
Well, that's too much, probably I got everything misconfigured (hey, after
all, it's my first PDC with 3.0). I hope someone will be able to help me
figure this one out...
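
Added example, not part of the original post and not Samba code: a small check that reads a `net groupmap list` listing and compares the domain portion of each mapped group SID with the user's SID, which is the condition the `_net_sam_logon` log line reports. The function names are hypothetical; the listing lines and user SID are copied from the post.

```python
import re

# Listing lines (net groupmap list) and user SID (log.smbd) copied from the post.
GROUPMAP = """\
Domain Admins (S-1-5-21-1734957725-2317673715-2873464621-512) -> -1
Power Users (S-1-5-32-547) -> users
Domain Users (S-1-5-21-1734957725-2317673715-2873464621-513) -> -1
Users (S-1-5-32-545) -> -1
"""
USER_SID = "S-1-5-21-1734957725-2317673715-2873464621-3000"

LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")


def split_sid(sid):
    """Return (domain part, RID) of a SID string."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_groupmap(text):
    """Yield (nt_group, sid, unix_group or None) per listing line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            unix = None if m["unix"] == "-1" else m["unix"]
            yield m["nt"], m["sid"], unix


def check_primary_groups(text, user_sid):
    """Classify each mapped group by whether its SID shares the user's domain."""
    user_domain, _ = split_sid(user_sid)
    report = {}
    for nt, sid, unix in parse_groupmap(text):
        if unix is None:
            continue  # -1: no Unix group mapped
        domain, rid = split_sid(sid)
        if domain == user_domain:
            report[unix] = (nt, "same domain, RID %d" % rid)
        elif domain == "S-1-5-32":
            report[unix] = (nt, "BUILTIN alias, domain portion conflicts")
        else:
            report[unix] = (nt, "foreign domain %s" % domain)
    return report


if __name__ == "__main__":
    for unix, (nt, verdict) in check_primary_groups(GROUPMAP, USER_SID).items():
        print("%s -> %s: %s" % (unix, nt, verdict))
```
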