[Samba] Re: 3.0 beta 3 - NT and Unix group mapping
Boogerman
boogerman at interar.com.ar
Thu Jul 31 22:25:44 GMT 2003
I found the solution. If anyone is interested, what I did is:
Create a Domain group in the SAMBA machine with:
net groupmap add sid={lastsid+1} ntgroup="Domain Power Users"
unixgroup=users type=domain
Then, as admin in the XP client, in "MMC/Local Users and Groups/Groups/Power
Users" I added "{MYDOMAIN}\Domain Power Users".
So this added the domain group Domain Power Users (wich was mapped to the
unix group users) to the local Power Users group.
I hope this helps someone out there...
Boogerman
----- Original Message -----
From: "Boogerman" <boogerman at interar.com.ar>
To: <samba at lists.samba.org>
Sent: Wednesday, July 30, 2003 10:35 PM
Subject: 3.0 beta 3 - NT and Unix group mapping
> Hello everyone!
>
> I've been testing the 3.0 beta 3 (I've just upgraded from 2.2.7), and made
a
> PDC configuration with Windows XP Pro clients. Everything works fine,
> however, I'm fine tuning the NT and Unix group mapping; in particular, I
> want to map the Unix group 'users' to the NT group 'Power Users'.
>
> I've tried:
> net groupmap modify ntgroup="Power Users" unixgroup=users
> with no success.
> If I do, however
> net groupmap modify ntgroup="Domain Admins" unixgroup=users
> users are granted admin privileges
>
> I've read the groupmapping chapter of the howto collection
>
(http://us1.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#grou
> pmapping) and still got no clue (If anyone can point me to a more detailed
> document by all means do so).
>
> Here's my `net groupmap list`:
>
> System Operators (S-1-5-32-549) -> -1
> Domain Admins (S-1-5-21-1734957725-2317673715-2873464621-512) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Guests (S-1-5-21-1734957725-2317673715-2873464621-514) -> -1
> Power Users (S-1-5-32-547) -> users
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Users (S-1-5-21-1734957725-2317673715-2873464621-513) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
> And my smb.conf:
>
> [global]
> netbios name = Natsumi
> server string = Linux Server
> workgroup = BoogerSoft
> passdb backend = smbpasswd
>
> hosts allow = 192.168.0. 127.0.0.1
>
> ;act as domain and master browser
> os level = 64
> preferred master = yes
> domain master = yes
> local master = yes
>
> security = user
>
> encrypt passwords = yes
>
> domain logons = yes
>
> ;if this causes problems change it to \\%N\profile\%U
> logon path = \\%N\%U\profile
> logon drive = H:
>
> ;for win9x clients
> ;logon home = \\%N\%U\profile
>
> ;logon script, relative to the [netlogon] share
> logon script = logon.cmd
>
> ;neither of these seem to work with 3.0
> ;client code page = 850
> ;character set = ISO8859-1
>
> [netlogon]
> comment = Network Logon Service
> path = /usr/local/samba/lib/netlogon
> read only = yes
> write list = ntadmin
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> create mask = 0600
> directory mask = 0700
>
> And I am getting this in log.smbd when I do the "Power User" thing:
> [2003/07/30 21:25:53, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(710)
> _net_sam_logon: user BOOGERSOFT\boogerman has user sid
> S-1-5-21-1734957725-2317673715-2873464621-3000
> but group sid S-1-5-32-547.
> The conflicting domain portions are not supported for NETLOGON calls
>
> And also this:
> [2003/07/30 21:33:43, 0] rpc_server/srv_util.c:get_domain_user_groups(362)
> get_domain_user_groups: primary gid of user [boogerman] is not a Domain
> group!
> get_domain_user_groups: You should fix it, NT doesn't like that
>
> (I don't fully understand the messages, so any explanations will be
> appreciated)
>
> Well, that's too much, probably I got everything missconfigured (hey,
after
> all, it's my first PDC with 3.0). I hope someone will be able to help me
> figure this one out...
>
More information about the samba
mailing list