[Samba] Re: 3.0 beta 3 - NT and Unix group mapping

Boogerman boogerman at interar.com.ar
Thu Jul 31 22:25:44 GMT 2003


I found the solution. If anyone is interested, what I did is:

Create a Domain group in the SAMBA machine with:
net groupmap add sid={lastsid+1} ntgroup="Domain Power Users" unixgroup=users type=domain

Then, as admin in the XP client, in "MMC/Local Users and Groups/Groups/Power
Users" I added "{MYDOMAIN}\Domain Power Users".

So this added the domain group Domain Power Users (which was mapped to the
unix group users) to the local Power Users group.

I hope this helps someone out there...

Boogerman

----- Original Message -----
From: "Boogerman" <boogerman at interar.com.ar>
To: <samba at lists.samba.org>
Sent: Wednesday, July 30, 2003 10:35 PM
Subject: 3.0 beta 3 - NT and Unix group mapping


> Hello everyone!
>
> I've been testing the 3.0 beta 3 (I've just upgraded from 2.2.7), and made a
> PDC configuration with Windows XP Pro clients. Everything works fine,
> however, I'm fine tuning the NT and Unix group mapping; in particular, I
> want to map the Unix group 'users' to the NT group 'Power Users'.
>
> I've tried:
> net groupmap modify ntgroup="Power Users" unixgroup=users
> with no success.
> If I do, however
> net groupmap modify ntgroup="Domain Admins" unixgroup=users
> users are granted admin privileges
>
> I've read the groupmapping chapter of the howto collection
> (http://us1.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#groupmapping)
> and still got no clue (If anyone can point me to a more detailed
> document by all means do so).
>
> Here's my `net groupmap list`:
>
> System Operators (S-1-5-32-549) -> -1
> Domain Admins (S-1-5-21-1734957725-2317673715-2873464621-512) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Guests (S-1-5-21-1734957725-2317673715-2873464621-514) -> -1
> Power Users (S-1-5-32-547) -> users
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Users (S-1-5-21-1734957725-2317673715-2873464621-513) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
> And my smb.conf:
>
> [global]
>         netbios name = Natsumi
>         server string = Linux Server
>         workgroup = BoogerSoft
>         passdb backend = smbpasswd
>
>         hosts allow = 192.168.0. 127.0.0.1
>
>         ;act as domain and master browser
>         os level = 64
>         preferred master = yes
>         domain master = yes
>         local master = yes
>
>         security = user
>
>         encrypt passwords = yes
>
>         domain logons = yes
>
>         ;if this causes problems change it to \\%N\profile\%U
>         logon path = \\%N\%U\profile
>         logon drive = H:
>
>         ;for win9x clients
>         ;logon home = \\%N\%U\profile
>
>         ;logon script, relative to the [netlogon] share
>         logon script = logon.cmd
>
>         ;neither of these seem to work with 3.0
>         ;client code page = 850
>         ;character set = ISO8859-1
>
> [netlogon]
>         comment = Network Logon Service
>         path = /usr/local/samba/lib/netlogon
>         read only = yes
>         write list = ntadmin
>
> [homes]
>         comment = Home Directories
>         browseable = no
>         writable = yes
>         create mask = 0600
>         directory mask = 0700
>
> And I am getting this in log.smbd when I do the "Power User" thing:
> [2003/07/30 21:25:53, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(710)
>   _net_sam_logon: user BOOGERSOFT\boogerman has user sid S-1-5-21-1734957725-2317673715-2873464621-3000
>    but group sid S-1-5-32-547.
>   The conflicting domain portions are not supported for NETLOGON calls
>
> And also this:
> [2003/07/30 21:33:43, 0] rpc_server/srv_util.c:get_domain_user_groups(362)
>   get_domain_user_groups: primary gid of user [boogerman] is not a Domain group!
>   get_domain_user_groups: You should fix it, NT doesn't like that
>
> (I don't fully understand the messages, so any explanations will be
> appreciated)
>
> Well, that's too much, probably I got everything misconfigured (hey, after
> all, it's my first PDC with 3.0). I hope someone will be able to help me
> figure this one out...
>
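
Added example (not part of the original messages, and not Samba code): a small checker for `net groupmap list` output that flags Unix-mapped groups whose SID domain portion differs from the user's, which is the condition the _net_sam_logon log line reports. The sample input is constructed from the listing quoted above; the RID 3001 for "Domain Power Users" and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the `net groupmap list` output quoted above,
# plus the domain group created in the fix (RID 3001 is a made-up placeholder).
SAMPLE = """\
Domain Admins (S-1-5-21-1734957725-2317673715-2873464621-512) -> -1
Power Users (S-1-5-32-547) -> users
Domain Users (S-1-5-21-1734957725-2317673715-2873464621-513) -> -1
Domain Power Users (S-1-5-21-1734957725-2317673715-2873464621-3001) -> users
"""

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1(?:-\d+)+)\) -> (?P<unix>\S+)$")


def domain_part(sid):
    """Return the SID with its final sub-authority (the RID) removed."""
    return sid.rsplit("-", 1)[0]


def parse_groupmap(text):
    """Parse 'NT name (SID) -> unix group' lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def conflicting_mappings(text, user_sid):
    """List Unix-mapped groups whose SID lies outside the user's domain.

    A mapping to -1 means no Unix group is attached, so it is skipped.
    """
    user_domain = domain_part(user_sid)
    return [
        e for e in parse_groupmap(text)
        if e["unix"] != "-1" and domain_part(e["sid"]) != user_domain
    ]


if __name__ == "__main__":
    user = "S-1-5-21-1734957725-2317673715-2873464621-3000"  # user SID from the log above
    for e in conflicting_mappings(SAMPLE, user):
        print(f"{e['name']} ({e['sid']}) -> {e['unix']}: not in the user's domain")
```

The builtin alias S-1-5-32-547 is flagged, while the domain group mapped to the same Unix group is not.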



