[Samba] domain groups

John H Terpstra jht at samba.org
Mon Oct 20 16:53:48 GMT 2003

On Mon, 20 Oct 2003, Douglas Phillipson wrote:

> I have ACL's enabled and am getting a new error, in the Samba log (V
> 3.0.1Pre1, when attempting to set permissions on a file through Win2000:
>    get_domain_user_groups: primary gid of user [terry] is not a Domain
> group !
>    get_domain_user_groups: You should fix it, NT doesn't like that

The primary UNIX group for each user must map to a Domain group. That's
all it means.

> Do I need to create a group on the windows(2000) side?  The entries in
> the domaingroup.map don't do this?  Please be verbose in answering.  A
> couple of good example wouldn't hurt also.
> I have a domain group map:
> domain group map = /etc/samba/domaingroup.map
> Contents of this map are:
> domuser = "Domain User"
> domadmin = "Domain Admin"

This is NOT supported in Samba-3. Instead you need to use the 'net
groupmap' facility to map UNIX groups to NT Groups. This is well
documented in chapter 12 of the Samba-HOWTO-Collection.pdf. I presume you
did read it?

To map the UNIX domuser group to Domain Users:

	net groupmap modify ntgroup="Domain Users" unixgroup=domusers

> I have terry in /etc/group and passwd as such:
> /etc/passwd:
> terry:x:505:10000::/home/terry:/bin/bash
> /etc/group:
> domuser:x:10000:terry, phillipd

These entries are Ok.

- John T.
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list