[Samba] Re: domain admin issue

Sten Sletbak Sten.Sletbak at adm.hio.no
Tue Aug 3 10:07:42 GMT 2004


In article <016101c4789e$f6019040$0b05a8c0 at trey>, Trey Nolen wrote:
>> Have you tried:
>> 
>> net getlocalsid
>> 
>> SID for domain DOMAIN is: 
>> S-1-5-21-3876029557-4061927837-2224609541, i.e. the SIDs should match.
>> 
>> If they don't:
>> 
>> 1. Stop samba
>> 2. Delete "group_mapping.tdb"
>> 3. Start samba
>> 4. net groupmap modify ntgroup="Domain Admins" unixgroup=domadm etc.
>> 
>> This should make a fresh group_mapping.tdb with correct SIDs.
>> 
> 
> 
> Thanks for the reply.  Unfortunately (I guess), they do already match:
> server:~# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users (S-1-5-21-3876029557-4061927837-2224609541-513) -> users
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> domadm
> Domain Admins (S-1-5-21-3876029557-4061927837-2224609541-512) -> domadm
> Account Operators (S-1-5-32-548) -> -1
> Domain Guests (S-1-5-21-3876029557-4061927837-2224609541-514) -> nogroup
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> 
> server:~# net getlocalsid
> SID for domain SERVER is: S-1-5-21-3876029557-4061927837-2224609541
> 
> 
> It seems like this *SHOULD* be working. Could this be a bug with this
> version?  I'll be glad to check anything else if there are other
> suggestions...
>


http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=1bKKG-3JE-47%40gated-at.bofh.it&rnum=1&prev=/groups%3Fq%3Dsamba%2Bdomain%2Badmins%2Bproblem%26ie%3DUTF-8%26hl%3Den%26btnG%3DGoogle%2BSearch

Bottom line:

Stop samba, delete group_mapping.tdb *and* secrets.tdb, start samba.

Make sure you have a backup of secrets.tdb, at least on production servers.
The clients probably have to rejoin the domain after deleting secrets.tdb.
It's also possible that the tdb files are in different directories if you are trying
out different versions/distributions of samba. XP clients also cache the ten latest logins
by default, to add to the confusion...
Other than that I have never had problems with the "Domain Admins" stuff working on the client with any samba 3.0.x.

I have, however, seen very strange behavior on mapped shares after samba 3.0.2 when logging on with a "Domain Admins" user
on XP. I can map the share, but get "access denied" errors when trying to browse or doing "h:" on the command line. Removing the
user from the "domadm" group solves this.


Latest setup on the test server:

Compiled and installed the samba-latest.tar.gz (samba-2.0.5);

#configure, make , make install

smb.conf

[global]
        workgroup = JDHTEST
        log file = /var/log/samba/%m.log
        os level = 100
        preferred master = True
        dns proxy = No
        wins proxy = No
        wins support = No
        wins server = xxx.xxx.xxx.xxx 
        socket options = TCP_NODELAY
        passdb backend = smbpasswd
        domain master = Yes
        domain logons = Yes
[homes]
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No




#/usr/local/samba/bin/net groupmap list

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3103833849-850975221-657558829-512) -> domadm
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3103833849-850975221-657558829-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Guests (S-1-5-21-3103833849-850975221-657558829-514) -> -1
Users (S-1-5-32-545) -> -1

Sten Sletbak
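The thread's diagnostic is to compare the SID from `net getlocalsid` with the domain SIDs in `net groupmap list`. The script below is an added example, not from this thread or the Samba project, that automates that comparison on constructed sample output in the same format; on a real PDC you would feed it the live output of the two `net` commands.

```sh
#!/bin/sh
# Added example: detect group_mapping.tdb entries whose domain SID no longer
# matches the SID the server reports (the stale-tdb situation in the thread).

# Constructed sample output of `net getlocalsid`.
GETLOCALSID_OUT='SID for domain SERVER is: S-1-5-21-3876029557-4061927837-2224609541'

# Constructed sample output of `net groupmap list` in which the domain groups
# still carry a SID from an earlier install; builtin S-1-5-32-* groups are fine.
GROUPMAP_OUT='Domain Admins (S-1-5-21-3103833849-850975221-657558829-512) -> domadm
Domain Users (S-1-5-21-3103833849-850975221-657558829-513) -> users
Administrators (S-1-5-32-544) -> domadm
Users (S-1-5-32-545) -> -1'

# Print the domain SID contained in `net getlocalsid` output.
local_sid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: *\(S-[0-9-]*\).*/\1/p'
}

# Print each domain-group mapping (S-1-5-21-... entries) whose domain part
# differs from the expected SID. Builtin groups (S-1-5-32-*) are skipped.
# Returns 0 when every domain mapping matches, 1 when stale entries exist.
check_groupmap() {
    expected=$1
    mapping=$2
    bad=0
    while IFS= read -r line; do
        case $line in
            *"(S-1-5-21-"*) ;;   # domain group: verify its SID prefix
            *) continue ;;       # builtin alias or blank line: skip
        esac
        sid=${line#*\(}          # drop everything up to the opening "("
        sid=${sid%%\)*}          # drop everything from the closing ")"
        domain=${sid%-*}         # strip the trailing RID (-512, -513, ...)
        if [ "$domain" != "$expected" ]; then
            printf 'STALE: %s\n' "$line"
            bad=$((bad + 1))
        fi
    done <<EOF
$mapping
EOF
    [ "$bad" -eq 0 ]
}

if check_groupmap "$(local_sid "$GETLOCALSID_OUT")" "$GROUPMAP_OUT"; then
    echo "group mapping is consistent with the local SID"
else
    echo "stale mappings found: stop samba, back up secrets.tdb, rebuild group_mapping.tdb" >&2
fi
```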
