[Samba] Group management

Craig White craigwhite at azapple.com
Thu Aug 12 16:08:46 GMT 2004 

On Thu, 2004-08-12 at 08:29, David "3oz" Sonenberg wrote:
> I'm trying to add a user to the domain admins group in
> vain.  I've tried using the windows usrgrp tool.  I've
> tried doing 'pdbedit -u username -G
> S-1-5-21-2351621536-730267382-1598341932-512'  I've
> tried 'net groupmember ADD 'Domain Admins' username. 
> The user I'm trying to add is already in the unixgroup
> that's mapped to the NTgroup.  Does any one know the
> proper way to do this?  Here's my groupmappings:
> 
> [root at samba root]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users
> (S-1-5-21-2915653246-892158047-278579456-513) -> users
> Domain Users
> (S-1-5-21-2351621536-730267382-1598341932-513) -> -1
> Domain Admins
> (S-1-5-21-2351621536-730267382-1598341932-512) ->
> ntadmins
> Domain Guests
> (S-1-5-21-2351621536-730267382-1598341932-514) ->
> nobody
> Domain Guests
> (S-1-5-21-2915653246-892158047-278579456-514) -> -1
> Power Users (S-1-5-32-547) -> -1
> Domain Users
> (S-1-5-21-152711010-200846165-2210790283-513) -> users
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> X3D Employees
> (S-1-5-21-2915653246-892158047-278579456-1112) ->
> david$
> Domain Guests
> (S-1-5-21-152711010-200846165-2210790283-514) ->
> nobody
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Domain Admins
> (S-1-5-21-2915653246-892158047-278579456-512) -> -1
----
you need to clean up your groupmaps first
1 - from cli 
    net getlocalsid

2 - your local SID should match the SID's below (ignoring the RID)
    evidently it is either:
    S-1-5-21-2915653246-892158047-278579456
    or
    S-1-5-21-2351621536-730267382-1598341932
    or
    S-1-5-21-152711010-200846165-2210790283

3 - duplicates/unmapped entries/non matching SID's below

>System Operators (S-1-5-32-549) -> -1
delete or fix
> Replicators (S-1-5-32-552) -> -1
delete or fix
> Guests (S-1-5-32-546) -> -1
delete or fix
> Domain Users (S-1-5-21-2915653246-892158047-278579456-513) -> users
ok - SID?
> Domain Users (S-1-5-21-2351621536-730267382-1598341932-513) -> -1
delete
> Domain Admins (S-1-5-21-2351621536-730267382-1598341932-512) -> ntadmins
ok - SID?
> Domain Guests (S-1-5-21-2351621536-730267382-1598341932-514) -> nobody
ok - SID?
> Domain Guests (S-1-5-21-2915653246-892158047-278579456-514) -> -1
delete
> Power Users (S-1-5-32-547) -> -1
delete or fix
> Domain Users (S-1-5-21-152711010-200846165-2210790283-513) -> users
2nd entry - delete
> Print Operators (S-1-5-32-550) -> -1
delete or fix
> Administrators (S-1-5-32-544) -> -1
delete or fix
> Account Operators (S-1-5-32-548) -> -1
delete or fix
> X3D Employees (S-1-5-21-2915653246-892158047-278579456-1112) -> david$
doesn't make any sense - david$ is a machine account, not a unix group
> Domain Guests (S-1-5-21-152711010-200846165-2210790283-514) -> nobody
2nd entry - delete
> Backup Operators (S-1-5-32-551) -> -1
delete or fix
> Users (S-1-5-32-545) -> -1
delete or fix
> Domain Admins (S-1-5-21-2915653246-892158047-278579456-512) -> -1
delete

Craig

More information about the samba mailing list