[Samba] going from bad to worse

Christoph Scheeder christoph.scheeder at scheeder.de
Tue Aug 17 12:57:41 GMT 2004


Hi,
try it with the command:

net groupmap delete sid=S-1-5-21-2643210455-489482773-813538922-512

for the first bad Domain admin group. Using the SID should do the trick.
Delete all mappings for Domain-groups not matching your samba-group,
then use the

net groupmap modify

command to update the remaining group-mappings so they go to the correct
unix-groups.

Be aware that "net delete groupmap" is not equal to
"net groupmap delete"...
Christoph

Greg Andrews wrote:
> Howdy People,
> 
> Since my last posting things have definitely taken a turn for the worse
> 
> The XP clients cannot now even find the domain controller !!
> 
> my smb.conf file is
> 
> [global]
> log file = /var/log/samba/log.%m
> load printers = no
> name resolve order = wins bcast lmhosts host
> admin users = @admingrp
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> obey pam restrictions = Yes
> lm announce = True
> domain master = True
> username map = /etc/samba/user.map
> encrypt passwords = yes
> passwd program = /usr/bin/passwd %u
> wins support = true
> dns proxy = No
> netbios name = SAMBASERVER
> server string = sambaserver
> logon script = logon.bat
> unix password sync = yes
> workgroup = PINARC
> os level = 255
> security = user
> preferred master = True
> max log size = 50
> domain logons = Yes
> logon drive = h:
> logon home =\\%N\%U
> logon path = \\%N\profiles\%U
> add user script = /usr/sbin/useradd -d /dev/null -g 400 -s /bin/false -M /%u
> 
> [Profiles]
> comment = Profiles Directory
> path = /SYS/profiles
> read only = no
> create mask = 0600
> directory mask = 0700
> profile acls = yes
> writeable = yes
> 
> [netlogon]
> comment = For Administration Use
> path = /etc/samba/netlogon
> valid users = %U
> write list = @admingrp
> read only = no
> create mask = 0644
> 
> 
> [homes]
> comment = %U home directory
> path = /SYS/home/%U
> valid users = %S
> read only = No
> create mask = 0600
> browseable = No
> directory mask =0700
> locking = no
> 
> [open]
> comment = Pinarc Readable Share
> path = /SYS/world/open
> read only = No
> create mask = 0664
> directory mask = 0775
> valid users = @mars
> 
> 
> The logon script is being executed and the profiles are being written and
> updated.
> 
> How do you fix/delete/change the net groupmap list output?
> I think this may be the root cause of my problems, but I just don't know the
> syntax to fix/delete/change it.
> I have searched Google and the samba manual and they seem to tell you
> everything except how to delete/fix etc.
> 
> I have tried net delete groupmap ntgroup="Domain Admins" and whilst it
> says it has deleted this group it actually has done nothing.
> 
> Below is the output of net groupmap list and net getlocalsid
> 
> System Operators (S-1-5-32-549) -> -1
> Domain Admins (S-1-5-21-2643210455-489482773-813538922-512) ->admingrp
> Domain Users (S-1-5-21-3314183342-3289294326-2282427927-513) -> mars
> Replicators (S-1-5-32-552) -> -1
> interchange (S-1-5-21-3314183342-3289294326-2282427927-4001) -> inter
> Guests (S-1-5-32-546) -> -1
> lukeman (S-1-5-21-3314183342-3289294326-2282427927-2803) -> madint
> Domain Admins (S-1-5-21-218202318-3803304894-1597324041-512) -> -1
> Domain Users (S-1-5-21-2643210455-489482773-813538922-513) -> -1
> Domain Guests (S-1-5-21-218202318-3803304894-1597324041-514) -> nogroup
> Power Users (S-1-5-32-547) -> -1
> Domain Guests (S-1-5-21-2643210455-489482773-813538922-514) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Guests (S-1-5-21-3314183342-3289294326-2282427927-514) -> -1
> Domain Admins (S-1-5-21-3314183342-3289294326-2282427927-512) -> -1
> AccountOperators (S-1-5-32-548) -> -1
> mad (S-1-5-21-3314183342-3289294326-2282427927-2801) -> mad
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> 
> SID for domain SAMBASERVER is: S-1-5-21-3314183342-3289294326-2282427927
> 
> 
> 
> 
> Please help. Very desperate.
> 
> 
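
Added example, not part of either message: a dry-run helper that reads `net groupmap list` output and prints the `net groupmap delete sid=...` commands for domain groups whose SID prefix differs from the one `net getlocalsid` reports, plus the local-domain SIDs still mapped to `-1` that need `net groupmap modify`. The function names `groupmap_plan` and `sample_groupmap` are hypothetical, and reading "bad" as "domain SID differs from the local one" is an assumption based on the listing above.

```shell
#!/bin/sh
# Added example: plan the groupmap cleanup without changing anything.
# Real use (output formats as quoted in the thread):
#   net groupmap list | groupmap_plan "$(net getlocalsid | awk '{print $NF}')"

# groupmap_plan LOCAL_DOMAIN_SID   (reads `net groupmap list` output on stdin)
groupmap_plan() {
    awk -v local_sid="$1" '
    {
        # Line format: NT group name (S-1-5-21-a-b-c-RID) -> unixgroup
        if (!match($0, /\(S-1-[0-9-]+\)/)) next
        sid = substr($0, RSTART + 1, RLENGTH - 2)

        # BUILTIN aliases (S-1-5-32-*) are not domain groups; leave them alone.
        if (sid ~ /^S-1-5-32-/) next

        # Domain part of a SID = everything before the final RID component.
        domain = sid
        sub(/-[0-9]+$/, "", domain)

        # Unix side of the mapping; -1 means no unix group is attached.
        unixgrp = $0
        sub(/^.*->[ \t]*/, "", unixgrp)
        sub(/[ \t\r]+$/, "", unixgrp)

        if (domain != local_sid)
            print "net groupmap delete sid=" sid
        else if (unixgrp == "-1")
            print "# remap with net groupmap modify: " sid
    }'
}

# Five lines copied from the listing in the thread.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-2643210455-489482773-813538922-512) ->admingrp
Domain Users (S-1-5-21-3314183342-3289294326-2282427927-513) -> mars
Domain Admins (S-1-5-21-218202318-3803304894-1597324041-512) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-3314183342-3289294326-2282427927-512) -> -1
EOF
}

sample_groupmap | groupmap_plan "S-1-5-21-3314183342-3289294326-2282427927"
```

The helper only prints the plan; review it before running any of the printed commands as root.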


