[Samba] Re: GroupMap Issues

[Mark]

"Craig White" <craigwhite at azapple.com> wrote in message
news:1075437581.399.17.camel at lin-workstation.azapple.com...
> On Thu, 2004-01-29 at 19:33, Jason Gray wrote:
> > I have been trying to figure out what this error is:
> >
> > Jan 29 18:23:07 dc2 smbd[20729]: [2004/01/29 18:23:07, 0]
> > rpc_server/srv_util.c:get_domain_user_groups(371)
> > Jan 29 18:23:07 dc2 smbd[20729]:   get_domain_user_groups: primary gid
of
> > user [barbara] is not a Domain group !
> > Jan 29 18:23:07 dc2 smbd[20729]:   get_domain_user_groups: You should
fix
> > it, NT doesn't like that
> > Jan 29 18:23:08 dc2 smbd[20729]: [2004/01/29 18:23:08, 0]
> > rpc_server/srv_util.c:get_alias_user_groups(219)
> > Jan 29 18:23:08 dc2 smbd[20729]:   get_alias_user_groups: gid of user
> > barbara doesn't exist. Check your /etc/passwd and /etc/group files
> >
> > I thought I fixed the error but it keeps coming back.  My only concern
is
> > that it is slowing network access down.  Is this an error I should be
> > worried about?  I'm using LDAP as my backend so why Samba is checking
the
> > /etc/passwd and /etc/group files is strange.  I have the nsswitch setup
to
> > check "files ldap winbind".
> >
> > Is this error due to the fact that Samba checks the files first, can't
kind
> > the users, then goes onto ldap?
> >
> > It's kind of annoying cuz I don't know if the error is a problem or not.
> ---
> most errors should be considered problems
>
> gid of user barbara doesn't exist - primary gid of user barbara not a
> Domain group ! NT doesn't like that
>
> You are gonna need to fix these things...
> sambaPrimaryGroupSID: S-1-5-21-1292501092-333717336-619646970-513
>
> substitute your sid for this value - the end -513 stands for the
> 'built-in' "Domain Users" group, a very good idea for most users on the
> network (obvious exceptions are unprivileged users)
>
> If you actually understand LDAP and can manipulate the information, a
> group would look like this...
> dn: cn=Domain Users,ou=Groups,o=Mullen,c=US
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Domain Users
> gidNumber: 1008
> sambaSID: S-1-5-21-1292501092-333717336-619646970-513
> sambaGroupType: 2
> displayName: Domain Users
> description: All domain users
> creatorsName: cn=root,o=Mullen,c=US
> createTimestamp: 20040121055900Z
> memberUid: root
> memberUid: artstation
> memberUid: Administrator
>
> and so on with many members...
>
> any posix group can be a sambaDomainGroup - the requisite items are:
> objectclass: sambaGroupMapping
> cn:
> displayName:
> gidNumber:
> sambaSID: #which can't belong to anything else, best to number the last
> extension over 1000
> sambaGroupType: #2 for Domain group - 5 for local group
>
> if there is no group mapping for a particular sambaSID, then you could
> use the net groupmap add command to create these values.
>
> if there is a group mapping for a particular sambaSID, then you can use
> the net groupmap modify command but I have to tell you, I find it
> infinitely easier and more direct to change these either directly
> through ldif or through phpldapadmin.
>
> YMMV
>
> Craig

I see these errors too, but I am still using the smbpasswd back end.  What
is samba using as the primary group?  Is it the unix primary group?  If so,
should I modify the users' unix accounts to all be in the same primary unix
group and then map that group to "Domain Users"?  Since it is a redhat
system, the users all have primary unix groups that are the same as their
usernames, but I could change that.
Mark