[Samba] net groupmap / domain admins problem - Amazon prize

John H Terpstra jht at samba.org
Thu Jan 8 04:41:58 GMT 2004

On Wed, 7 Jan 2004, Andrew Judge wrote:

> I think that most of my problems are somewhat resolved except for this last
> one.  I can not get domain admin rights to the ntadmins users.  I get the
> following output for groupmaps:
> [root at fire2 i386]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
> Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
> Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
> Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
> Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
> Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
> Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Obviously there is a problem with the domain '*' SID because there are
> duplicates.  Any idea how to correct this problem and get the users logged
> in with admin rights.  I have RH EN v.3 and samba 3.0.0-14.3E from RH.  I
> can see the users from the samba server and the users can log in, but no
> rights.  Big problem.

Ok. Roll up your sleeves!

I am presuming that you are NOT using and LDAP backend, that you still are
using an smbpasswd backend datafile.

1. Stop Samba
2. Delete the group_mapping.tdb file.
3. Restart Samba
	- the default Domain Groups will automatically be created if you
	  are NOT using LDAP ldapsam.
4. Map your groups as follows:

net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

Add any Domain Groups you may want. Do tie them to existing (manually
created UNIX groups) eg:

groupadd engineers
net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d

groupadd ntadmins
net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d

PS: If you have a problem with these commands email me, I'll help you.

5. Add all users who should have Domain Admin rights to the UNIX root
group in /etc/group, like this:


6. Add all users who should have Workstation Admin rights (Power Users) to
the UNIX ntadmins group in /etc/group, like this:


7. Verify that the groups are correctly mapped:

net groupmap list.

8. Now: On every windows client machine add:

	a) Domain Admins to the Local Administrators Group
	b) Domain Power Users to the Local Power Users Group

> Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> cahnged the SID to the last PDC.  Anyway, how would I get the right SID?  I
> have NTUSER.DAT files that I can run profiles against to read them.  Would
> that help?

You can use the Samba-3.0.x tools 'profiles' to reset the SID in the

To obtain the domain SID just run:

	net getlocalsid

> First one that can point me in the right direction to get this resolved -
> I'll buy them a amazon gift cert for $50.  Beats going bald from pulling out
> my hair.

It's a deal man!

- John T.
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list