WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize

Hansjoerg Maurer Hansjoerg.Maurer at dlr.de
Thu Jan 8 07:47:32 GMT 2004


i have a question related to the groupmapping with ldapsam as backend.
You discribed, that groupentries have to be in /etc/group with tdbsam as 

I recognized, that samba 3,0.1 with ldapsam does not recognize secondary 
groups in ldap.
(e.g for accessing a share)

The problem is described by  kent at wareham.k12.ma.us to (see his email 

Do secondary groups have to be in /etc/groups in order to be recognized 
by samba even with ldapsam?

Thank you very much


I found an interesting thing that I don't know if it is a bug, by design
or I need to be doing something that I'm not but here goes.
My system
RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
(3) BDC with LDAP slave backend. All are Samba 3.0.
I had a probelem with secondary, tertiary etc groups that people belong
to and Samba recognizing these groups if they were stored in LDAP. The
primary group was no problem. When I created shares but used
"@groupname"  for valid users or write list, Samba would fail to get
that info from LDAP. They needed to be in /etc/group to work. As soon as
I added users in secondary groups to /etc/group users were recognized
and rights were assigned.
As a side note each line of /etc/group is limited to 1024 bytes, so
there is a limit on how many users you can add to a group using
/etc/group. If you exceed that when the system scans the /etc/group
file, it will fail at the line >1024 bytes and any groups below will
fail to be recognized. I believe that this is a bug. If you do "ls" on a
directory or "id <username>" where one of the entries in your /etc/group
has exceeded the limit, the groups will show as numbers and not a group

Can I use pam_winbindd to extract group membership from LDAP at this

time for secondary, tertiary etc groups?

John H Terpstra wrote:

>On Wed, 7 Jan 2004, Andrew Judge wrote:
>>I think that most of my problems are somewhat resolved except for this last
>>one.  I can not get domain admin rights to the ntadmins users.  I get the
>>following output for groupmaps:
>>[root at fire2 i386]# net groupmap list
>>System Operators (S-1-5-32-549) -> -1
>>Replicators (S-1-5-32-552) -> -1
>>Guests (S-1-5-32-546) -> -1
>>Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
>>Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
>>Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
>>Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
>>Power Users (S-1-5-32-547) -> -1
>>Print Operators (S-1-5-32-550) -> -1
>>Administrators (S-1-5-32-544) -> -1
>>Account Operators (S-1-5-32-548) -> -1
>>Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
>>Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
>>Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
>>Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
>>Backup Operators (S-1-5-32-551) -> -1
>>Users (S-1-5-32-545) -> -1
>>Obviously there is a problem with the domain '*' SID because there are
>>duplicates.  Any idea how to correct this problem and get the users logged
>>in with admin rights.  I have RH EN v.3 and samba 3.0.0-14.3E from RH.  I
>>can see the users from the samba server and the users can log in, but no
>>rights.  Big problem.
>Ok. Roll up your sleeves!
>I am presuming that you are NOT using and LDAP backend, that you still are
>using an smbpasswd backend datafile.
>1. Stop Samba
>2. Delete the group_mapping.tdb file.
>3. Restart Samba
>	- the default Domain Groups will automatically be created if you
>	  are NOT using LDAP ldapsam.
>4. Map your groups as follows:
>net groupmap modify ntgroup="Domain Users" unixgroup=users
>net groupmap modify ntgroup="Domain Admins" unixgroup=root
>net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
>Add any Domain Groups you may want. Do tie them to existing (manually
>created UNIX groups) eg:
>groupadd engineers
>net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
>groupadd ntadmins
>net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
>PS: If you have a problem with these commands email me, I'll help you.
>5. Add all users who should have Domain Admin rights to the UNIX root
>group in /etc/group, like this:
>6. Add all users who should have Workstation Admin rights (Power Users) to
>the UNIX ntadmins group in /etc/group, like this:
>7. Verify that the groups are correctly mapped:
>net groupmap list.
>8. Now: On every windows client machine add:
>	a) Domain Admins to the Local Administrators Group
>	b) Domain Power Users to the Local Power Users Group
>>Now... I migrated from 2.2.3a to the above and I have all the tdb and I
>>cahnged the SID to the last PDC.  Anyway, how would I get the right SID?  I
>>have NTUSER.DAT files that I can run profiles against to read them.  Would
>>that help?
>You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
>NTUSER.DAT files.
>To obtain the domain SID just run:
>	net getlocalsid
>>First one that can point me in the right direction to get this resolved -
>>I'll buy them a amazon gift cert for $50.  Beats going bald from pulling out
>>my hair.
>It's a deal man!
>- John T.


Dr.  Hansjoerg Maurer           | LAN- & System-Manager
Deutsches Zentrum               | DLR Oberpfaffenhofen
  f. Luft- und Raumfahrt e.V.   |
Institut f. Robotik             |
Postfach 1116                   | Muenchner Strasse 20
82230 Wessling                  | 82234 Wessling
Germany                         |
Tel: 08153/28-2431              | E-mail: Hansjoerg.Maurer at dlr.de
Fax: 08153/28-1134              | WWW: http://www.robotic.dlr.de/

There are 10 types of people in this world, 
those who understand binary and those who don't.

More information about the samba mailing list