WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize
Hansjoerg.Maurer at dlr.de
Thu Jan 8 07:47:32 GMT 2004
I have a question related to the group mapping with ldapsam as backend.
You described that group entries have to be in /etc/group with tdbsam as
I recognized that Samba 3.0.1 with ldapsam does not recognize secondary
groups in ldap.
(e.g. for accessing a share)
The problem is described by kent at wareham.k12.ma.us too (see his email
Do secondary groups have to be in /etc/group in order to be recognized
by samba even with ldapsam?
Thank you very much
I found an interesting thing that I don't know if it is a bug, by design
or I need to be doing something that I'm not but here goes.
RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
(3) BDC with LDAP slave backend. All are Samba 3.0.
I had a problem with secondary, tertiary etc groups that people belong
to and Samba recognizing these groups if they were stored in LDAP. The
primary group was no problem. When I created shares but used
"@groupname" for valid users or write list, Samba would fail to get
that info from LDAP. They needed to be in /etc/group to work. As soon as
I added users in secondary groups to /etc/group users were recognized
and rights were assigned.
As a side note each line of /etc/group is limited to 1024 bytes, so
there is a limit on how many users you can add to a group using
/etc/group. If you exceed that when the system scans the /etc/group
file, it will fail at the line >1024 bytes and any groups below will
fail to be recognized. I believe that this is a bug. If you do "ls" on a
directory or "id <username>" where one of the entries in your /etc/group
has exceeded the limit, the groups will show as numbers and not a group
Can I use pam_winbindd to extract group membership from LDAP at this
time for secondary, tertiary etc groups?
John H Terpstra wrote:
>On Wed, 7 Jan 2004, Andrew Judge wrote:
>>I think that most of my problems are somewhat resolved except for this last
>>one. I can not get domain admin rights to the ntadmins users. I get the
>>following output for groupmaps:
>>[root at fire2 i386]# net groupmap list
>>System Operators (S-1-5-32-549) -> -1
>>Replicators (S-1-5-32-552) -> -1
>>Guests (S-1-5-32-546) -> -1
>>Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
>>Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
>>Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
>>Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
>>Power Users (S-1-5-32-547) -> -1
>>Print Operators (S-1-5-32-550) -> -1
>>Administrators (S-1-5-32-544) -> -1
>>Account Operators (S-1-5-32-548) -> -1
>>Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
>>Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
>>Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
>>Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
>>Backup Operators (S-1-5-32-551) -> -1
>>Users (S-1-5-32-545) -> -1
>>Obviously there is a problem with the domain '*' SID because there are
>>duplicates. Any idea how to correct this problem and get the users logged
>>in with admin rights. I have RH EN v.3 and samba 3.0.0-14.3E from RH. I
>>can see the users from the samba server and the users can log in, but no
>>rights. Big problem.
>Ok. Roll up your sleeves!
>I am presuming that you are NOT using an LDAP backend, that you still are
>using an smbpasswd backend datafile.
>1. Stop Samba
>2. Delete the group_mapping.tdb file.
>3. Restart Samba
> - the default Domain Groups will automatically be created if you
> are NOT using LDAP ldapsam.
>4. Map your groups as follows:
>net groupmap modify ntgroup="Domain Users" unixgroup=users
>net groupmap modify ntgroup="Domain Admins" unixgroup=root
>net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
>Add any Domain Groups you may want. Do tie them to existing (manually
>created UNIX groups) eg:
>net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
>net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
>PS: If you have a problem with these commands email me, I'll help you.
>5. Add all users who should have Domain Admin rights to the UNIX root
>group in /etc/group, like this:
>6. Add all users who should have Workstation Admin rights (Power Users) to
>the UNIX ntadmins group in /etc/group, like this:
>7. Verify that the groups are correctly mapped:
>net groupmap list.
>8. Now: On every windows client machine add:
> a) Domain Admins to the Local Administrators Group
> b) Domain Power Users to the Local Power Users Group
>>Now... I migrated from 2.2.3a to the above and I have all the tdb and I
>>changed the SID to the last PDC. Anyway, how would I get the right SID? I
>>have NTUSER.DAT files that I can run profiles against to read them. Would
>You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
>To obtain the domain SID just run:
> net getlocalsid
>>First one that can point me in the right direction to get this resolved -
>>I'll buy them a amazon gift cert for $50. Beats going bald from pulling out
>It's a deal man!
>- John T.
Dr. Hansjoerg Maurer | LAN- & System-Manager
Deutsches Zentrum | DLR Oberpfaffenhofen
f. Luft- und Raumfahrt e.V. |
Institut f. Robotik |
Postfach 1116 | Muenchner Strasse 20
82230 Wessling | 82234 Wessling
Tel: 08153/28-2431 | E-mail: Hansjoerg.Maurer at dlr.de
Fax: 08153/28-1134 | WWW: http://www.robotic.dlr.de/
There are 10 types of people in this world,
those who understand binary and those who don't.
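As an added example (not code from this thread or from the Samba project), the script below applies two checks the thread describes to constructed sample input. It parses `net groupmap list` output of the form quoted above to report how many distinct domain SIDs the mapping table holds, which entries belong to a SID other than the one `net getlocalsid` prints (the duplicate-SID leftover Andrew hit after migrating from 2.2), and which groups are still mapped to -1. It also scans an /etc/group-style file for lines longer than the 1024-byte limit Kent reports. The sample data is constructed, the 1024-byte figure is taken from Kent's post and passed as a parameter rather than verified against any libc, and the `net getlocalsid` value is assumed to be the SID you intend to keep.

```python
"""Two checks for the group problems in this thread, run against constructed
sample input so the script works offline."""
import re

# Constructed sample: a subset of the `net groupmap list` output quoted above.
SAMPLE_GROUPMAP = """\
Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
"""

# One line of `net groupmap list`: "<NT group> (<SID>) -> <unix group or -1>"
GROUPMAP_LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return a list of (nt_group, sid, unix_group) tuples; unmapped groups carry '-1'."""
    entries = []
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("sid"), m.group("unix")))
    return entries


def domain_sids(entries):
    """Distinct domain SIDs (S-1-5-21-... without the trailing RID) in the mappings.
    Built-in aliases (S-1-5-32-*) are skipped. More than one result means the
    mapping table still holds entries from another domain SID, as in Andrew's list."""
    sids = {sid.rsplit("-", 1)[0] for _, sid, _ in entries if sid.startswith("S-1-5-21-")}
    return sorted(sids)


def stale_mappings(entries, local_sid):
    """Domain-group entries whose SID does not belong to local_sid
    (assumed to be the value `net getlocalsid` prints on the PDC)."""
    return [e for e in entries
            if e[1].startswith("S-1-5-21-") and not e[1].startswith(local_sid + "-")]


def unmapped(entries):
    """Entries with no UNIX group behind them."""
    return [e for e in entries if e[2] == "-1"]


# Constructed sample /etc/group: the second line deliberately exceeds 1024 bytes.
SAMPLE_GROUP_FILE = (
    "users:x:100:alice,bob\n"
    "engineers:x:501:" + ",".join(f"user{i:04d}" for i in range(140)) + "\n"
    "ntadmins:x:502:alice\n"
)


def oversized_group_lines(text, limit=1024):
    """Return (line_no, group_name, byte_length) for /etc/group lines longer than
    `limit` bytes. 1024 is the figure Kent reports for his system; it is a
    parameter here, not a value verified against any particular libc."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        size = len(line.encode())
        if size > limit:
            hits.append((n, line.split(":", 1)[0], size))
    return hits


def groups_after_first_oversized(text, limit=1024):
    """Names of the groups that follow the first over-long line; per Kent's
    report these are the ones the scan then fails to recognize."""
    hits = oversized_group_lines(text, limit)
    if not hits:
        return []
    first = hits[0][0]
    return [line.split(":", 1)[0] for line in text.splitlines()[first:]]


if __name__ == "__main__":
    entries = parse_groupmap(SAMPLE_GROUPMAP)
    print("domain SIDs in mapping table:", domain_sids(entries))
    print("unmapped:", [e[0] for e in unmapped(entries)])
    print("oversized /etc/group lines:", oversized_group_lines(SAMPLE_GROUP_FILE))
    print("groups after it:", groups_after_first_oversized(SAMPLE_GROUP_FILE))
```

To use it on a live server, feed `parse_groupmap` the real `net groupmap list` output and `stale_mappings` the SID from `net getlocalsid`; entries it returns are the ones John's procedure (delete group_mapping.tdb, remap with `net groupmap modify`) clears away. Point `oversized_group_lines` at the contents of /etc/group with the limit you actually observe on your libc.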