[Samba] net groupmap / domain admins problem - Amazon prize

John H Terpstra jht at samba.org
Thu Jan 8 15:33:32 GMT 2004

On Thu, 8 Jan 2004, Andrew Judge wrote:

> Okay, I did all the below successfully.  I actually had the old SID from the
> other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the
> NTUSER.DAT files
> Still no luck with the admin rights.  It will log into the domain and can
> see the domain groups and I can add them to local groups.  It even uses the
> netlogon scripts.  Do you need more info?  I think we are close though.


In the procedure I gave you rather specific steps. That was for a reason.
Maybe I should have explained each step a lot more fully.

Samba stores its Domain/Machine SID in the secrets.tdb file. When you
deleted the group_mapping.tdb file and then restarted Samba, it re-created
the group_mapping.tdb file with all the default accounts. When it did
this, the default accounts were initialized with the SID that was in the
secrets.tdb file.

I am guessing that you changed the SID _AFTER_ restarting Samba.

I was trying to get your SIDs uniform throughout with minimum effort on
your part. By resetting the Domain SID, you undid what I was trying to get
you to rectify.

Your Windows clients will be very confused by the inconsistent SIDs. What
you did by resetting the SID would be expected to break everything again.

I am guessing that by running:
	net getlocalsid
you will now be able to confirm that the Samba Domain SID is the same as
your original Domain SID.

If you want this to work, you will have to repeat the steps I gave you
though. Domain security will not work unless the SIDs are consistent.

John T.

> Andy
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: Wednesday, January 07, 2004 11:42 PM
> To: Andrew Judge
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize
> 1. Stop Samba
> 2. Delete the group_mapping.tdb file.
> 3. Restart Samba
> 	- the default Domain Groups will automatically be created if you
> 	  are NOT using LDAP ldapsam.
> 4. Map your groups as follows:
> net groupmap modify ntgroup="Domain Users" unixgroup=users
> net groupmap modify ntgroup="Domain Admins" unixgroup=root
> net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
> Add any Domain Groups you may want. Do tie them to existing (manually
> created UNIX groups) eg:
> groupadd engineers
> net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
> groupadd ntadmins
> net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
> PS: If you have a problem with these commands email me, I'll help you.
> 5. Add all users who should have Domain Admin rights to the UNIX root
> group in /etc/group, like this:
> root:0::jht,jimbo,jack,jill
> 6. Add all users who should have Workstation Admin rights (Power Users) to
> the UNIX ntadmins group in /etc/group, like this:
> ntadmins:123::maryo,susant,billm
> 7. Verify that the groups are correctly mapped:
> net groupmap list.
> 8. Now: On every windows client machine add:
> 	a) Domain Admins to the Local Administrators Group
> 	b) Domain Power Users to the Local Power Users Group
> >
> > Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> > changed the SID to the last PDC.  Anyway, how would I get the right SID?  I
> > have NTUSER.DAT files that I can run profiles against to read them.  Would
> > that help?
> You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
> NTUSER.DAT files.
> To obtain the domain SID just run:
> 	net getlocalsid
> >
> > First one that can point me in the right direction to get this resolved -
> > I'll buy them an amazon gift cert for $50.  Beats going bald from pulling
> > out my hair.
> It's a deal man!
> - John T.
> --
> John H Terpstra
> Email: jht at samba.org

John H Terpstra
Email: jht at samba.org
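A small consistency check for the problem John describes above (group mappings created under one domain SID, then the domain SID reset), added here as an example and not taken from the thread or from Samba itself. It assumes the `ntgroup (SID) -> unixgroup` line format of `net groupmap list` and works on constructed sample output instead of calling `net`, so it runs offline.

```shell
#!/bin/sh
# Constructed sample: the value `net getlocalsid` would report for the domain.
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"

# Constructed sample of `net groupmap list` output. "Domain Guests" carries a
# stale SID prefix, as happens when group_mapping.tdb is regenerated under one
# domain SID and the SID is afterwards changed with `net setlocalsid`.
GROUPMAP_LIST='Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> root
Domain Guests (S-1-5-21-9999999999-8888888888-7777777777-514) -> nobody
Domain Engineers (S-1-5-21-1111111111-2222222222-3333333333-1001) -> engineers'

# list_sid_mismatches DOMAIN_SID GROUPMAP_TEXT
# Prints every mapping line whose SID is neither under DOMAIN_SID nor a
# BUILTIN (S-1-5-32-*) group, which legitimately lives outside the domain SID.
list_sid_mismatches() {
    domain_sid=$1
    printf '%s\n' "$2" | while IFS= read -r line; do
        # Pull the SID out of "<ntgroup> (<sid>) -> <unixgroup>".
        sid=$(printf '%s' "$line" | sed -n 's/.*(\(S-[0-9][0-9-]*\)).*/\1/p')
        [ -n "$sid" ] || continue
        case "$sid" in
            "$domain_sid"-*) ;;
            S-1-5-32-*) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# check_groupmap_sids DOMAIN_SID GROUPMAP_TEXT
# Returns 0 when every mapping is consistent with the domain SID, 1 otherwise,
# reporting the offending lines on stderr.
check_groupmap_sids() {
    mismatches=$(list_sid_mismatches "$1" "$2")
    if [ -n "$mismatches" ]; then
        printf 'Group mappings not under domain SID %s:\n%s\n' "$1" "$mismatches" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample (reports the stale mapping).
if check_groupmap_sids "$DOMAIN_SID" "$GROUPMAP_LIST"; then
    echo "all group mappings are under the domain SID"
fi
```

On a live PDC the same functions can be fed `"$(net getlocalsid | sed -n 's/.*is: //p')"` and `"$(net groupmap list)"`; any reported line is a mapping to fix before clients will honour the group.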
