[Samba] net groupmap / domain admins problem - Amazon prize

Andrew Judge ajudge at grovenetworks.com
Thu Jan 8 15:56:49 GMT 2004


Nope - it makes its own SIDs.  To prove - it starts and ends with net
getlocalsid. Here is the output since I tried it again:

[root at fire2 root]# net getlocalsid
SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
[root at fire2 root]# service smb stop
Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]
[root at fire2 root]# rm -f /var/cache/samba/group_mapping.tdb
[root at fire2 root]# service smb start
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
[root at fire2 root]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
[root at fire2 root]# net getlocalsid
SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950

-----Original Message-----
From: John H Terpstra [mailto:jht at samba.org]
Sent: Thursday, January 08, 2004 10:34 AM
To: Andrew Judge
Cc: Samba
Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize


On Thu, 8 Jan 2004, Andrew Judge wrote:

> Okay, I did all the below successfully.  I actually had the old SID from
> the other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify
> the NTUSER.DAT files
>
> Still no luck with the admin rights.  It will log into the domain and can
> see the domain groups and I can add them to local groups.  It even uses
> the netlogon scripts.  Do you need more info?  I think we are close though.

Andy,

In the procedure I gave you rather specific steps. That was for a reason.
Maybe I should have explained each step a lot more fully.

Samba stores its Domain/Machine SID in the secrets.tdb file. When you
deleted the group_mapping.tdb file and then restarted Samba, it re-created
the group_mapping.tdb file with all the default accounts. When it did
this, the default accounts were initialized with the SID that was in the
secrets.tdb file.

I am guessing that you changed the SID _AFTER_ restarting Samba.

I was trying to get your SIDs uniform throughout with minimum effort on
your part. By resetting the Domain SID, you undid what I was trying to get
you to rectify.

Your Windows clients will be very confused by the inconsistent SIDs. What
you did by resetting the SID would be expected to break everything again.

I am guessing that by running:
	net getlocalsid
you will now be able to confirm that the Samba Domain SID is the same as
your original Domain SID.

If you want this to work, you will have to repeat the steps I gave you
though. Domain security will not work unless the SIDs are consistent.

Cheers,
John T.

>
> Andy
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: Wednesday, January 07, 2004 11:42 PM
> To: Andrew Judge
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize
>
> 1. Stop Samba
> 2. Delete the group_mapping.tdb file.
> 3. Restart Samba
> 	- the default Domain Groups will automatically be created if you
> 	  are NOT using LDAP ldapsam.
> 4. Map your groups as follows:
>
> net groupmap modify ntgroup="Domain Users" unixgroup=users
> net groupmap modify ntgroup="Domain Admins" unixgroup=root
> net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
>
> Add any Domain Groups you may want. Do tie them to existing (manually
> created UNIX groups) eg:
>
> groupadd engineers
> net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
>
> groupadd ntadmins
> net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
>
>
> PS: If you have a problem with these commands email me, I'll help you.
>
>
> 5. Add all users who should have Domain Admin rights to the UNIX root
> group in /etc/group, like this:
>
> root:0::jht,jimbo,jack,jill
>
>
> 6. Add all users who should have Workstation Admin rights (Power Users) to
> the UNIX ntadmins group in /etc/group, like this:
>
> ntadmins:123::maryo,susant,billm
>
>
> 7. Verify that the groups are correctly mapped:
>
> net groupmap list
>
>
> 8. Now: On every windows client machine add:
>
> 	a) Domain Admins to the Local Administrators Group
> 	b) Domain Power Users to the Local Power Users Group
>
>
> >
> > Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> > changed the SID to the last PDC.  Anyway, how would I get the right SID?
> > I have NTUSER.DAT files that I can run profiles against to read them.
> > Would that help?
>
> You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
> NTUSER.DAT files.
>
> To obtain the domain SID just run:
>
> 	net getlocalsid
>
>
> >
> > First one that can point me in the right direction to get this
> > resolved - I'll buy them an Amazon gift cert for $50.  Beats going bald
> > from pulling out my hair.
>
> It's a deal man!
>
>
> - John T.
> --
> John H Terpstra
> Email: jht at samba.org
>

--
John H Terpstra
Email: jht at samba.org
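An added shell check, not from the thread or from Samba itself, that does what John's diagnosis implies: it compares the domain SID reported by `net getlocalsid` with the prefix of every S-1-5-21 group SID in `net groupmap list`, and counts groups still mapped to -1. The two outputs are constructed from the figures Andrew posted; on a live PDC they would come from the real commands.

```shell
#!/bin/sh
# Constructed sample output (taken from the figures quoted in the thread).
# On a real PDC use: LOCALSID_OUT=$(net getlocalsid); GROUPMAP_OUT=$(net groupmap list)
LOCALSID_OUT='SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950'
GROUPMAP_OUT='Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1'

# The domain SID is the last field of the getlocalsid line.
local_sid() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# Print every domain-scoped (S-1-5-21-*) group whose SID prefix differs from
# the local domain SID.  Builtin groups (S-1-5-32-*) are skipped: they are
# well-known and never carry the domain SID.  Returns 1 on any mismatch.
check_domain_sids() {
    sid=$(local_sid "$1")
    printf '%s\n' "$2" | awk -v sid="$sid" '
        match($0, /\(S-1-5-21-[0-9-]+\)/) {
            gsid = substr($0, RSTART + 1, RLENGTH - 2)   # strip the parentheses
            prefix = gsid; sub(/-[0-9]+$/, "", prefix)   # drop the RID
            if (prefix != sid) { bad++; print "MISMATCH: " $0 }
        }
        END { exit (bad > 0) }'
}

# Number of groups with no UNIX group attached yet ("-> -1").
count_unmapped() {
    printf '%s\n' "$1" | grep -c -- '-> -1$'
}

if check_domain_sids "$LOCALSID_OUT" "$GROUPMAP_OUT"; then
    echo "group map SIDs agree with the domain SID"
else
    echo "group_mapping.tdb was created under a different domain SID;"
    echo "stop Samba, delete it and restart so it is rebuilt from secrets.tdb"
fi
echo "groups still unmapped: $(count_unmapped "$GROUPMAP_OUT")"
```

Run against Andrew's output it reports the three Domain groups as mismatched, which is the inconsistency John describes.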
