[Samba] net groupmap / domain admins problem - Amazon prize

John H Terpstra jht at samba.org
Thu Jan 8 17:09:08 GMT 2004


Andrew,

You have something rather strange going on here. The following is the
result of running these steps on my system:

frodo:/etc/samba # net setlocalsid
S-1-5-21-1206063004-3966108128-1487570950
frodo:/etc/samba # net getlocalsid
SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950
frodo:/etc/samba # samba start
Starting SAMBA nmbd :
done
cups  on
Waiting for cupsd to get ready
done
Starting SAMBA smbd :
done
Starting SAMBA winbind :
done
frodo:/etc/samba # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1206063004-3966108128-1487570950-512) -> -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
frodo:/etc/samba # net getlocalsid
SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950

Note: The SIDs are consistent.

I have been unable to reproduce the observations you have. Please would
you email me your secrets.tdb file (off-line). I'd like to see if there is
something weird in it.

Other than that, please move your secrets.tdb file to a backup location.
Make sure samba is NOT running when you do this. Then delete the
group_mapping.tdb file, then restart Samba.

Then check the value of the Domain SID from:
	net getlocalsid
	net groupmap list

I'd like to help track this one down.

Cheers,
John T.


On Thu, 8 Jan 2004, Andrew Judge wrote:

> Nope - it makes its own SIDs.  To prove - it starts and ends with net
> getlocalsid. Here is the output since I tried it again:
>
> [root at fire2 root]# net getlocalsid
> SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
> [root at fire2 root]# service smb stop
> Shutting down SMB services:                                [  OK  ]
> Shutting down NMB services:                                [  OK  ]
> [root at fire2 root]# rm -f /var/cache/samba/group_mapping.tdb
> [root at fire2 root]# service smb start
> Starting SMB services:                                     [  OK  ]
> Starting NMB services:                                     [  OK  ]
> [root at fire2 root]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
> Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> [root at fire2 root]# net getlocalsid
> SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: Thursday, January 08, 2004 10:34 AM
> To: Andrew Judge
> Cc: Samba
> Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize
>
>
> On Thu, 8 Jan 2004, Andrew Judge wrote:
>
> > Okay, I did all the below successfully.  I actually had the old SID from
> > the other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify
> > the NTUSER.DAT files
> >
> > Still no luck with the admin rights.  It will log into the domain and can
> > see the domain groups and I can add them to local groups.  It even uses
> > the netlogon scripts.  Do you need more info?  I think we are close though.
>
> Andy,
>
> In the procedure I gave you rather specific steps. That was for a reason.
> Maybe I should have explained each step a lot more fully.
>
> Samba stores its Domain/Machine SID in the secrets.tdb file. When you
> deleted the group_mapping.tdb file and then restarted Samba, it re-created
> the group_mapping.tdb file with all the default accounts. When it did
> this, the default accounts were initialized with the SID that was in the
> secrets.tdb file.
>
> I am guessing that you changed the SID _AFTER_ restarting Samba.
>
> I was trying to get your SIDs uniform throughout with minimum effort on
> your part. By resetting the Domain SID, you undid what I was trying to get
> you to rectify.
>
> Your Windows clients will be very confused by the inconsistent SIDs. What
> you did by resetting the SID would be expected to break everything again.
>
> I am guessing that by running:
> 	net getlocalsid
> you will now be able to confirm that the Samba Domain SID is the same as
> your original Domain SID.
>
> If you want this to work, you will have to repeat the steps I gave you
> though. Domain security will not work unless the SIDs are consistent.
>
> Cheers,
> John T.
>
> >
> > Andy
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht at samba.org]
> > Sent: Wednesday, January 07, 2004 11:42 PM
> > To: Andrew Judge
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize
> >
> > 1. Stop Samba
> > 2. Delete the group_mapping.tdb file.
> > 3. Restart Samba
> > 	- the default Domain Groups will automatically be created if you
> > 	  are NOT using LDAP ldapsam.
> > 4. Map your groups as follows:
> >
> > net groupmap modify ntgroup="Domain Users" unixgroup=users
> > net groupmap modify ntgroup="Domain Admins" unixgroup=root
> > net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
> >
> > Add any Domain Groups you may want. Do tie them to existing (manually
> > created UNIX groups) eg:
> >
> > groupadd engineers
> > net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
> >
> > groupadd ntadmins
> > net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
> >
> >
> > PS: If you have a problem with these commands email me, I'll help you.
> >
> >
> > 5. Add all users who should have Domain Admin rights to the UNIX root
> > group in /etc/group, like this:
> >
> > root:x:0:jht,jimbo,jack,jill
> >
> >
> > 6. Add all users who should have Workstation Admin rights (Power Users) to
> > the UNIX ntadmins group in /etc/group, like this:
> >
> > ntadmins:x:123:maryo,susant,billm
> >
> >
> > 7. Verify that the groups are correctly mapped:
> >
> > net groupmap list
> >
> >
> > 8. Now: On every windows client machine add:
> >
> > 	a) Domain Admins to the Local Administrators Group
> > 	b) Domain Power Users to the Local Power Users Group
> >
> >
> > >
> > > Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> > > changed the SID to the last PDC.  Anyway, how would I get the right SID?
> > > I have NTUSER.DAT files that I can run profiles against to read them.
> > > Would that help?
> >
> > You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
> > NTUSER.DAT files.
> >
> > To obtain the domain SID just run:
> >
> > 	net getlocalsid
> >
> >
> > >
> > > First one that can point me in the right direction to get this
> > > resolved - I'll buy them an Amazon gift cert for $50.  Beats going bald
> > > from pulling out my hair.
> >
> > It's a deal man!
> >
> >
> > - John T.
> > --
> > John H Terpstra
> > Email: jht at samba.org
> >
>
> --
> John H Terpstra
> Email: jht at samba.org
>
>

-- 
John H Terpstra
Email: jht at samba.org
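The check John asks for in the thread (compare the domain SID reported by
net getlocalsid with the SIDs of the domain groups in net groupmap list,
then confirm those groups are actually tied to UNIX groups) can be scripted
so it is not done by eye. The script below is an added example, not code
from the thread or from the Samba project. It parses the two commands'
output offline from samples constructed out of the transcripts above; the
mapped-group form "-> root" in the second sample and the helper names are
assumptions. Against a live Samba 3 host you would feed it the real output
as shown in the comment at the top.

```sh
#!/bin/sh
# Added example (not from the thread or from Samba): verify that
#  (1) every domain group in `net groupmap list` sits under the domain SID
#      that `net getlocalsid` reports, and
#  (2) no domain group is still unmapped (gid -1).
# Live usage on a Samba 3 host:
#   check_groupmap_sids "$(net getlocalsid)" "$(net groupmap list)"
#   unmapped_domain_groups "$(net groupmap list)"

# Pull the S-1-5-21-... SID out of a "SID for domain X is: S-..." line.
local_sid_from_getlocalsid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9][0-9-]*\).*/\1/p'
}

# Print every domain-group line whose SID prefix is not the local domain
# SID. Built-in aliases (S-1-5-32-*) are skipped: they are well-known SIDs
# and are not derived from the domain SID. Returns 0 when consistent,
# 1 when at least one group was created under another domain SID,
# 2 when the getlocalsid output could not be parsed.
check_groupmap_sids() {
    local_sid=$(local_sid_from_getlocalsid "$1")
    if [ -z "$local_sid" ]; then
        echo "cannot parse local SID from: $1" >&2
        return 2
    fi
    foreign=$(printf '%s\n' "$2" | grep '(S-1-5-21-' | grep -vF "($local_sid-" || true)
    if [ -n "$foreign" ]; then
        echo "domain groups NOT under local SID $local_sid:"
        printf '%s\n' "$foreign"
        return 1
    fi
    echo "all domain groups carry local SID $local_sid"
    return 0
}

# Print domain groups that are still mapped to gid -1 (no UNIX group yet).
unmapped_domain_groups() {
    printf '%s\n' "$1" | grep '(S-1-5-21-' | grep -- '-> -1$' || true
}

# Number of lines in a string, 0 for the empty string.
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Constructed sample 1: Andrew's transcript, where the groups were created
# under a SID that differs from the one getlocalsid reports.
SAMPLE_LOCALSID_BAD='SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950'
SAMPLE_GROUPMAP_BAD='System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1'

# Constructed sample 2: John's SID, after the three "net groupmap modify"
# steps from the thread; the "-> root" mapped form is an assumption.
SAMPLE_LOCALSID_GOOD='SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950'
SAMPLE_GROUPMAP_GOOD='Domain Admins (S-1-5-21-1206063004-3966108128-1487570950-512) -> root
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> nobody
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> users'

# Stand-alone demo on the constructed samples.
check_groupmap_sids "$SAMPLE_LOCALSID_BAD" "$SAMPLE_GROUPMAP_BAD" || echo "status: $?"
echo "unmapped in sample 1: $(count_lines "$(unmapped_domain_groups "$SAMPLE_GROUPMAP_BAD")")"
check_groupmap_sids "$SAMPLE_LOCALSID_GOOD" "$SAMPLE_GROUPMAP_GOOD" || echo "status: $?"
echo "unmapped in sample 2: $(count_lines "$(unmapped_domain_groups "$SAMPLE_GROUPMAP_GOOD")")"
```

On the first sample the script lists the three Domain groups created under
S-1-5-21-3168668608-... and exits 1, which is exactly the inconsistency
John points at; on the second it exits 0 and reports no unmapped domain
groups. A non-zero exit from check_groupmap_sids after the "delete
group_mapping.tdb and restart" step means secrets.tdb and the running
smbd disagree about the domain SID and the group map must not be trusted.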

