[Samba] Time to straighten out groupmap

Craig White craigwhite at azapple.com
Mon Jan 19 06:33:15 GMT 2004 

I need to clean up the groupmap setup - samba 3.0.0 / ldapsam

Although I'm spitting out a fair amount of information, I'm going to
concentrate on the Administrators entry which appears twice, this
doesn't seem good...

# net groupmap list
Administrators (S-1-5-21-1292501092-333717336-619646970-544) -> root
Backup Operators (S-1-5-21-1292501092-333717336-619646970-551) -> bin
Replicators (S-1-5-21-1292501092-333717336-619646970-552) -> daemon
System Operators (S-1-5-21-1292501092-333717336-619646970-549) -> sys
Domain Admins (S-1-5-21-1292501092-333717336-619646970-512) -> adm
Print Operators (S-1-5-21-1292501092-333717336-619646970-550) -> lp
Domain Guests (S-1-5-21-1292501092-333717336-619646970-514) -> nobody
Users (S-1-5-32-545) -> users
Domain Users (S-1-5-21-1292501092-333717336-619646970-513) -> users-all
Domain Computers (S-1-5-21-1292501092-333717336-619646970-515) ->
machines
Public Relations (S-1-5-21-1292501092-333717336-619646970-1021) ->
users-pr
Macintosh Users (S-1-5-21-1292501092-333717336-619646970-1049) ->
users-adv
Accounting (S-1-5-21-1292501092-333717336-619646970-1008) -> users-acctg
Domain Admins (S-1-5-21-1292501092-333717336-619646970-512) -> Domain
Admins
Domain Users (S-1-5-21-1292501092-333717336-619646970-513) -> Domain
Users
Domain Guests (S-1-5-21-1292501092-333717336-619646970-514) -> Domain
Guests
Accounting (S-1-5-21-1292501092-333717336-619646970-1008) -> Accounting
Public Relations (S-1-5-21-1292501092-333717336-619646970-1021) ->
Public Relations
Macintosh Users (S-1-5-21-1292501092-333717336-619646970-1049) ->
Macintosh Users
MTS Impersonators (S-1-5-21-1292501092-333717336-619646970-1003) -> MTS
Impersonators
WWW access (S-1-5-21-1292501092-333717336-619646970-1015) -> WWW access
Account Operators (S-1-5-32-548) -> Account Operators
Administrators (S-1-5-32-544) -> Administrators
Backup Operators (S-1-5-32-551) -> Backup Operators
Guests (S-1-5-32-546) -> Guests
Print Operators (S-1-5-32-550) -> Print Operators
Replicator (S-1-5-32-552) -> Replicator
Server Operators (S-1-5-32-549) -> Server Operators
Domain Computers (S-1-5-21-1292501092-333717336-619646970-553) -> Domain
Computers

I guess that I need a better overview to fix the LDAP setup

I have a group root - 

cn: cn=root,ou=Groups,o=Domain,c=US 

objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: root
userPassword:: e2NyeXB0fXg=
gidNumber: 0
creatorsName: cn=root,o=Domain,c=US
createTimestamp: 20031227024133Z
sambaSID: S-1-5-21-1292501092-333717336-619646970-544
sambaGroupType: 2
displayName: Administrators
description: Local Unix group
modifiersName: cn=root,o=Domain,c=US
modifyTimestamp: 20031227043956Z


NOTE - displayName: Administrators
and I have a group Administrators

dn: cn=Administrators,ou=Groups,o=Domain,c=US 

objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Administrators
gidNumber: 1016
creatorsName: cn=root,o=Domain,c=US
createTimestamp: 20031227025306Z
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
description: Members can fully administer the computer/domain
memberUid: Administrator
memberUid: kbenedetto
modifiersName: cn=root,o=Domain,c=US
modifyTimestamp: 20031227214759Z

This is what I believe happened and how I would fix it - please tell me if I am on target or off base.

I created the users and groups from padl migration scripts
I then net rpc vampire from the Windows NT PDC
I then ran a groupmap command that included...
net groupmap add sid=S-1-5-21-1292501092-333717336-619646970-544 ntgroup="Administrators" unixgroup=root

-
I believe that samba uses the displayName attribute for Groups and my problem is that I have 2 Groups with that display name.

The sambaSID: S-1-5-32-544 of the Administrators group isn't correct. The sambaSID should be the full domain SID and the RID right?

Thus my conclusion is that I should get rid of the one that came from net rpc vampire and keep the 'cn=root,ou=Groups,o=Domain,c=US

And then I repeat for all groups which have more than 1 entry in the net groupmap list.

Correct?

Craig

More information about the samba mailing list