[Samba] GroupMap Issues
Craig White
craigwhite at azapple.com
Fri Jan 30 04:39:42 GMT 2004
On Thu, 2004-01-29 at 19:33, Jason Gray wrote:
> I have been trying to figure out what this error is:
>
> Jan 29 18:23:07 dc2 smbd[20729]: [2004/01/29 18:23:07, 0]
> rpc_server/srv_util.c:get_domain_user_groups(371)
> Jan 29 18:23:07 dc2 smbd[20729]: get_domain_user_groups: primary gid of
> user [barbara] is not a Domain group !
> Jan 29 18:23:07 dc2 smbd[20729]: get_domain_user_groups: You should fix
> it, NT doesn't like that
> Jan 29 18:23:08 dc2 smbd[20729]: [2004/01/29 18:23:08, 0]
> rpc_server/srv_util.c:get_alias_user_groups(219)
> Jan 29 18:23:08 dc2 smbd[20729]: get_alias_user_groups: gid of user
> barbara doesn't exist. Check your /etc/passwd and /etc/group files
>
> I thought I fixed the error but it keeps coming back. My only concern is
> that it is slowing network access down. Is this an error I should be
> worried about? I'm using LDAP as my backend so why Samba is checking the
> /etc/passwd and /etc/group files is strange. I have the nsswitch set up to
> check "files ldap winbind".
>
> Is this error due to the fact that Samba checks the files first, can't find
> the users, then goes onto ldap?
>
> It's kind of annoying cuz I don't know if the error is a problem or not.
---
most errors should be considered problems

gid of user barbara doesn't exist - primary gid of user barbara not a
Domain group ! NT doesn't like that

You are gonna need to fix these things...

sambaPrimaryGroupSID: S-1-5-21-1292501092-333717336-619646970-513

substitute your sid for this value - the end -513 stands for the
'built-in' "Domain Users" group, a very good idea for most users on the
network (obvious exceptions are unprivileged users)

If you actually understand LDAP and can manipulate the information, a
group would look like this...

dn: cn=Domain Users,ou=Groups,o=Mullen,c=US
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1008
sambaSID: S-1-5-21-1292501092-333717336-619646970-513
sambaGroupType: 2
displayName: Domain Users
description: All domain users
creatorsName: cn=root,o=Mullen,c=US
createTimestamp: 20040121055900Z
memberUid: root
memberUid: artstation
memberUid: Administrator

and so on with many members...

any posix group can be a sambaDomainGroup - the requisite items are:

objectclass: sambaGroupMapping
cn:
displayName:
gidNumber:
sambaSID: #which can't belong to anything else, best to number the last
extension over 1000
sambaGroupType: #2 for Domain group - 5 for local group

if there is no group mapping for a particular sambaSID, then you could
use the net groupmap add command to create these values.

if there is a group mapping for a particular sambaSID, then you can use
the net groupmap modify command but I have to tell you, I find it
infinitely easier and more direct to change these either directly
through ldif or through phpldapadmin.

YMMV
Craig
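
Added example (not part of the original message, and not Samba code): an offline check of an LDIF export for the two conditions in the quoted smbd log, a user whose gidNumber matches no group and a user whose primary group has no Domain group mapping. The entries, the o=Example tree and the function names are constructed for illustration; the parser assumes unfolded LDIF with exact-case objectClass values, and treating a sambaPrimaryGroupSID that differs from the group's sambaSID as a problem is this example's own assumption.

```python
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,o=Example
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1008
sambaSID: S-1-5-21-1292501092-333717336-619646970-513
sambaGroupType: 2

dn: cn=staff,ou=Groups,o=Example
objectClass: posixGroup
gidNumber: 100

dn: uid=alice,ou=People,o=Example
objectClass: sambaSamAccount
gidNumber: 1008
sambaPrimaryGroupSID: S-1-5-21-1292501092-333717336-619646970-513

dn: uid=barbara,ou=People,o=Example
objectClass: sambaSamAccount
gidNumber: 100
sambaPrimaryGroupSID: S-1-5-21-1292501092-333717336-619646970-513

dn: uid=carol,ou=People,o=Example
objectClass: sambaSamAccount
gidNumber: 2000
"""  # constructed entries for illustration, not taken from the thread

def parse_ldif(text):  # simple unfolded LDIF -> list of {attr_lowercase: [values]}
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for key, _, value in (line.partition(": ") for line in block.splitlines()):
            entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return entries

def check_primary_groups(entries):
    """Map user dn -> why its primary group would trigger the smbd errors above."""
    groups = {e["gidnumber"][0]: e for e in entries if "posixGroup" in e["objectclass"]}
    problems = {}
    for e in (u for u in entries if "sambaSamAccount" in u["objectclass"]):
        grp = groups.get(e["gidnumber"][0])
        if grp is None:
            problems[e["dn"][0]] = "gid does not exist"
        elif grp.get("sambagrouptype") != ["2"]:  # 2 = Domain group per the post
            problems[e["dn"][0]] = "primary gid is not a Domain group"
        elif e.get("sambaprimarygroupsid") != grp.get("sambasid"):
            problems[e["dn"][0]] = "sambaPrimaryGroupSID differs from group sambaSID"
    return problems
```

Calling check_primary_groups(parse_ldif(SAMPLE_LDIF)) reports barbara (group exists but has no Domain group mapping) and carol (no group with that gidNumber), and passes alice.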