[Samba] groupmap not working correctly

Buchan Milne bgmilne at obsidian.co.za
Fri May 7 08:47:03 GMT 2004

On Thu, 6 May 2004, Stephen Touset wrote:

> Currently, my company is trying to deploy a Samba 3.0 server with an 
> LDAP back end, for domain authentication. Everything's going extremely 
> well so far except for one facet: net groupmap doesn't seem to play well 
> with LDAP. I can make the mappings just fine:
> hank:/var# net groupmap list
> Domain Users (S-1-5-21-616220168-3974143565-3883354751-513) -> users
> Domain Admins (S-1-5-21-616220168-3974143565-3883354751-512) -> wheel
> However, when it comes to actually giving these users the permissions, 
> it isn't done. Members of wheel aren't given Administrative privilege on 
> Domain Member machines. And I can't seem to figure out if there's a way 
> to view the membership of a group through Windows dialogs, so I can 
> verify whether or not the correct users are indeed members.
> Has anyone else had a problem similar to this, or can give me pointers 
> as to where to proceed from here?

You need to ensure that the unix group memberships are correct on the 
domain controller (ie 'groups $user'). Especially since you are re-using 
pre-existing unix groups (which can cause confusion on the part of the nss 
service if the groups exist both in local files and in LDAP).

I would suggest that you use new unix groups (or be very careful with your 
nss set up etc).


More information about the samba mailing list