[Samba] Group membership

Misty Stanley-Jones misty at borkholder.com
Tue Oct 12 22:04:38 GMT 2004

I am using Samba PDC with OpenLDAP2 and smbldap-tools.  As part of my 
logon.bat, I call a script called ifmember.exe.  This script can list out the 
groups a user is a member of.  It is reporting that my root user is a member 
of the group 'engr.'  I don't know if this is a bug with ifmember.exe or if 
it's an issue in Samba or in LDAP.  Here is some relevant data:

oink:/etc/smbldap-tools # smbldap-groupshow engr
dn: cn=engr,ou=groups,dc=borkholder,dc=com
cn: engr
gidNumber: 1001
memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
objectClass: top,posixGroup,sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001

oink:/usr/local/sbin # ./smbldap-usershow root
dn: cn=root,ou=people,dc=borkholder,dc=com
objectClass: account,posixAccount,top,sambaSamAccount
cn: root
uid: root
uidNumber: 0
gidNumber: 0
loginShell: /bin/bash
homeDirectory: /root
displayName: root
sambaPwdCanChange: 1095966471
sambaPwdMustChange: 2147483647
sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
sambaPwdLastSet: 1095966471
sambaAcctFlags: [U          ]
userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512

oink:/usr/local/sbin # net groupmap list
acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins
Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users
Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) -> Domain Guests
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) -> 
Workgroup Computers
Administrators (S-1-5-32-544) -> Administrators
acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -> receptionist
engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr

Is there anywhere else I can look to see why this command thinks I'm a member 
of the engr group?  I'm using nss_ldap on the server for authentication as 


More information about the samba mailing list