[Samba] Re: Group membership
Igor Belyi
sambauser at katehok.ac93.org
Sat Oct 16 23:16:48 GMT 2004

The trick is in you picking the SID by yourself. :o)

sambaPrimaryGroupSID: should always be either an explicit mapping of
gidNumber in the groupmap or an implicit arithmetic mapping: (gidNumber *
2) + 'rid base' + 1. Your problem is that you have an inconsistency in your
root's setup. As a result its primary group 0 gets mapped into RID 1001
which corresponds to engr.

You can do one of the following:
1. change gidNumber of the cn=root to that of the 'Domain Admins' or
2. change the name of gid=0 to be 'Domain Admins' or
3. change mapping 'Domain Admins -> root'

I would also recommend using arithmetic gidNumber -> SID mapping unless
you are mapping predefined Windows RIDs.

Hope it helps,
Igor

Misty Stanley-Jones wrote:
> I am using Samba PDC with OpenLDAP2 and smbldap-tools. As part of my
> logon.bat, I call a script called ifmember.exe. This script can list out the
> groups a user is a member of. It is reporting that my root user is a member
> of the group 'engr.' I don't know if this is a bug with ifmember.exe or if
> it's an issue in Samba or in LDAP. Here is some relevant data:
>
> oink:/etc/smbldap-tools # smbldap-groupshow engr
> dn: cn=engr,ou=groups,dc=borkholder,dc=com
> cn: engr
> gidNumber: 1001
> memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
> objectClass: top,posixGroup,sambaGroupMapping
> sambaGroupType: 2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
>
> oink:/usr/local/sbin # ./smbldap-usershow root
> dn: cn=root,ou=people,dc=borkholder,dc=com
> objectClass: account,posixAccount,top,sambaSamAccount
> cn: root
> uid: root
> uidNumber: 0
> gidNumber: 0
> loginShell: /bin/bash
> homeDirectory: /root
> displayName: root
> sambaPwdCanChange: 1095966471
> sambaPwdMustChange: 2147483647
> sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
> sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1095966471
> sambaAcctFlags: [U ]
> userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
> sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512
>
> oink:/usr/local/sbin # net groupmap list
> acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
> truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
> hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
> furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
> dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
> Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins
> Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users
> Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) -> Domain Guests
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) -> Workgroup Computers
> Administrators (S-1-5-32-544) -> Administrators
> acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
> receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -> receptionist
> engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr
>
> Is there anywhere else I can look to see why this command thinks I'm a member
> of the engr group? I'm using nss_ldap on the server for authentication as
> well.
>
> Misty
>
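
The consistency check described in the reply, as an added example that is not part of the original thread and not Samba's own code. It models only the rule stated above (explicit groupmap entry, otherwise the arithmetic mapping); the rid base of 1000, the gidNumber 512 for 'Domain Admins', and the helper names are assumptions.

```python
RID_BASE = 1000  # assumption: Samba's default "algorithmic rid base"
DOMAIN_SID = "S-1-5-21-725326080-1709766072-2910717368"  # from the thread

# Constructed sample data modelled on the quoted output.
GROUPS = [
    {"cn": "engr", "gidNumber": 1001, "sambaSID": DOMAIN_SID + "-1001"},
    # gidNumber 512 is assumed; the thread does not show it.
    {"cn": "Domain Admins", "gidNumber": 512, "sambaSID": DOMAIN_SID + "-512"},
]
ROOT = {"uid": "root", "gidNumber": 0,
        "sambaPrimaryGroupSID": DOMAIN_SID + "-512"}


def algorithmic_group_rid(gid, rid_base=RID_BASE):
    """Implicit mapping quoted in the reply: (gidNumber * 2) + rid base + 1."""
    return gid * 2 + rid_base + 1


def rid_of(sid):
    """Last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def audit_primary_group(user, groups, domain_sid, rid_base=RID_BASE):
    """Return findings for one user; an empty list means consistent."""
    findings = []
    by_gid = {g["gidNumber"]: g for g in groups}
    by_sid = {g["sambaSID"]: g for g in groups}
    gid = user["gidNumber"]
    if gid in by_gid:
        resolved = by_gid[gid]["sambaSID"]  # explicit groupmap entry
    else:
        resolved = f"{domain_sid}-{algorithmic_group_rid(gid, rid_base)}"
        if resolved in by_sid:  # hand-picked RID shadows this gid
            findings.append(f"gid {gid} has no groupmap entry; its arithmetic "
                            f"SID is already used by '{by_sid[resolved]['cn']}'")
    if resolved != user["sambaPrimaryGroupSID"]:
        findings.append(f"{user['uid']}: sambaPrimaryGroupSID RID "
                        f"{rid_of(user['sambaPrimaryGroupSID'])} != RID "
                        f"{rid_of(resolved)} derived from gidNumber {gid}")
    return findings


if __name__ == "__main__":
    for finding in audit_primary_group(ROOT, GROUPS, DOMAIN_SID):
        print("FINDING:", finding)
    # Option 1 from the reply: give root the gidNumber of 'Domain Admins'.
    print(audit_primary_group(dict(ROOT, gidNumber=512), GROUPS, DOMAIN_SID))
```

Running the same audit over every sambaSamAccount entry flags accounts whose effective primary group differs from the one recorded in sambaPrimaryGroupSID.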