[Samba] Re: Group membership

Igor Belyi sambauser at katehok.ac93.org
Sat Oct 16 23:16:48 GMT 2004


The trick is in your picking the SID yourself. :o)

sambaPrimaryGroupSID: should always be either an explicit mapping of 
gidNumber in the groupmap or the implicit arithmetic mapping: (gidNumber * 
2) + 'rid base' + 1. Your problem is that you have an inconsistency in your 
root's setup. As a result its primary group 0 gets mapped into RID 1001, 
which corresponds to engr.

You can do one of the following:
1. change gidNumber of the cn=root to that of the 'Domain Admins' or
2. change the name of gid=0 to be 'Domain Admins' or
3. change mapping 'Domain Admins -> root'

I would also recommend using arithmetic gidNumber -> SID mapping unless 
you are mapping predefined Windows RIDs.

Hope it helps,
Igor

Misty Stanley-Jones wrote:
> I am using Samba PDC with OpenLDAP2 and smbldap-tools.  As part of my 
> logon.bat, I call a script called ifmember.exe.  This script can list out the 
> groups a user is a member of.  It is reporting that my root user is a member 
> of the group 'engr.'  I don't know if this is a bug with ifmember.exe or if 
> it's an issue in Samba or in LDAP.  Here is some relevant data:
> 
> oink:/etc/smbldap-tools # smbldap-groupshow engr
> dn: cn=engr,ou=groups,dc=borkholder,dc=com
> cn: engr
> gidNumber: 1001
> memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
> objectClass: top,posixGroup,sambaGroupMapping
> sambaGroupType: 2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
> 
> oink:/usr/local/sbin # ./smbldap-usershow root
> dn: cn=root,ou=people,dc=borkholder,dc=com
> objectClass: account,posixAccount,top,sambaSamAccount
> cn: root
> uid: root
> uidNumber: 0
> gidNumber: 0
> loginShell: /bin/bash
> homeDirectory: /root
> displayName: root
> sambaPwdCanChange: 1095966471
> sambaPwdMustChange: 2147483647
> sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
> sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
> sambaPasswordHistory: 
> 0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1095966471
> sambaAcctFlags: [U          ]
> userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
> sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
> sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512
> 
> oink:/usr/local/sbin # net groupmap list
> acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
> truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
> hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
> furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
> dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
> Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins
> Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users
> Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) -> Domain Guests
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) -> 
> Workgroup Computers
> Administrators (S-1-5-32-544) -> Administrators
> acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
> receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -> receptionist
> engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr
> 
> Is there anywhere else I can look to see why this command thinks I'm a member 
> of the engr group?  I'm using nss_ldap on the server for authentication as 
> well.
> 
> Misty
> 
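The arithmetic mapping Igor describes can be checked mechanically against the data Misty posted. The script below is an added illustration, not code from this thread or from Samba or smbldap-tools. It assumes an 'algorithmic rid base' of 1000 (Samba's default; the thread does not state the value), takes the domain SID prefix and a subset of the `net groupmap list` output from the quoted mail as constructed sample input, and models only the arithmetic fallback used when a gid has no explicit groupmap entry. For root's gidNumber 0 it derives RID 0 * 2 + 1000 + 1 = 1001, which the groupmap resolves to engr, while the declared sambaPrimaryGroupSID ending in 512 resolves to Domain Admins, which is exactly the inconsistency behind the ifmember.exe report.

```python
import re

# Domain SID prefix copied from the thread's output; the RID base is an
# assumption (1000 is Samba's default for 'algorithmic rid base').
DOMAIN_SID = "S-1-5-21-725326080-1709766072-2910717368"
ALGORITHMIC_RID_BASE = 1000

# Constructed subset of the `net groupmap list` output quoted in the thread.
GROUPMAP_OUTPUT = """\
acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins
Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users
Administrators (S-1-5-32-544) -> Administrators
engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr
"""

# Constructed from the `smbldap-usershow root` output in the thread.
ROOT_ENTRY = {
    "uid": "root",
    "gidNumber": 0,
    "sambaPrimaryGroupSID": DOMAIN_SID + "-512",
}

# One `net groupmap list` line: "<NT name> (<SID>) -> <Unix group>"
GROUPMAP_LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[0-9-]+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """Map SID -> Unix group name from `net groupmap list` style lines."""
    mapping = {}
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            mapping[m.group("sid")] = m.group("unix")
    return mapping


def gid_to_rid(gid, rid_base=ALGORITHMIC_RID_BASE):
    """Arithmetic fallback Samba uses when a gid has no explicit groupmap entry."""
    return gid * 2 + rid_base + 1


def gid_to_sid(gid, rid_base=ALGORITHMIC_RID_BASE):
    """Full SID for a gid under the arithmetic mapping."""
    return f"{DOMAIN_SID}-{gid_to_rid(gid, rid_base)}"


def check_primary_group(entry, groupmap):
    """Compare the SID an account declares with the one its gidNumber derives.

    Returns the two SIDs, the Unix group each resolves to in the groupmap,
    and whether they agree; a mismatch is the situation described in the thread.
    """
    declared_sid = entry["sambaPrimaryGroupSID"]
    derived_sid = gid_to_sid(entry["gidNumber"])
    return {
        "uid": entry["uid"],
        "declared_sid": declared_sid,
        "declared_group": groupmap.get(declared_sid),
        "derived_sid": derived_sid,
        "derived_group": groupmap.get(derived_sid),
        "consistent": declared_sid == derived_sid,
    }


if __name__ == "__main__":
    report = check_primary_group(ROOT_ENTRY, parse_groupmap(GROUPMAP_OUTPUT))
    for key, value in report.items():
        print(f"{key:>15}: {value}")
```

The check only knows about the arithmetic fallback, so after applying Igor's first remedy (giving root the gidNumber of Domain Admins, which has an explicit groupmap entry) it would still report a mismatch; to cover explicit mappings you would read the gidNumber of each sambaGroupMapping entry from LDAP, which the `net groupmap list` format shown here does not include.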


