[Samba] Re: Group membership

Igor Belyi sambauser at katehok.ac93.org
Sun Oct 17 03:23:10 GMT 2004

Ok, the logic goes like this...

If you want to use root for Domain administration purposes it has to be 
in the Domain user database.
If it's a Domain user its primary group should be a Domain group.
All Domain groups in Samba are mappings from UNIX groups into SIDs.
If mapping for a particular gid is not present it will be created 
automatically using arithmetic approach.

Therefore, if you want your root user to keep its primary gid but to be 
associated with a Domain group 'Domain Admins' the best approach will be 
to map this Domain group into UNIX group 'root' instead of creating 
additional UNIX group 'Domain Admins'.

Another approach will be to use some other user to administer your 
Domain and put it into 'admin users' list in smb.conf then you will be 
free to choose any primary group for it you like just keep the 
consistency between gidNumber and sambaPrimaryGroupSID. All users in the 
'admin users' list are forced into been root when they access Samba so 
you will have the same control you would have with root.

I don't know why this is not documented... I don't read documentation 
that often.. I do know though that Samba team welcomes all suggestions 
to make documentation better. If you know which part of the 
documentation got you confused - let them know how to make it more clear.

Hope it helps,

Misty Stanley-Jones wrote:

>This doesn't make sense.  My root user needs to be gid=0 for all of my UNIX 
>systems that I have auth'ing against the DB.  Will it resolve this if I make 
>the primaryGroupSID of root to be the one of Domain Admins?  This isn't 
>documented anywhere that I can tell.  Thank you for your help, by the way.
>On Saturday 16 October 2004 06:16 pm, you wrote:
>>The trick is in you picking SID by yourself. :o)
>>sambaPrimaryGroupSID: should always be either explicit mapping of
>>gidNumber in the groupmap or implicit arithmetic mapping: (gidNumber *
>>2) + 'rid base' + 1. Your problem is that you have inconsistency in you
>>root's setup. As a result its primary group 0 gets mapped into RID 1001
>>which corresponds to engr.
>>You can do one of the following:
>>1. change gidNumber of the cn=root to that of the 'Domain Admins' or
>>2. change the name of gid=0 to be 'Domain Admins' or
>>3. change mapping 'Domain Admins -> root'
>>I would also recommend to use arithmetic gidNumber -> SID mapping unless
>>you are mapping predefined Windows RIDs.
>>Hope it helps,
>>Misty Stanley-Jones wrote:
>>>I am using Samba PDC with OpenLDAP2 and smbldap-tools.  As part of my
>>>logon.bat, I call a script called ifmember.exe.  This script can list out
>>>the groups a user is a member of.  It is reporting that my root user is a
>>>member of the group 'engr.'  I don't know if this is a bug with
>>>ifmember.exe or if it's an issue in Samba or in LDAP.  Here is some
>>>relevant data:
>>>oink:/etc/smbldap-tools # smbldap-groupshow engr
>>>dn: cn=engr,ou=groups,dc=borkholder,dc=com
>>>cn: engr
>>>gidNumber: 1001
>>>memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
>>>objectClass: top,posixGroup,sambaGroupMapping
>>>sambaGroupType: 2
>>>sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
>>>oink:/usr/local/sbin # ./smbldap-usershow root
>>>dn: cn=root,ou=people,dc=borkholder,dc=com
>>>objectClass: account,posixAccount,top,sambaSamAccount
>>>cn: root
>>>uid: root
>>>uidNumber: 0
>>>gidNumber: 0
>>>loginShell: /bin/bash
>>>homeDirectory: /root
>>>displayName: root
>>>sambaPwdCanChange: 1095966471
>>>sambaPwdMustChange: 2147483647
>>>sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
>>>sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
>>>sambaPwdLastSet: 1095966471
>>>sambaAcctFlags: [U          ]
>>>userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
>>>sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
>>>sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512
>>>oink:/usr/local/sbin # net groupmap list
>>>acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
>>>truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
>>>hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
>>>furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
>>>dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
>>>Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain
>>>Admins Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) ->
>>>Domain Users Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514)
>>>-> Domain Guests Print Operators (S-1-5-32-550) -> Print Operators
>>>Backup Operators (S-1-5-32-551) -> Backup Operators
>>>Replicators (S-1-5-32-552) -> Replicators
>>>Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) ->
>>>Workgroup Computers
>>>Administrators (S-1-5-32-544) -> Administrators
>>>acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
>>>receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) ->
>>>receptionist engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr
>>>Is there anywhere else I can look to see why this command thinks I'm a
>>>member of the engr group?  I'm using nss_ldap on the server for
>>>authentication as well.

More information about the samba mailing list