[Samba] Winbind - how to map ADS group to Unix group

Miles, Noal noal.miles at tdstelecom.com
Thu Mar 17 20:50:29 GMT 2005

After much experimentation I think I can better frame this problem.  I
wanted to be able to map an ADS domain group to a local Unix group.  I also
wanted to be able to map ADS domain groups/accounts to ROOT.  For instance I
wanted all members of the ADS group Domain Admins to map to ROOT.  My Linux
box was joined to the ADS domain but is not running smbd.  Only winbindd is
After experimenting with suggestions to use:
net groupmap
username map
I have come to the conclusion that these approaches only work for
interaction with smbd and don't help when all that is running is winbindd.
It seems to me these approaches work for controlling resources exposed via
I am running only winbindd because at this point I am not concerned with
sharing resources but more concerned with Single Sign On with ADS groups
mapped to having rights on Linux boxes.
So this is what I have learned.  Running winbindd only:
use "gpasswd -a "DOM\Account" unixgroup" will add a ADS domain account to a
local *nix group
setting "winbind trusted domains only = yes" and then creating each domain
account locally I can make a domain admin account = ROOT, but of course this
means I have to create each account locally which is no fun (I think this is
what Choudary Mumtaz was proposing).
THE QUESTION:  I think at this point I may be trying to make winbindd work
in a way it wasn't really designed to.  As a next step I was thinking of
trying to edit the winbind DB and manually set the GID of Domain Admins to 0
or group Domain Users to 503.  As far as I can tell there is not a command
line interface to change the mappings within the winbindd DB.  Does this
make sense?
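
An added example, not from this thread: a small POSIX shell helper for the winbindd-only approach above, turning winbind's view of an AD group into the gpasswd calls that put its members into a local Unix group. It assumes the default "winbind separator" of "\" and that wbinfo --group-info and getent group both print a group(5)-style line; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: turn winbind's view of an AD group
# into gpasswd calls that add its members to a local Unix group, the
# winbindd-only approach described above.
# Assumed: "winbind separator" is the default "\", and
#   wbinfo --group-info='DOM\Domain Admins'
# prints a group(5)-style line such as (constructed sample)
#   DOM\domain admins:x:10001:DOM\alice,DOM\bob
# getent group <unixgroup> prints the same layout for the local group.

# Print the members (4th colon-separated field) of a group(5) line,
# one per line. An empty member list prints nothing.
members_from_group_line() {
    printf '%s\n' "$1" |
        awk -F: '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# sync_group AD_LINE LOCAL_LINE UNIXGROUP [apply]
# For every member of the AD group line that is not yet in the local
# group line, print the gpasswd command that adds it; with a 4th
# argument of "apply" the command is executed instead of printed.
# Members are only added, never removed from the local group.
sync_group() {
    ad_line=$1 local_line=$2 unixgroup=$3 mode=${4:-print}
    members_from_group_line "$ad_line" | while IFS= read -r member; do
        # Skip accounts that are already members of the local group.
        if members_from_group_line "$local_line" | grep -Fxq -- "$member"; then
            continue
        fi
        if [ "$mode" = apply ]; then
            gpasswd -a "$member" "$unixgroup"
        else
            printf "gpasswd -a '%s' %s\n" "$member" "$unixgroup"
        fi
    done
}

# Typical invocation on a winbindd-only host (root needed to apply):
#   sync_group "$(wbinfo --group-info='DOM\Domain Admins')" \
#              "$(getent group wheel)" wheel apply
```

Run it without the "apply" argument first to review the commands it would issue; the helper never removes anyone from the local group.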

-----Original Message-----
From: Choudary Mumtaz [mailto:asadmumtaz1 at yahoo.com] 
Sent: Thursday, March 03, 2005 6:30 PM
To: Miles, Noal; 'Gerald (Jerry) Carter'
Cc: 'samba at lists.samba.org'
Subject: RE: [Samba] Winbind - how to map ADS group to Unix group

It might be a very silly way to do it, but this is how I accomplished it as
I never got any help from the group during my setup. Most of the tools
provided by Samba didn't work for me, and I haven't been able to figure out
the problem. 
I have added all the respective SAMBA groups to local /etc/group, so here
you may make test2 member of "Domain Users" group, and it will work. If you
would like a take a quick look at my setup, please feel free to visit
<http://www.miracletechs.com/sambainstall.html> .
Thank you.

"Miles, Noal" <noal.miles at tdstelecom.com> wrote:

Winbind is configured for ads.
I want "Domain\Domain Users" to be members of local linux group "test2".

I created a local group on the linux box:
groupadd -g 502 test2

I have tried net groupmap addmem, it tells me the syntax is 
net groupmap addmem alias-sid member-sid

There is no SID for test2 so how can I use "net groupmap addmem"?
wbinfo -G 502
Cannot convert gid 502 to sid

net groupmap add ntgroup="Domain\Domain Users" unixgroup=test2
Successfully added group "Domain\Domain Users" to the mapping db

getent group test2
So this doesn't work either.

I have also tried username map in smb.conf with no success.

I appreciate the suggestions thus far. Any additional help would be greatly

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Tuesday, March 01, 2005 8:00 AM
To: Miles, Noal
Cc: 'samba at lists.samba.org'
Subject: Re: [Samba] Winbind - how to map ADS group to Unix group


Miles, Noal wrote:

| OK I set "winbind nested group = yes"

use `net groupmap {addmem,delmem,listmem}'

cheers, jerry