[Samba] Group mapping doesn't seem to be working

a.nielsen at research.uq.edu.au a.nielsen at research.uq.edu.au
Mon Nov 7 05:12:19 GMT 2005

Hi everyone,

I'm having some trouble getting group mapping to work.  I want to have a
Samba share that contains a number of different folders, and some of those
folders will be restricted depending on the user's membership to certain
Active Directory groups.  I thought this could be done by mapping the Active
Directory groups to equivalent UNIX groups, and then using standard UNIX
permissions for access control.

This all seems to work, *except* the mapping between the Active Directory
groups and the local UNIX groups.  I tried to map the domain group directly
to a local UNIX group (with "net groupmap"), so that (for example):

  DOMAIN\Group1 => unixgrp1

But if I connect to the share as the user DOMAIN\User (who is a member of
DOMAIN\Group1) I am unable to create files in folders writable by unixgrp1.
If I make a world writable directory, files created by DOMAIN\User are owned
by DOMAIN\User with the group "DOMAIN\Domain Users" (of which this account
is also a member.)

If I run "groups DOMAIN\\User" it tells me that DOMAIN\User is a member of
the "DOMAIN\Domain Users" group, but that's all - it's like this is the
primary group and it's not listing any of the secondary groups.  If I run
"wbinfo --user-groups=DOMAIN\\User" then it lists about 20 automatically
allocated GIDs (such as 10002, 10003, 10005, etc.) so it looks like this is
picking up all the correct groups.

If I "chgrp DOMAIN\\Group1 unixfolder ; chmod g+ws" then I'm actually able
to write into that folder, and the files created belong to the
DOMAIN\\Group1 group, so it seems to be picking up somewhere that
DOMAIN\User is actually a member of DOMAIN\Group1.  This is what I expected
to happen when the directory was owned by "unixgrp1" (except all the files
would be owned by unixgrp1 instead), but it seems that the group mapping
isn't working as it only allows write access to DOMAIN\Group1 owned folders
and not "unixgrp1" owned folders, even though they should be identical
because of the group mapping.

This leads me to think that the group mapping is set up incorrectly, however
I can't see what I've done wrong:

$ wbinfo --name-to-sid=Group1
$ wbinfo --name-to-sid=DOMAIN\\Group1

    both return:

S-1-5-21-620321403-24207062-1845911597-172256 Domain Group (2)

$ net groupmap add sid=S-1-5-21-620321403-24207062-1845911597-172256
ntgroup="Group1" unixgroup=unixgrp1 type=d
$ net groupmap add sid=S-1-5-21-620321403-24207062-1845911597-172256
ntgroup="DOMAIN\\Group1" unixgroup=unixgrp1 type=d

    both report success:

$ net groupmap list

Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp
DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp

Yet the group mapping still doesn't seem to work!  Have I done something
wrong, or does it just not work the way I want it to?
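Following one groupmap entry through to the GIDs winbind reports for the user is the check the post works through by hand; the script below does it as an added example (not from the original post). The `net groupmap list`, `getent group` and `wbinfo --user-groups` output is constructed sample data, and the GID 1500 for unixgrp1 is hypothetical.

```shell
#!/bin/sh
# Diagnostic: does the Unix group that a domain group is mapped to actually
# appear in the GID list winbind hands the user? If not, files the user
# creates will carry the winbind-allocated GIDs, not the mapped group.
# All command output below is CONSTRUCTED sample data.

# Constructed stand-in for: net groupmap list
GROUPMAP_LIST='DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp1'
# Constructed stand-in for: getent group  (GID 1500 for unixgrp1 is hypothetical)
GETENT_GROUP='unixgrp1:x:1500:
DOMAIN\domain users:x:10000:
DOMAIN\group1:x:10002:'
# Constructed stand-in for: wbinfo --user-groups='DOMAIN\User'
WBINFO_GROUPS='10000
10002
10003
10005'

# mapped_unix_group NTGROUP MAPLIST -> prints the Unix group NTGROUP maps to
mapped_unix_group() {
    printf '%s\n' "$2" | grep -F "$1 (" | sed 's/.* -> //'
}

# gid_of_group GROUPNAME GETENT -> prints the GID field for GROUPNAME
# (read -r keeps the backslash in names like DOMAIN\group1 intact)
gid_of_group() {
    printf '%s\n' "$2" | while IFS=: read -r name pw gid rest; do
        if [ "$name" = "$1" ]; then printf '%s\n' "$gid"; fi
    done
}

# user_has_gid GID GIDLIST -> exit 0 if GID is in the list, 1 otherwise
user_has_gid() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# check_mapping NTGROUP -> 0 if the mapped Unix group's GID is in the user's
# winbind group list (mapping is effective for file access), 1 if it is not
check_mapping() {
    unixgrp=$(mapped_unix_group "$1" "$GROUPMAP_LIST")
    gid=$(gid_of_group "$unixgrp" "$GETENT_GROUP")
    if user_has_gid "$gid" "$WBINFO_GROUPS"; then
        echo "$1 -> $unixgrp (GID $gid): present in the user's group list"
        return 0
    fi
    echo "$1 -> $unixgrp (GID $gid): NOT in the user's group list; access uses the winbind GIDs"
    return 1
}

# A non-zero status here is the diagnostic finding, not a script error.
check_mapping 'DOMAIN\Group1' || true
```

Run against real output by replacing the three constructed variables with `$(net groupmap list)`, `$(getent group)` and `$(wbinfo --user-groups='DOMAIN\User')`.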


