[Samba] Group mapping giving incorrect GIDs

Eric Roseme eroseme at emonster.rose.hp.com
Wed Nov 9 16:14:27 GMT 2005


a.nielsen at research.uq.edu.au wrote:

>Hi,
>
>I think I've narrowed down my problem to the fact that the group mapping is
>not giving me the same GID for all 'equivalent' groups, as seen here:
>
>$ net groupmap list
>DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp1
>
>$ getent group unixgrp1
>unixgrp1:x:203:
>
>$ getent group DOMAIN\\Group1
>DOMAIN\Group1:x:10001:DOMAIN\User1
>
>This means that the GID of unixgrp1 is 203, however the GID of DOMAIN\Group1
>is completely different!  Given the group mapping, I was expecting that both
>groups would be returned with a GID of 203, so that according to the Linux
>box both those groups are the same.
>
>As it stands now, when DOMAIN\User1 connects, it's using a GID of 10001
>which has no access to the filesystem.  It should be connecting as GID 203,
>which has the correct filesystem permissions.
>
>Is what I'm trying to do even possible?
>
>Thanks,
>Adam.
>  
>
Hi Adam,

Just so you do not feel abandoned - I have gotten the same results when 
trying a similar operation.  In my case, I was trying to use a mapped 
group on "valid users = @mapped".  That does not work at all.  I also 
could not make it work with ACLs.  A co-worked did some additional 
testing and could get mapped groups to work on ugo permissions, but only 
with "security = user", not "security = ads".

If my co-worker and I can characterize the behavior more accurately, 
I'll write up what we find for posterity.

Eric Roseme
Hewlett-Packard



More information about the samba mailing list