[Samba] groupmap

Craig White craigwhite at azapple.com
Sat Nov 12 18:54:58 GMT 2005


On Sat, 2005-11-12 at 15:48 +0000, Simon Faulkner wrote:
> Craig White wrote:
> > On Sat, 2005-11-12 at 13:28 +0000, Simon Faulkner wrote:
> > 
> >>Why would I have some NT domains more than once?
> >>
> >>Did I screw up my import with the Vampire?
> >>
> >>Should I delete the unmapped ones (Gulp!)
> >>
> >>[root at oxidepdc ~]# net groupmap list
> >>System Operators (S-1-5-32-549) -> -1
> >>Replicator (S-1-5-32-552) -> Replicator
> >>Guests (S-1-5-32-546) -> Guests
> >>Recipe (S-1-5-21-1019967034-149178136-1846952604-1016) -> recipe
> >>Domain Users (S-1-5-21-1065375514-2370838480-4047619883-513) -> -1
> >>Domain Users (S-1-5-21-217354674-1388124147-264849902-513) -> -1
> >>Domain Guests (S-1-5-21-217354674-1388124147-264849902-514) -> -1
> >>Power Users (S-1-5-32-547) -> -1
> >>Domain Users (S-1-5-21-2542624836-2007811437-2422883089-513) -> -1
> >>Domain Admins (S-1-5-21-1065375514-2370838480-4047619883-512) -> -1
> >>Print Operators (S-1-5-32-550) -> -1
> >>Administrators (S-1-5-32-544) -> Administrators
> >>Sage (S-1-5-21-1019967034-149178136-1846952604-1005) -> Sage
> >>Domain Admins (S-1-5-21-1019967034-149178136-1846952604-512) -> -1
> >>Domain Users (S-1-5-21-2196479170-443629602-2075717434-513) -> users
> >>Domain Guests (S-1-5-21-1019967034-149178136-1846952604-514) -> -1
> >>Domain Admins (S-1-5-21-2196479170-443629602-2075717434-512) -> root
> >>Domain Guests (S-1-5-21-1065375514-2370838480-4047619883-514) -> -1
> >>Domain Users (S-1-5-21-1019967034-149178136-1846952604-513) -> -1
> >>Domain Guests (S-1-5-21-2196479170-443629602-2075717434-514) -> nobody
> >>Account Operators (S-1-5-32-548) -> -1
> >>Domain Users (S-1-5-21-2968525064-3424225456-755833301-513) -> -1
> >>Domain Admins (S-1-5-21-2968525064-3424225456-755833301-512) -> -1
> >>Domain Guests (S-1-5-21-2968525064-3424225456-755833301-514) -> -1
> >>Backup Operators (S-1-5-32-551) -> -1
> >>Users (S-1-5-32-545) -> Users
> >>Domain Admins (S-1-5-21-2542624836-2007811437-2422883089-512) -> -1
> >>Accounts Dept (S-1-5-21-2196479170-443629602-2075717434-2003) -> acctsdep
> >>Domain Admins (S-1-5-21-217354674-1388124147-264849902-512) -> -1
> >>Domain Guests (S-1-5-21-2542624836-2007811437-2422883089-514) -> -1
> >>Financial Services (S-1-5-21-2196479170-443629602-2075717434-2005) -> finsrvcs
> >>Sales (S-1-5-21-1019967034-149178136-1846952604-1030) -> sales
> > 
> > -----
> > They are all different SIDs.
> > 
> > There's only 1 of them that matters: the SID of your domain; the rest
> > are pretty much meaningless. It looks like you didn't follow the vampire
> > instructions closely enough. How about the users, what do their SIDs
> > look like?
> > 
> > # net getlocalsid
> > 
> > # pdbedit -Lv|grep SID
> > 
> > # net groupmap list
> > 
> > The SIDs should all be the same...with the exception of the RID extensions
> > on the specific objects.
> > 
> > When you vampire, you must get the SID from the NT4 PDC, and then set
> > the samba box to the exact same SID, then vampire, then the users,
> > groups, machine accounts, etc. all have the same base SID
> > 
> > Craig
> 
> 
> [root at oxidepdc ~]# net getlocalsid
> [2005/11/12 15:48:20, 0] utils/net.c:net_getlocalsid(494)
>    Can't fetch domain SID for name: OXIDEPDC
> 
> I guess I am in trouble?
----
Let's keep this on the list so you can benefit from others, perhaps more
knowledgeable or more insightful, and perhaps they can benefit from the
resolution of your situation.

It does appear that there is a problem with your setup. At this point
you should try a tdbdump of your tdb passdb to see what it looks like
and if it is garbage, delete it and start all over. If it looks good,
you can net setlocalsid and it should take but the results of the other
commands I listed above 

I can tell you this much...I have never been satisfied with my first
pass ever on a vampire from an NT4 server. Generally, I have to fix
stuff up with my LDAP setup or smbldap-tools to get it exactly right. I
never use tdb passdb so I can't tell you the exact procedures but with
ldap passdb, I always slapcat the ldap db prior to doing the net rpc
vampire, check out the results in ldap, wipe it all out, restore from
the slapcat that I did previously, fix the things that aren't perfect
and do it again. It takes a few passes. The first time I ever migrated
an NT4 PDC to samba PDC, it probably took about 30 passes - but I tried
to be meticulous. Now, it probably takes me from 2-4 passes but I am
getting quite good at setting up ldap.

Good luck

Craig

