[Samba] Group mapping: different SIDs
adam.nielsen at uq.edu.au
Thu Nov 24 23:43:34 GMT 2005
> > net getlocalsid
> > SID for domain PDC is: S-1-5-21-4166838278-3756557259-2095403906
> > net getlocalsid DOMAIN
> >SID for domain DOMAIN is: S-1-5-21-2018781741-1218799122-1862565094
> The group mapping shows
> > Domain Users (S-1-5-21-4166838278-3756557259-2095403906-513) -> -1
> > Domain Admins (S-1-5-21-4166838278-3756557259-2095403906-512) -> -1
As indicated by the SID, these two groups are local groups, only stored
on the Samba machine.
> > domadmins (S-1-5-21-2018781741-1218799122-1862565094-512) -> ntadmin
> > domusers (S-1-5-21-2018781741-1218799122-1862565094-513) -> users
These two groups will *probably* (assuming the SID is correct) map
anyone in the domain's "Domain Admins" group to the local "ntadmin"
There are two "Domain Admins" groups here - one belongs to the domain
itself and is probably the one you want to map, the other only affects
the local machine, it's a local group.
> - the mapping relating of the self-defined ntgroups "domadmins" and
> "domusers" would have no effect in the domain?
Assuming you've used the correct SID, in theory anyone in the domain's
"Domain Admins" group will be mapped to the "ntadmin" UNIX group.
I say in theory, because I was unable to get group mapping to fully
work (it seems that if you run winbind the group mapping is for the
most part ignored.)
> How can I check the domain a pdc is in? Can I do this with "net rpc
When I run this it says "Join to 'DOMAIN' is OK"
> Can I fix that by deleting the mappings for "domadmins" and
> "domusers" and then mapping the "built-in" ntgroups "Domain Admins"
> and "Domain Users" with the correct SID as an additional parameter or
> would that cause chaos?
That would cause chaos, because I think Samba requires the local groups
to be present - I believe that you can add users to the local "Domain
Admins" group to give them admin access to Samba.
More information about the samba