[Samba] Group mapping: different SIDs

[Adam Nielsen]

> > net getlocalsid
> > SID for domain PDC is: S-1-5-21-4166838278-3756557259-2095403906

> > net getlocalsid DOMAIN
> >SID for domain DOMAIN is: S-1-5-21-2018781741-1218799122-1862565094

> The group mapping shows
> > Domain Users (S-1-5-21-4166838278-3756557259-2095403906-513) -> -1
> > Domain Admins (S-1-5-21-4166838278-3756557259-2095403906-512) -> -1

As indicated by the SID, these two groups are local groups, only stored
on the Samba machine.

> > domadmins (S-1-5-21-2018781741-1218799122-1862565094-512) -> ntadmin
> > domusers (S-1-5-21-2018781741-1218799122-1862565094-513) -> users

These two groups will *probably* (assuming the SID is correct) map
anyone in the domain's "Domain Admins" group to the local "ntadmin"
user group.

There are two "Domain Admins" groups here - one belongs to the domain
itself and is probably the one you want to map, the other only affects
the local machine, it's a local group.

> - the mapping relating of the self-defined ntgroups "domadmins" and
> "domusers" would have no effect in the domain?

Assuming you've used the correct SID, in theory anyone in the domain's
"Domain Admins" group will be mapped to the "ntadmin" UNIX group.

I say in theory, because I was unable to get group mapping to fully
work (it seems that if you run winbind the group mapping is for the
most part ignored.)

> How can I check the domain a pdc is in? Can I do this with "net rpc
> testjoin"?

When I run this it says "Join to 'DOMAIN' is OK"

> Can I fix that by deleting the mappings for "domadmins" and
> "domusers" and then mapping the "built-in" ntgroups "Domain Admins"
> and "Domain Users" with the correct SID as an additional parameter or
> would that cause chaos?

That would cause chaos, because I think Samba requires the local groups
to be present - I believe that you can add users to the local "Domain
Admins" group to give them admin access to Samba.

Cheers,
Adam.