[Samba] Samba domain member and wheel group

Tom McLaughlin tmclaugh at sdf.lonestar.org
Wed Sep 7 01:06:22 GMT 2005

Hi, I have a CentOS 4.1 box at work running Samba 3 which I have added
as a domain member to an existing Windows domain with a Windows PDC.
The box running Samba has no local unix users and groups except for root
and the other builtin accounts.  All user authentication is done through
pam_winbind and user information is handled by winbind.  What I would
like to do is have users that are members of the Windows domain's Unix
Admin global group gain membership to the local unix wheel group when
they log in via ssh to the Linux box.  Preferably without needing to
touch the /etc/groups file at all.

I've read chapters 11 and 12 of the Samba How-To and I tried the
following on the domain member running Samba based on the How-To:

net groupmap add ntgroup="Unix Admin" unixgroup=wheel

But when I ssh'ed in as my user who is a member of the Unix Admin group
and run `groups` I do not see myself as a member of the wheel group.  I
also can't alter files with wheel write permissions.

After looking at the output of `net getdomainsid` and `net groupmap
list` (by this time I had already deleted the Unix Admin -> wheel
groupmap) I realized that the SIDs I see in the groupmap list correspond
to the SID of the local machine and not the domain.  I also see that
Unix Admin is not even listed as a group when I check the groups on the

[root at pinkfloyd ~]# net getdomainsid
SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200

[root at pinkfloyd ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
Domain Guests (S-1-5-21-3074351591-431869502-3764789074-514) -> -1
Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1

My question is how should I be going about mapping my domain group
members so they gain membership to a local Unix group while they're
logged in?  I've read the chapters in the How-To but I'm definitely
missing something.  I realize now that I can't simply groupmap "Unix
Admin" to wheel so there must be some intermediate steps in between.
Can someone point me in the right direction?  Thanks.



# Global parameters
[global]
        workgroup = MEDITECH
        server string = Samba Server
        security = DOMAIN
        password server = meditech3
        log file = /var/log/samba/%m.log
        max log size = 50
        name resolve order = lmhosts wins bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        os level = 0
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = lb:, canton:
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

# (share header not preserved in the archived message)
        comment = Public Stuff
        path = /var/samba/public
        write list = "@Domain Server Admin"
        guest ok = Yes
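The comparison Tom made by eye above (which SID prefix each groupmap entry carries, and whether any entry belongs to the MEDITECH domain at all) can be automated. This is an added example, not code from the original post or from Samba; it parses the `net getdomainsid` and `net groupmap list` output quoted in the message, embedded here as constructed sample input, and assumes the usual reading that a gid of -1 means no Unix group is assigned.

```python
"""Classify `net groupmap list` entries by the domain whose SID prefixes them."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: copied from the post above, not live command output.
GETDOMAINSID_OUTPUT = """\
SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200
"""

GROUPMAP_OUTPUT = """\
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
Domain Guests (S-1-5-21-3074351591-431869502-3764789074-514) -> -1
Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
Replicators (S-1-5-32-552) -> -1
Administrators (S-1-5-32-544) -> -1
"""

# "SID for domain NAME is: S-1-5-21-a-b-c"
SID_LINE = re.compile(r"^SID for domain (\S+) is: (S-1-5-21(?:-\d+){3})$")
# "Group Name (S-1-5-...) -> gid"
MAP_LINE = re.compile(r"^(.*?) \((S-1-5-[\d-]+)\) -> (-?\d+)$")


def parse_domain_sids(text: str) -> Dict[str, str]:
    """Return {domain name: domain SID} from `net getdomainsid` output."""
    return {m.group(1): m.group(2)
            for m in map(SID_LINE.match, text.splitlines()) if m}


def classify_groupmap(text: str, sids: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Return (group name, owner, unix gid) for each mapping.

    owner is the domain whose SID prefixes the group SID, 'BUILTIN' for the
    S-1-5-32-* well-known aliases, or 'UNKNOWN' if no listed domain matches.
    """
    by_sid = {sid: name for name, sid in sids.items()}
    rows = []
    for m in filter(None, map(MAP_LINE.match, text.splitlines())):
        name, sid, gid = m.group(1), m.group(2), int(m.group(3))
        prefix = sid.rpartition("-")[0]          # strip the trailing RID
        owner = "BUILTIN" if sid.startswith("S-1-5-32-") else by_sid.get(prefix, "UNKNOWN")
        rows.append((name, owner, gid))
    return rows


def groups_mapped_for(domain: str, rows: List[Tuple[str, str, int]]) -> List[str]:
    """Names of groups from `domain` that actually have a Unix gid (gid != -1)."""
    return [name for name, owner, gid in rows if owner == domain and gid != -1]
```

Running `classify_groupmap(GROUPMAP_OUTPUT, parse_domain_sids(GETDOMAINSID_OUTPUT))` shows every S-1-5-21 entry owned by PINKFLOYD (the local machine SID), none by MEDITECH, and no entry for "Unix Admin" at all, which is the situation the post describes.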

