[Samba] domain group mapping in 3.0.23a issues
jmason at lim.com
Fri Aug 4 19:43:27 GMT 2006
Hey, I use the exact same Samba version as you... I'm waiting for the 3.0.23b or higher... but anyway...
In addition to net groupmap commands, you'll need to look at net rpc rights commands for any other-than-admin rights.
It seems Samba (and someone correct me if I'm wrong) does the Windows-compatible thing that RID 512 is the admin group... so use net groupmap add to associate the 512 RID to some unix-group. 513 is Domain Users, 514 is Domain Guests, and 515 is Domain Computers.
And then for basic rights, check these out:
for instance, this will list the rights that are supported:
[root at johnslinux ~ ] > net rpc -U root -S pdc rights list
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares
Then, to grant rights to a user (or a group):
net rpc -U root -S pdc rights grant "DOMAIN/USER_OR_GROUP" SeTakeOwnershipPrivilege ...
Then to revoke, use revoke in place of grant.
Hope this helps.
From: samba-bounces+jmason=lim.com at lists.samba.org on behalf of Chris
Sent: Fri 8/4/2006 1:24 PM
To: samba at lists.samba.org
Subject: [Samba] domain group mapping in 3.0.23a issues
How does one create all of the builtin groups for this release?
When using tdbsam with previous releases one would automatically get
such groups as:
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1832519723-2688400599-3493754984-512) ->
Domain Guests (S-1-5-21-1832519723-2688400599-3493754984-514) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> prtadmin
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-1832519723-2688400599-3493754984-513) -> agent
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
I can manually map groups such as:
Domain Admins (S-1-5-21-1043961623-2377510293-736199847-1001) -> domadm
Domain Guests (S-1-5-21-1043961623-2377510293-736199847-1003) -> nobody
Domain Users (S-1-5-21-1043961623-2377510293-736199847-1002) -> users
Print Operators (S-1-5-21-1043961623-2377510293-736199847-1004) ->
But for some reason members of the domadm group are not receiving admin
privileges when logging on.
Is the existence of "-1" groups necessary?
If so how does one create them?
If not, why might members of the domadm group (as in the second example)
not have admin privileges when logging onto the domain?
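A check for the RID point raised in the reply above, added here as an example and not part of the original thread: it reads `net groupmap list` output on stdin and reports whether Domain Admins, Domain Users, Domain Guests and Domain Computers are mapped at RIDs 512 to 515. The function names `check_groupmap` and `sample_groupmap` and the sample listing (including its SID) are constructed for illustration.

```shell
#!/bin/sh
# check_groupmap: compare the RID of each well-known domain group in
# `net groupmap list` output (stdin) with the RID named in the reply.
# Prints one OK / MISMATCH / MISSING line per group; exit status 1 on any problem.
check_groupmap() {
    awk '
    BEGIN {
        bad = 0
        want["Domain Admins"] = 512; want["Domain Users"] = 513
        want["Domain Guests"] = 514; want["Domain Computers"] = 515
    }
    # Domain group lines look like: Name (S-1-5-21-a-b-c-RID) -> unixgroup
    # Builtin groups (S-1-5-32-...) do not match and are skipped.
    match($0, /\(S-1-5-21-[0-9-]+\)/) {
        name = substr($0, 1, RSTART - 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        if (!(name in want)) next
        sid = substr($0, RSTART + 1, RLENGTH - 2)
        n = split(sid, part, "-")
        rid = part[n] + 0          # last SID component is the RID
        seen[name] = 1
        if (rid == want[name]) {
            printf "OK %s rid=%d\n", name, rid
        } else {
            printf "MISMATCH %s rid=%d expected=%d\n", name, rid, want[name]
            bad = 1
        }
    }
    END {
        for (g in want) if (!(g in seen)) {
            printf "MISSING %s expected=%d\n", g, want[g]
            bad = 1
        }
        exit bad
    }'
}

# Constructed sample shaped like the manual mapping in the question:
# Domain Admins sits at RID 1001 instead of 512.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-1001) -> domadm
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nobody
Administrators (S-1-5-32-544) -> -1
EOF
}

sample_groupmap | check_groupmap || echo "group map needs attention"
```

On a live PDC the input would be piped from `net groupmap list` instead of the sample function.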