[Samba] domain group mapping in 3.0.23a issues

John Mason jmason at lim.com
Fri Aug 4 19:43:27 GMT 2006

Hey, I use the exact same Samba version as you... I'm waiting for 3.0.23b or higher... but anyway...

In addition to net groupmap commands, you'll need to look at net rpc rights commands for any other-than-admin rights.
It seems Samba (and someone correct me if I'm wrong) does the Windows-compatible thing that RID 512 is the admin group, so use net groupmap add to associate the 512 RID to some unix group. 513 is Domain Users, 514 is Domain Guests, and 515 is Domain Computers.

And then for basic rights, check these out:
for instance, this will list the rights that are supported:

[root at johnslinux ~ ] > net rpc -U root -S pdc rights list
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares

Then, to grant rights to a user (or a group):
net rpc -U root -S pdc rights grant "DOMAIN/USER_OR_GROUP" SeTakeOwnershipPrivilege ...

Then to revoke, use revoke in place of grant.

Hope this helps.

-----Original Message-----
From: samba-bounces+jmason=lim.com at lists.samba.org on behalf of Chris
Sent: Fri 8/4/2006 1:24 PM
To: samba at lists.samba.org
Subject: [Samba] domain group mapping in 3.0.23a issues
How does one create all of the builtin groups for this release?

When using tdbsam with previous releases one would automatically get 
such groups as:

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1832519723-2688400599-3493754984-512) -> 
Domain Guests (S-1-5-21-1832519723-2688400599-3493754984-514) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> prtadmin
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-1832519723-2688400599-3493754984-513) -> agent
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

I can manually map groups such as:

Domain Admins (S-1-5-21-1043961623-2377510293-736199847-1001) -> domadm
Domain Guests (S-1-5-21-1043961623-2377510293-736199847-1003) -> nobody
Domain Users (S-1-5-21-1043961623-2377510293-736199847-1002) -> users
Print Operators (S-1-5-21-1043961623-2377510293-736199847-1004) -> 

But for some reason members of the domadm group are not receiving admin 
privileges when logging on.

Is the existence of "-1" groups necessary?
If so how does one create them?
If not, why might members of the domadm group (as in the second example) 
not have admin privileges when logging onto the domain?
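As an added illustration (not from either poster), this Python script audits `net groupmap list` output for the mistake visible in the second listing above: groups carrying the well-known names but arbitrary RIDs (1001 instead of 512, and so on), which Windows will not treat as the real Domain Admins / Domain Users / Domain Guests. The sample lines are constructed from the listings quoted in the thread; the RID table is the one John gives.

```python
import re

# Well-known domain RIDs that Windows (and Samba) identify by number, not by name.
WELL_KNOWN_DOMAIN_RIDS = {
    "Domain Admins": 512,
    "Domain Users": 513,
    "Domain Guests": 514,
    "Domain Computers": 515,
}

# Constructed sample in the format of `net groupmap list`, taken from the
# thread: "Domain Admins" etc. were mapped with RIDs 1001-1004 instead of 512-514.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-1043961623-2377510293-736199847-1001) -> domadm
Domain Guests (S-1-5-21-1043961623-2377510293-736199847-1003) -> nobody
Domain Users (S-1-5-21-1043961623-2377510293-736199847-1002) -> users
Print Operators (S-1-5-21-1043961623-2377510293-736199847-1004) ->
Administrators (S-1-5-32-544) -> -1
"""

# name (SID) -> unixgroup ; unix group may be empty or "-1" when unmapped
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5(?:-\d+)+)\) ->\s*(?P<unix>.*)$")


def parse_groupmap(text):
    """Parse groupmap lines into dicts with name, sid, domain_sid, rid, unix."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a mapping line
        parts = m.group("sid").split("-")
        entries.append({
            "name": m.group("name"),
            "sid": m.group("sid"),
            "domain_sid": "-".join(parts[:-1]),  # everything before the RID
            "rid": int(parts[-1]),               # relative identifier
            "unix": m.group("unix").strip(),
        })
    return entries


def audit_groupmap(entries):
    """Return a list of findings: wrong RID for a well-known name, or no unix group."""
    findings = []
    for e in entries:
        expected = WELL_KNOWN_DOMAIN_RIDS.get(e["name"])
        if expected is not None and e["rid"] != expected:
            findings.append(f"{e['name']}: RID {e['rid']} is not the well-known RID "
                            f"{expected}; members will not get that group's rights")
        if e["unix"] in ("", "-1"):
            findings.append(f"{e['name']} (RID {e['rid']}): no unix group mapped")
    return findings
```

Running `audit_groupmap(parse_groupmap(SAMPLE_GROUPMAP))` on the constructed listing flags all three domain groups for their RIDs plus the two unmapped entries; a mapping such as `Domain Admins (S-1-5-21-...-512) -> domadm` produces no finding.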

