[Samba] Problem with duplicated groups?
Joel Rosental R.
joel.rosental at iaesp.edu.ve
Tue Dec 12 18:04:14 GMT 2006
Hello, I have some problems migrating a Windows 2000 PDC to a Debian
GNU/Linux Samba server. I want to migrate it to an LDAP backend, but as
I'm kind of a newbie with LDAP and Samba migration stuff, I preferred to
migrate it to tdbsam first and try it for a while; if everything works
fine, then switch to an LDAP backend.
The problem is that the essential Windows groups are automatically created,
so with a "fresh" Samba installation and the smb.conf I put above,
this is the output that "net groupmap list" gives me:
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-2530314572-2208144836-3936822875-512) -> -1
Domain Guests (S-1-5-21-2530314572-2208144836-3936822875-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-2530314572-2208144836-3936822875-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
OK, according to the official documentation this is "normal" because I'm
using tdbsam.
After that, I map all those Windows groups to UNIX equivalents via a
script like this:
#!/bin/bash
# Create the UNIX groups that the Windows groups will be mapped onto
groupadd ntadmin
groupadd domkrbtgt
groupadd domcomp
groupadd domcontr
groupadd certadmin
groupadd schemadmin
groupadd enterpadmin
groupadd poladmin
groupadd foo
groupadd bar
### Mapping Windows Groups
# Domain groups that tdbsam already created: change their UNIX target
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin type=d
net groupmap modify ntgroup="Domain Users" unixgroup=users type=d
net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup type=d
# Domain groups that do not exist yet: add them with their well-known RID
#net groupmap add ntgroup="Domain KRBTGT" unixgroup=domkrbtgt rid=502 type=d
net groupmap add ntgroup="Domain Computers" unixgroup=domcomp rid=515 type=d
net groupmap add ntgroup="Domain Controllers" unixgroup=domcontr rid=516 type=d
net groupmap add ntgroup="Certificate Admins" unixgroup=certadmin rid=517 type=d
net groupmap add ntgroup="Schema Admins" unixgroup=schemadmin rid=518 type=d
net groupmap add ntgroup="Enterprise Admins" unixgroup=enterpadmin rid=519 type=d
net groupmap add ntgroup="Policy Admins" unixgroup=poladmin rid=520 type=d
# Built-in (S-1-5-32) groups: change their UNIX target
net groupmap modify ntgroup="Administrators" unixgroup=root
net groupmap modify ntgroup="Users" unixgroup=users
net groupmap modify ntgroup="Guests" unixgroup=nogroup
net groupmap modify ntgroup="Power Users" unixgroup=root
net groupmap modify ntgroup="Account Operators" unixgroup=sys
net groupmap modify ntgroup="System Operators" unixgroup=bin
net groupmap modify ntgroup="Print Operators" unixgroup=lp
net groupmap modify ntgroup="Backup Operators" unixgroup=daemon
net groupmap modify ntgroup="Replicators" unixgroup=sys
## Here I begin with my own groups
net groupmap add ntgroup="Foo" unixgroup=foo type=d
net groupmap add ntgroup="Bar" unixgroup=bar type=d
Here is the result:
System Operators (S-1-5-32-549) -> bin
Sistemas (S-1-5-21-1085031214-299502267-1801674531-11041) -> sistemas
Replicators (S-1-5-32-552) -> sys
Guests (S-1-5-32-546) -> nogroup
Presupuesto (S-1-5-21-1085031214-299502267-1801674531-11035) -> presupuesto
Documanager (S-1-5-21-1085031214-299502267-1801674531-11029) -> documanager
Consulta en Sala (S-1-5-21-1085031214-299502267-1801674531-11023) -> consultasala
Soporte Tecnico (S-1-5-21-1085031214-299502267-1801674531-11043) -> soportetec
SAI (S-1-5-21-1085031214-299502267-1801674531-11037) -> sai
Domain Users (S-1-5-21-1085031214-299502267-1801674531-513) -> users
Power Users (S-1-5-32-547) -> root
Domain Computers (S-1-5-21-1085031214-299502267-1801674531-515) -> domcomp
Domain Admins (S-1-5-21-1085031214-299502267-1801674531-512) -> ntadmin
Domain Guests (S-1-5-21-1085031214-299502267-1801674531-514) -> nogroup
Domain Controllers (S-1-5-21-1085031214-299502267-1801674531-516) -> domcontr
Nomina (S-1-5-21-1085031214-299502267-1801674531-11031) -> nomina
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> root
Schema Admins (S-1-5-21-1085031214-299502267-1801674531-518) -> schemadmin
Contabilidad (S-1-5-21-1085031214-299502267-1801674531-11025) -> contabilidad
Certificate Admins (S-1-5-21-1085031214-299502267-1801674531-517) -> certadmin
Enterprise Admins (S-1-5-21-1085031214-299502267-1801674531-519) -> enterpadmin
Policy Admins (S-1-5-21-1085031214-299502267-1801674531-520) -> poladmin
Account Operators (S-1-5-32-548) -> sys
Sala Telematica (S-1-5-21-1085031214-299502267-1801674531-11039) -> stelematica
Asistencia (S-1-5-21-1085031214-299502267-1801674531-11019) -> asistencia
Postgrado (S-1-5-21-1085031214-299502267-1801674531-11033) -> postgrado
Backup Operators (S-1-5-32-551) -> daemon
Users (S-1-5-32-545) -> users
Control de Estudios (S-1-5-21-1085031214-299502267-1801674531-11027) -> ctrlestudios
Bienes Nacionales (S-1-5-21-1085031214-299502267-1801674531-11021) -> bienesn
OK, up to here everything apparently works fine.
I do:
1) net rpc getsid -S WINPDC -U Administrator
2) net rpc join -S WINPDC -U Administrator
Here is the problem itself: net rpc vampire -S WINPDC -U Administrator
[...] it begins to suck account and group information from the Windows PDC,
and after vampire ends, if I do a net groupmap list, here it is:
prueba:/etc/samba# net groupmap list
Server Operators (S-1-5-32-549) -> bin
Foo (S-1-5-21-1085031214-299502267-1801674531-1428) -> Foo
Sistemas (S-1-5-21-1085031214-299502267-1801674531-11041) -> sistemas
Replicator (S-1-5-32-552) -> sys
Guests (S-1-5-32-546) -> nogroup
Foo (S-1-5-21-1085031214-299502267-1801674531-11035) -> foo
Bar (S-1-5-21-1085031214-299502267-1801674531-11029) -> bar
Domain Users (S-1-5-21-1085031214-299502267-1801674531-513) -> users
Power Users (S-1-5-32-547) -> root
Domain Computers (S-1-5-21-1085031214-299502267-1801674531-515) -> domcomp
Domain Admins (S-1-5-21-1085031214-299502267-1801674531-512) -> ntadmin
Domain Guests (S-1-5-21-1085031214-299502267-1801674531-514) -> nogroup
Domain Controllers (S-1-5-21-1085031214-299502267-1801674531-516) -> domcontr
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> root
Schema Admins (S-1-5-21-1085031214-299502267-1801674531-518) -> schemadmin
Cert Publishers (S-1-5-21-1085031214-299502267-1801674531-517) -> certadmin
Enterprise Admins (S-1-5-21-1085031214-299502267-1801674531-519) -> enterpadmin
Account Operators (S-1-5-32-548) -> sys
Group Policy Creator Owners (S-1-5-21-1085031214-299502267-1801674531-520) -> poladmin
Backup Operators (S-1-5-32-551) -> daemon
Users (S-1-5-32-545) -> users
Bar (S-1-5-21-1085031214-299502267-1801674531-1416) -> Bar
As you see, this time the groups Foo and Bar are duplicated, and sometimes
groups like "Domain Admins" or others get duplicated too!
This is my smb.conf:
[global]
workgroup = MYDOMAIN
netbios name = PDCPRUEBA
server string = Samba Server
map to guest = Bad User
passdb backend = tdbsam
pam password change = Yes
passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n
*Password*changed*
security = user
passwd program = /usr/bin/passwd %u
username map = /etc/samba/smbusers
unix password sync = Yes
name resolve order = wins lmhosts bcast hosts
time server = Yes
printcap cache time = 750
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false %u
add share command = /usr/share/doc/samba-doc/examples/scripts/perl/modify_samba_config.pl
delete share command = /usr/share/doc/samba-doc/examples/scripts/perl/modify_samba_config.pl
logon script = scripts\logon.bat
logon path =
logon drive = H:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 65
preferred master = Yes
domain master = No
wins support = yes
; remote announce = 192.168.101.255
; remote browse sync = 192.168.101.255
printer admin = @ntadmin, root, administrator
force unknown acl user = yes
enable privileges = true
log level = 4
[homes]
comment = Home Directories
valid users = %S
read only = No
inherit permissions = Yes
browseable = No
[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
[users]
comment = All users
path = /home
read only = No
inherit permissions = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit permissions = Yes
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root, @ntadmins
guest ok = Yes
printable = Yes
browseable = No
[netlogon]
path = /var/lib/samba/netlogon
read only = No
guest ok = Yes
Does anyone have an idea what I can do to avoid this situation?
--
Sincerely,
Joel Rosental R. - <joel.rosental at iaesp.edu.ve>
Technology Advisor.
Technology Management Directorate.
GPG Key Fingerprint = 9574 CF16 AE60 D57A E514 DC84 F404 1D40
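A check worth running on each of the listings above, before and after `net rpc vampire`, added here as an example that is not part of the original post and not Samba's own tooling: a small Python script that parses the "NT group (SID) -> unixgroup" shape that `net groupmap list` prints and flags the conditions this thread is about: the same NT name present under two different SIDs (the Foo/Bar case), entries whose domain SID differs from the one you pass in (the post's listings show two different domain SIDs), entries still mapped to -1, and NT groups whose members land in a privileged UNIX group such as root (Power Users and Administrators are both mapped to root in the script above). The sample listing, the `LOCAL_DOMAIN_SID` constant and all function names are constructed for this example.

```python
"""Sanity checks over `net groupmap list` output.

Added example (not from the original post or from Samba): it parses the
listing shape "NT group (SID) -> unixgroup" and reports duplicate NT names,
entries carrying a domain SID other than the one given, unmapped entries
(-1) and mappings onto privileged UNIX groups.
"""
import re
from collections import defaultdict

# One line of `net groupmap list`: "<NT name> (<SID>) -> <unix group | -1>"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")

BUILTIN_DOMAIN = "S-1-5-32"  # well-known BUILTIN domain (Administrators, Users, ...)

# Constructed sample modelled on the listings in the post; the two domain
# SIDs are the ones that appear there. LOCAL_DOMAIN_SID is an assumption.
LOCAL_DOMAIN_SID = "S-1-5-21-1085031214-299502267-1801674531"
SAMPLE = """\
Foo (S-1-5-21-1085031214-299502267-1801674531-1428) -> Foo
Foo (S-1-5-21-1085031214-299502267-1801674531-11035) -> foo
Bar (S-1-5-21-1085031214-299502267-1801674531-11029) -> bar
Domain Admins (S-1-5-21-1085031214-299502267-1801674531-512) -> ntadmin
Power Users (S-1-5-32-547) -> root
Administrators (S-1-5-32-544) -> root
Replicators (S-1-5-32-552) -> -1
Domain Users (S-1-5-21-2530314572-2208144836-3936822875-513) -> users
"""


def parse_groupmap(text):
    """Return one dict per mapping line; raise on anything that does not parse."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable groupmap line: {line!r}")
        domain, rid = m["sid"].rsplit("-", 1)
        entries.append({"name": m["name"], "sid": m["sid"], "domain": domain,
                        "rid": int(rid), "unix": m["unix"]})
    return entries


def find_duplicate_names(entries):
    """NT names that appear under more than one SID (compared case-insensitively)."""
    sids_by_name = defaultdict(list)
    for e in entries:
        sids_by_name[e["name"].lower()].append(e["sid"])
    return {name: sids for name, sids in sids_by_name.items() if len(sids) > 1}


def find_foreign_domain_entries(entries, local_domain_sid):
    """Mappings whose SID belongs to neither the local domain nor BUILTIN."""
    return [e for e in entries if e["domain"] not in (local_domain_sid, BUILTIN_DOMAIN)]


def find_unmapped(entries):
    """Entries still pointing at gid -1 (no UNIX group assigned)."""
    return [e for e in entries if e["unix"] == "-1"]


def find_privileged_targets(entries, privileged=("root",)):
    """NT groups whose members end up in a privileged UNIX group."""
    return [e for e in entries if e["unix"] in privileged]


def report(text, local_domain_sid):
    """Human-readable findings for one listing; an empty list means nothing flagged."""
    entries = parse_groupmap(text)
    lines = []
    for name, sids in find_duplicate_names(entries).items():
        lines.append(f"duplicate NT name {name!r}: {', '.join(sids)}")
    for e in find_foreign_domain_entries(entries, local_domain_sid):
        lines.append(f"foreign domain SID on {e['name']!r}: {e['sid']}")
    for e in find_unmapped(entries):
        lines.append(f"unmapped: {e['name']!r} ({e['sid']})")
    for e in find_privileged_targets(entries):
        lines.append(f"privileged UNIX target: {e['name']!r} -> {e['unix']}")
    return lines


if __name__ == "__main__":
    # Pipe real output in with:  net groupmap list | python3 groupmap_check.py
    # With no piped input the constructed SAMPLE is checked instead.
    import sys
    source = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in report(source, LOCAL_DOMAIN_SID):
        print(finding)
```

Run against the sample it reports the duplicated Foo, the one entry under the other domain SID, the unmapped Replicators entry and the two groups mapped to root; a clean listing returns an empty report. Comparing the report from before and after vampire shows exactly which entries the import added a second time.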