[Samba] Problem with duplicated groups?

Victor Medina vittico at gmail.com
Wed Dec 13 13:20:20 GMT 2006


Joel, 

you should do a vampire before starting samba. 

When you start samba for the first time, it will create all built-in
groups by default and will map them to "-1". If you do vampire, it will
import all groups predefined in the windows host, that's why you have
duplicated entries, one corresponding to samba's original init and the
ones you imported from the windows server. 

You can try by deleting everything under /var/lib/samba (backup first,
shut down samba servers) and do a vampire, then start samba servers
again. Try a "net groupmap list". 

Everything should be OK by now. :-)

Best Regards

Victor.


On Tue, 12-12-2006 at 14:04 -0400, Joel Rosental R. wrote:
> Hello, I have some problems migrating a Windows 2000 PDC to a Debian
> GNU/Linux Samba Server. I want to migrate it to an LDAP backend, but as
> I'm kind of a newbie with LDAP and Samba migration stuff, I preferred to
> migrate it to tdbsam first and try it for a while; if everything works
> fine, then switch to an LDAP backend.
> 
> The problem is that Essential Windows Groups are automatically created,
> so with a "fresh" Samba installation and the smb.conf I gave you above,
> this is the output that "net groupmap list" gives me:
> 
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Admins (S-1-5-21-2530314572-2208144836-3936822875-512) -> -1
> Domain Guests (S-1-5-21-2530314572-2208144836-3936822875-514) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-2530314572-2208144836-3936822875-513) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> 
> Ok, according to the official documentation this is "normal" because I'm
> using tdbsam.
> 
> After that, I map all those Windows groups to UNIX equivalents via a
> script like this:
> 
> #!/bin/bash
> 
> # Create the UNIX groups that the Windows groups will be mapped to
> groupadd ntadmin
> groupadd domkrbtgt
> groupadd domcomp
> groupadd domcontr
> groupadd certadmin
> groupadd schemadmin
> groupadd enterpadmin
> groupadd poladmin
> 
> groupadd foo
> groupadd bar
> 
> ### Mapping Windows Groups
> 
> # The built-in mappings already exist (pointing at -1), so they are
> # modified; the other well-known domain groups have to be added with
> # their fixed RIDs.
> net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin type=d
> net groupmap modify ntgroup="Domain Users" unixgroup=users type=d
> net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup type=d
> #net groupmap add ntgroup="Domain KRBTGT" unixgroup=domkrbtgt rid=502 type=d
> net groupmap add ntgroup="Domain Computers" unixgroup=domcomp rid=515 type=d
> net groupmap add ntgroup="Domain Controllers" unixgroup=domcontr rid=516 type=d
> net groupmap add ntgroup="Certificate Admins" unixgroup=certadmin rid=517 type=d
> net groupmap add ntgroup="Schema Admins" unixgroup=schemadmin rid=518 type=d
> net groupmap add ntgroup="Enterprise Admins" unixgroup=enterpadmin rid=519 type=d
> net groupmap add ntgroup="Policy Admins" unixgroup=poladmin rid=520 type=d
> net groupmap modify ntgroup="Administrators" unixgroup=root
> net groupmap modify ntgroup="Users" unixgroup=users
> net groupmap modify ntgroup="Guests" unixgroup=nogroup
> net groupmap modify ntgroup="Power Users" unixgroup=root
> net groupmap modify ntgroup="Account Operators" unixgroup=sys
> net groupmap modify ntgroup="System Operators" unixgroup=bin
> net groupmap modify ntgroup="Print Operators" unixgroup=lp
> net groupmap modify ntgroup="Backup Operators" unixgroup=daemon
> net groupmap modify ntgroup="Replicators" unixgroup=sys
> 
> ## Here I begin with my own groups
> 
> net groupmap add ntgroup="Foo" unixgroup=foo type=d
> net groupmap add ntgroup="Bar" unixgroup=bar type=d
> 
> Here is the result:
> 
> System Operators (S-1-5-32-549) -> bin
> Sistemas (S-1-5-21-1085031214-299502267-1801674531-11041) -> sistemas
> Replicators (S-1-5-32-552) -> sys
> Guests (S-1-5-32-546) -> nogroup
> Presupuesto (S-1-5-21-1085031214-299502267-1801674531-11035) -> presupuesto
> Documanager (S-1-5-21-1085031214-299502267-1801674531-11029) -> documanager
> Consulta en Sala (S-1-5-21-1085031214-299502267-1801674531-11023) -> consultasala
> Soporte Tecnico (S-1-5-21-1085031214-299502267-1801674531-11043) -> soportetec
> SAI (S-1-5-21-1085031214-299502267-1801674531-11037) -> sai
> Domain Users (S-1-5-21-1085031214-299502267-1801674531-513) -> users
> Power Users (S-1-5-32-547) -> root
> Domain Computers (S-1-5-21-1085031214-299502267-1801674531-515) -> domcomp
> Domain Admins (S-1-5-21-1085031214-299502267-1801674531-512) -> ntadmin
> Domain Guests (S-1-5-21-1085031214-299502267-1801674531-514) -> nogroup
> Domain Controllers (S-1-5-21-1085031214-299502267-1801674531-516) -> domcontr
> Nomina (S-1-5-21-1085031214-299502267-1801674531-11031) -> nomina
> Print Operators (S-1-5-32-550) -> lp
> Administrators (S-1-5-32-544) -> root
> Schema Admins (S-1-5-21-1085031214-299502267-1801674531-518) -> schemadmin
> Contabilidad (S-1-5-21-1085031214-299502267-1801674531-11025) -> contabilidad
> Certificate Admins (S-1-5-21-1085031214-299502267-1801674531-517) -> certadmin
> Enterprise Admins (S-1-5-21-1085031214-299502267-1801674531-519) -> enterpadmin
> Policy Admins (S-1-5-21-1085031214-299502267-1801674531-520) -> poladmin
> Account Operators (S-1-5-32-548) -> sys
> Sala Telematica (S-1-5-21-1085031214-299502267-1801674531-11039) -> stelematica
> Asistencia (S-1-5-21-1085031214-299502267-1801674531-11019) -> asistencia
> Postgrado (S-1-5-21-1085031214-299502267-1801674531-11033) -> postgrado
> Backup Operators (S-1-5-32-551) -> daemon
> Users (S-1-5-32-545) -> users
> Control de Estudios (S-1-5-21-1085031214-299502267-1801674531-11027) -> ctrlestudios
> Bienes Nacionales (S-1-5-21-1085031214-299502267-1801674531-11021) -> bienesn
> 
> Ok, up to here apparently everything worked fine.
> 
> I do: 
> 
> 1)	net rpc getsid -S WINPDC -U Administrator
> 2)	net rpc join -S WINPDC -U Administrator
> 
> Here is the problem itself: net rpc vampire -S WINPDC -U Administrator
> 
> [...] it begins to suck account and group information from the Windows PDC
> 
> and after vampire ends, if I do a net groupmap list, here is what I get:
> 
> prueba:/etc/samba# net groupmap list
> Server Operators (S-1-5-32-549) -> bin
> Foo (S-1-5-21-1085031214-299502267-1801674531-1428) -> Foo
> Sistemas (S-1-5-21-1085031214-299502267-1801674531-11041) -> sistemas
> Replicator (S-1-5-32-552) -> sys
> Guests (S-1-5-32-546) -> nogroup
> Foo (S-1-5-21-1085031214-299502267-1801674531-11035) -> foo
> Bar (S-1-5-21-1085031214-299502267-1801674531-11029) -> bar
> Domain Users (S-1-5-21-1085031214-299502267-1801674531-513) -> users
> Power Users (S-1-5-32-547) -> root
> Domain Computers (S-1-5-21-1085031214-299502267-1801674531-515) -> domcomp
> Domain Admins (S-1-5-21-1085031214-299502267-1801674531-512) -> ntadmin
> Domain Guests (S-1-5-21-1085031214-299502267-1801674531-514) -> nogroup
> Domain Controllers (S-1-5-21-1085031214-299502267-1801674531-516) -> domcontr
> Print Operators (S-1-5-32-550) -> lp
> Administrators (S-1-5-32-544) -> root
> Schema Admins (S-1-5-21-1085031214-299502267-1801674531-518) -> schemadmin
> Cert Publishers (S-1-5-21-1085031214-299502267-1801674531-517) -> certadmin
> Enterprise Admins (S-1-5-21-1085031214-299502267-1801674531-519) -> enterpadmin
> Account Operators (S-1-5-32-548) -> sys
> Group Policy Creator Owners (S-1-5-21-1085031214-299502267-1801674531-520) -> poladmin
> Backup Operators (S-1-5-32-551) -> daemon
> Users (S-1-5-32-545) -> users
> Bar (S-1-5-21-1085031214-299502267-1801674531-1416) -> Bar
> 
> As you see, this time the groups Foo and Bar are duplicated, and sometimes
> groups like "Domain Admins" or others get duplicated too!
> 
> This is my smb.conf:
> 
> [global]
>         workgroup = MYDOMAIN
>         netbios name = PDCPRUEBA
>         server string = Samba Server
>         map to guest = Bad User
>         passdb backend = tdbsam
>         pam password change = Yes
>         passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n *Password*changed*
>         security = user
>         passwd program = /usr/bin/passwd %u
>         username map = /etc/samba/smbusers
>         unix password sync = Yes
>         name resolve order = wins lmhosts bcast hosts
>         time server = Yes
>         printcap cache time = 750
>         printcap name = cups
>         add user script = /usr/sbin/useradd -m %u
>         delete user script = /usr/sbin/userdel -r %u
>         add group script = /usr/sbin/groupadd %g
>         delete group script = /usr/sbin/groupdel %g
>         add user to group script = /usr/sbin/usermod -G %g %u
>         add machine script = /usr/sbin/useradd -s /bin/false %u
>         add share command = /usr/share/doc/samba-doc/examples/scripts/perl/modify_samba_config.pl
>         delete share command = /usr/share/doc/samba-doc/examples/scripts/perl/modify_samba_config.pl
>         logon script = scripts\logon.bat
>         logon path =
>         logon drive = H:
>         logon home = \\%L\%U\.9xprofile
>         domain logons = Yes
>         os level = 65
>         preferred master = Yes
>         domain master = No
>         wins support = yes
> ;       remote announce = 192.168.101.255
> ;       remote browse sync = 192.168.101.255
>         printer admin = @ntadmin, root, administrator
>         force unknown acl user = yes
>         enable privileges = true
>         log level = 4
> 
> [homes]
>         comment = Home Directories
>         valid users = %S
>         read only = No
>         inherit permissions = Yes
>         browseable = No
> 
> [profiles]
>         comment = Network Profiles Service
>         path = %H
>         read only = No
>         create mask = 0600
>         directory mask = 0700
>         store dos attributes = Yes
> 
> [users]
>         comment = All users
>         path = /home
>         read only = No
>         inherit permissions = Yes
>         veto files = /aquota.user/groups/shares/
> 
> [groups]
>         comment = All groups
>         path = /home/groups
>         read only = No
>         inherit permissions = Yes
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printer admin = root, @ntadmins
>         guest ok = Yes
>         printable = Yes
>         browseable = No
> 
> [netlogon]
>         path = /var/lib/samba/netlogon
>         read only = No
>         guest ok = Yes
> 
> Does anyone have an idea what I can do to avoid this situation?
> 
> -- 
> Sincerely,
> 
> Joel Rosental R.        -       <joel.rosental at iaesp.edu.ve>
> Technology Advisor.
> Directorate of Technology Management.
> GPG Key Fingerprint = 9574 CF16 AE60 D57A E514 DC84 F404 1D40
> 
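As an added illustration of the check Victor suggests ("Try a net groupmap list"), here is a small POSIX shell script that is not part of the thread: it reads `net groupmap list` output and flags the two symptoms discussed above, built-in groups still mapped to -1 and NT group names present under more than one SID. The sample input is constructed from lines quoted in the thread, and the script assumes the one-entry-per-line format shown there and a `mktemp` binary for the live check.

```shell
#!/bin/sh
# Constructed sample of `net groupmap list` output, assembled from lines
# quoted in this thread: one builtin still at -1, and Foo/Bar each present
# under two SIDs (the pre-vampire mapping plus the one vampire imported).
SAMPLE_GROUPMAP='System Operators (S-1-5-32-549) -> -1
Foo (S-1-5-21-1085031214-299502267-1801674531-1428) -> Foo
Guests (S-1-5-32-546) -> nogroup
Foo (S-1-5-21-1085031214-299502267-1801674531-11035) -> foo
Bar (S-1-5-21-1085031214-299502267-1801674531-11029) -> bar
Domain Users (S-1-5-21-1085031214-299502267-1801674531-513) -> users
Bar (S-1-5-21-1085031214-299502267-1801674531-1416) -> Bar'

# Each groupmap line has the shape:  NAME (SID) -> UNIXGROUP
# Strip everything from the SID onward, leaving only the NT group name.
groupmap_names() {
    sed -n 's/^\(.*\) (S-1-5-[0-9-]*) -> .*$/\1/p'
}

# NT names that occur under more than one SID: the duplicates Joel reported.
groupmap_duplicates() {
    groupmap_names | LC_ALL=C sort | uniq -d
}

# Entries whose unix group is still -1: builtins created by samba's first
# start that were never mapped (or not cleared before the vampire run).
groupmap_unmapped() {
    sed -n 's/^\(.*\) (S-1-5-[0-9-]*) -> -1$/\1/p'
}

# Number of mapping entries for one NT group name (0 when absent).
groupmap_count() {
    grep -c "^$1 (S-1-5-" || true
}

# Report on a real server; only useful where samba's `net` tool is installed.
groupmap_report() {
    tmp=$(mktemp) || return 1
    net groupmap list > "$tmp" || { rm -f "$tmp"; return 1; }
    echo "duplicated NT groups:"; groupmap_duplicates < "$tmp"
    echo "still mapped to -1:";   groupmap_unmapped   < "$tmp"
    rm -f "$tmp"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GROUPMAP" | groupmap_duplicates   # prints: Bar, Foo
printf '%s\n' "$SAMPLE_GROUPMAP" | groupmap_unmapped     # prints: System Operators
```

Run `groupmap_report` on the server after the vampire step to confirm the list is clean before starting the Samba daemons.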
