[Samba] PDC Question For Windows Clients

Barry L. Kline blkline at attglobal.net
Sat Jul 15 07:18:55 GMT 2006

zdennis wrote:

> Domain Admins (S-1-5-21-3040749549-2843134544-1782940832-512) -> Domain Admins
> Domain Users (S-1-5-21-3040749549-2843134544-1782940832-513) -> Domain Users
> Domain Guests (S-1-5-21-3040749549-2843134544-1782940832-514) -> Domain Guests
> Domain Computers (S-1-5-21-3040749549-2843134544-1782940832-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators


Well, it's fine for Windows to have a group called "Domain Admins" but
you need to have Unix groups where these can be mapped.

For example, my PDC returns the following:

Domain Admins (S-1-5-21-71265413-2685657396-3953940223-512) -> root
Domain Users (S-1-5-21-71265413-2685657396-3953940223-513) -> users
Domain Guests (S-1-5-21-71265413-2685657396-3953940223-514) -> nobody

You didn't mention (or I missed) what you're using for the password
backend (e.g. smbpasswd,  tdbsam or ldapsam) but you need to ensure that
you have Unix groups.  In John Terpstra's excellent "Samba-3 by Example"
he uses a script to do that, with the following commands:

net groupmap modify ntgroup="Domain Admins"      unixgroup=root
net groupmap modify ntgroup="Domain Users"       unixgroup=users
net groupmap modify ntgroup="Domain Guests"      unixgroup=nobody

You may want to ensure that you really do have groups called "Domain
Admins", "Domain Guests" and "Domain Computers", keeping in mind that
spaces in user/group names in Unix isn't recommended.


More information about the samba mailing list