[Samba] Security = ADS and 3.0.23 Upgrade

Gerald (Jerry) Carter jerry at samba.org
Wed Jul 19 22:04:31 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(added the list back to CC)

Dale Schroeder wrote:

> I've attached the screenshots, but I think my
> confusion was expecting the pdc to display the FQDN
> from its DNS records for the samba system,
> not the hosts file on the samba system.

I will almost guarantee that you have host a
broken /etc/hosts  on you Samba box.  The machine's
hostname should not be listed in the 127.0.0.1 line.
This will also break Krb5 authentication.

Fix this on the Unix box and rejoin the domain.
Should be fine.

>> This is correct behavior.  net groupmap lists local
>> mappings and has nothing to do with domain groups
>> managed by Winbind.
>>
> The reason I questioned this at all is because the
> following is my 'net groupmap list' output on a 3.0.22
> system showing all the standard domain groups listed
> on the pdc:
>
> System Operators (S-1-5-32-549) -> -1
...
> Here is the output on the 3.0.23 system:
>
> Administrators (S-1-5-32-544) -> BUILTIN+administrators
> Users (S-1-5-32-545) -> BUILTIN+users

This is correct output.  A -1 gid entry was an the indication
of an unmapped SID so we just cleaned them out.  The local
Administrators and Users groups is used for authorization
purpose.  For example,

$ net sam listmem Administrators
BUILTIN\Administrators has 3 members
 COLOR\Centeris Admins
 SUSE10\root
 COLOR\Domain Admins

Then we can simplem check internally for membership
in Administrators to do things like manage services
or grant privileges.





cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEvqxvIR7qMdg1EfYRAlhlAKCnIL1nmZ2T8esuoXjZ11PD69nJPACfSXGY
TxpQfsJaWFhHq6VvVHowCnI=
=514r
-----END PGP SIGNATURE-----


More information about the samba mailing list