[Samba] Checking effective group membership - Linux side

Michael Lueck mlueck at lueckdatasystems.com
Wed Mar 8 19:20:27 GMT 2006

First off, on the Windows side I use "ifmember.exe /list" to check the group membership in effect for the currently logged in domain user, works like a charm.

However, Linux side is another story, specifically the net command.

We have, among others, the following mapping in place:
net groupmap modify ntgroup="Domain Admins"  unixgroup=domadmin

Based on this documentation:
in the second "Note:" box...

You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned to an account. This capability is inherent to the Domain Admins group and is not 
configurable. There are no default rights and privileges, except the ability for a member of the Domain Admins group to assign them. This means that all administrative rights and privileges (other 
than the ability to assign them) must be explicitly assigned, even for the Domain Admins group.

So, after the groupmap command has been run, effectively anyone in the unixgroup domadmin should be considered "Domain Admins" by Samba commands.

Further, it would be my expectation that the ability to run "net rpc rights grant" has also been extended to members of unixgroup domadmin due to the group map.

However, this does not seem to be happening as of recent Samba builds. Running this command

net rpc rights grant mydomain\\myaccount SeMachineAccountPrivilege

does not execute consistently. Notice I do not spec an ID/pw, assumed is the account I logged in to Linux with over SSH (putty). If I go to the extreme (in the case that the command fails) to add root 
as a user via smbpasswd, specify root as the user on that command, THEN the thing works.

In general, I have a feeling like Samba is not totally happy with either looking up groups in /etc/group or does not like the groupmap linkage... just not sure how to debug it. Logging in to Windows 
with the account in question, "ifmember.exe /list" returns exactly the group membership I would expect to see, never an inconsistency with this.


Further, trying to grant rights to a unixgroup name always fails. Granting rights to user accounts works as expected, just not on a consistent basis.

Thus, I get the hint something is not quite 100% when on the Linux side about groups in /etc/group.

aaaahhhh.... I looked at Mr. Terpstra's example a bit further... even though for smb.conf I use "printer admin = @domadmin" (which is the unix name for the group) it seems I use the Samba group name, 
not the unix group name to grant the equiv permissions. oy oy oy!!! And for me, via putty, I had to use double quotes around the group name, single ticks did not succeed. Thus:

net rpc rights grant "mydomain\\Domain Admins" SePrintOperatorPrivilege

Anyway, time for "one more test Samba server" and interested to work out why accounts other than root are sometimes not able to grant rights.

Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.
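
Added example, not part of the original post and not Samba project code: a rough Linux-side counterpart to "ifmember.exe /list" that joins an account's unix groups with the groupmap to show which NT group names the account maps to. The function names, the sample SIDs and the sample group lists are constructed, and the "NT name (SID) -> unixgroup" layout of "net groupmap list" output is assumed.

```shell
#!/bin/sh
# Added example: map a user's unix groups to the NT groups that
# "net groupmap" associates with them. All sample data is constructed.

# Constructed sample in the layout assumed for "net groupmap list":
#   NT group name (SID) -> unix group
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmin
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domuser
Print Operators (S-1-5-32-550) -> lpadmin'

# Constructed sample of "id -Gn myaccount" output
SAMPLE_UNIX_GROUPS='myaccount domuser domadmin'

# effective_nt_groups GROUPMAP_TEXT UNIX_GROUPS   (hypothetical helper)
# Prints one NT group name per line for each mapping whose unix group
# appears in UNIX_GROUPS (space separated, as printed by "id -Gn").
effective_nt_groups() {
    printf '%s\n' "$1" | awk -v groups="$2" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
        {
            arrow = index($0, " -> ")          # separator before the unix group
            if (arrow == 0) next               # skip lines that are not mappings
            unixgroup = substr($0, arrow + 4)
            left = substr($0, 1, arrow - 1)    # "NT name (SID)"
            sub(/ \(S-[0-9-]+\)$/, "", left)   # drop the trailing SID
            if (unixgroup in member) print left
        }'
}

# is_effective_member NTGROUP GROUPMAP_TEXT UNIX_GROUPS   (hypothetical helper)
# Exit status 0 when NTGROUP is among the mapped groups.
is_effective_member() {
    effective_nt_groups "$2" "$3" | grep -Fxq -- "$1"
}

# On a live server (not run here):
#   effective_nt_groups "$(net groupmap list)" "$(id -Gn myaccount)"
effective_nt_groups "$SAMPLE_GROUPMAP" "$SAMPLE_UNIX_GROUPS"
```

The printed names are the Samba group names, which is the form the "net rpc rights grant" command above takes, rather than the unix names used in smb.conf.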
