[Samba] Duplicate group mappings - which ones to delete?

Paul Smith paul at gami.com
Mon Feb 26 19:37:10 GMT 2007

I'm not using pam-winbind, and all clients are Windows - either XP, 2000
or 2003.

When I search the domain for groups in Windows I do indeed get two
groups called "parts" and the "users" group also.

I've double-checked the unix users and they're all in the correct unix
groups.  Is there any danger in simply deleting the suspect mappings and
recreating them using something like:

net groupmap add ntgroup="Parts" unixgroup=parts type=d


-----Original Message-----
From: samba-bounces+paul=gami.com at lists.samba.org
[mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Gary
Sent: Monday, February 26, 2007 12:07 PM
Cc: samba at lists.samba.org
Subject: Re: [Samba] Duplicate group mappings - which ones to delete?

The ones pointing to -1 are not being used. However, there is no point 
in deleting them. They are standard Windows groups that are not mapped 
to Unix groups.

The two "parts" mappings each have a different SID. They are therefore 
not duplicates. Possibly you have two different "parts" groups in 
Windows somehow. You're going to have to track them down to find out how

they are being used. Do you have a Unix group called "parts"? If not, 
then the ones that refer to it are wrong.

The middle group, which maps "users" to "users" looks suspicious. You 
may notice that you already have a "Users" mapping for Windows.

However, it may be that you are using pam-winbind to authenticate Unix 
systems to your domain, in which case the two different "parts" and the 
"users" may be related to that.

I'm not an expert, but I hope this helps.

Paul Smith wrote:
> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as a
> for domain ADADOM.  I have a problem with duplicate group mappings and
> need to delete some, however, I don't know which one is being used.
> there a way I can find out which ones have no users assigned to them?
> Here's the sorted output of "net groupmap list".  The last three are
> issue.  I only need one "parts" mapping and I'm pretty sure I don't
> the "users" mapping:
> phoenix:~# net groupmap list
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) ->
> Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) ->
> Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users
> Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) ->
> accounting
> Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales
> Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) ->
> IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it
> Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) ->
> engineering
> parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts
> users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users
> parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts
> Thanks,
> Paul

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list