[Samba] Duplicate group mappings - which ones to delete?

Gary Dale garydale at torfree.net
Mon Feb 26 20:24:21 GMT 2007


Yes there is a danger. The groups each have a unique SID. If you look on 
an XP workstation, you'll see that local file ACLs use the SID, not the 
group name. The workstation does a lookup to the Domain Controller to 
get the name associated with the SID. If you simply delete the group, 
the lookup will fail and all you'll see is the SID. Moreover, people who 
relied on that mapping will find their access is denied.

You can try changing all the affected ACLs first to use the correct 
SIDs. This may be easier if you rename one of the Windows parts groups 
first (without changing the SID).

The users group you may be able to deal with directly. Change all the 
instances on Windows to Users. You may have to do some group browsing to 
get the correct one - I don't know if Samba would handle the case change 
properly.

As for the groups that are pointing to -1, if it ain't broke, don't fix 
it. I'm going to assume that Samba puts them there for a reason, even if 
I don't know what it is.


Paul Smith wrote:
> I should have added this to my last message:
>
> I'd like to end up with this mapping:
>
> Domain Admins - ntadmin
> Domain Users - users
> Domain Guests - nogroup
> Sales - sales
> Accounting - accounting
> Human Resources - hr
> Engineering - engineering
> IT - it
> Parts - parts
>
> I only need one Windows "Parts" group (mapped to the unix parts group)
> and I don't need a Windows "Users" group at all (no idea how that got
> created in the first place).
>
> Thanks,
> Paul
>
> -----Original Message-----
> From: samba-bounces+paul=gami.com at lists.samba.org
> [mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Paul
> Smith
> Sent: Monday, February 26, 2007 1:37 PM
> To: samba at lists.samba.org
> Subject: RE: [Samba] Duplicate group mappings - which ones to delete?
>
> I'm not using pam-winbind, and all clients are Windows - either XP, 2000
> or 2003.
>
> When I search the domain for groups in Windows I do indeed get two
> groups called "parts" and the "users" group also.
>
> I've double-checked the unix users and they're all in the correct unix
> groups.  Is there any danger in simply deleting the suspect mappings and
> recreating them using something like:
>
> net groupmap add ntgroup="Parts" unixgroup=parts type=d
>
> Thanks,
> Paul
>
> -----Original Message-----
> From: samba-bounces+paul=gami.com at lists.samba.org
> [mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Gary
> Dale
> Sent: Monday, February 26, 2007 12:07 PM
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Duplicate group mappings - which ones to delete?
>
> The ones pointing to -1 are not being used. However, there is no point 
> in deleting them. They are standard Windows groups that are not mapped 
> to Unix groups.
>
> The two "parts" mappings each have a different SID. They are therefore 
> not duplicates. Possibly you have two different "parts" groups in 
> Windows somehow. You're going to have to track them down to find out how
> they are being used. Do you have a Unix group called "parts"? If not, 
> then the ones that refer to it are wrong.
>
> The middle group, which maps "users" to "users" looks suspicious. You 
> may notice that you already have a "Users" mapping for Windows.
>
> However, it may be that you are using pam-winbind to authenticate Unix 
> systems to your domain, in which case the two different "parts" and the 
> "users" may be related to that.
>
> I'm not an expert, but I hope this helps.
>
>
> Paul Smith wrote:
>
>> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as a PDC
>> for domain ADADOM.  I have a problem with duplicate group mappings and
>> need to delete some, however, I don't know which one is being used.  Is
>> there a way I can find out which ones have no users assigned to them?
>>
>> Here's the sorted output of "net groupmap list".  The last three are the
>> issue.  I only need one "parts" mapping and I'm pretty sure I don't need
>> the "users" mapping:
>>
>> phoenix:~# net groupmap list
>> Backup Operators (S-1-5-32-551) -> -1
>> Users (S-1-5-32-545) -> -1
>> System Operators (S-1-5-32-549) -> -1
>> Replicators (S-1-5-32-552) -> -1
>> Guests (S-1-5-32-546) -> -1
>> Power Users (S-1-5-32-547) -> -1
>> Print Operators (S-1-5-32-550) -> -1
>> Administrators (S-1-5-32-544) -> -1
>> Account Operators (S-1-5-32-548) -> -1
>> Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) -> ntadmin
>> Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) -> nogroup
>> Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users
>> Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) ->
>> accounting
>> Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales
>> Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) -> hr
>> IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it
>> Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) ->
>> engineering
>> parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts
>> users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users
>> parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts
>>
>> Thanks,
>> Paul
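An added example, not code from this thread or from Samba itself: it parses the "net groupmap list" output quoted above and flags the two kinds of collision the replies discuss, the same Windows group name mapped under two different SIDs (Windows names are case-insensitive, so "Users" and "users" collide) and the same Unix group reached from several SIDs. The sample lines are constructed from the listing in the thread; the BUILTIN check only relies on the well-known S-1-5-32 prefix.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the "net groupmap list" output in the thread.
SAMPLE = """\
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users
Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales
parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts
users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users
parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts
"""

# One mapping per line: "<NT name> (<SID>) -> <unix group or -1>"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5(?:-\d+)+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["name"], m["sid"], m["unix"]))
    return rows


def is_builtin(sid):
    """BUILTIN groups (Users, Administrators, ...) live under S-1-5-32."""
    return sid.startswith("S-1-5-32-")


def find_conflicts(rows):
    """Group SIDs by case-folded NT name and by Unix target; report any shared more than once."""
    by_name = defaultdict(list)
    by_unix = defaultdict(list)
    for name, sid, unix in rows:
        by_name[name.lower()].append(sid)
        if unix != "-1":  # "-1" means the SID has no Unix group; nothing to collide with
            by_unix[unix].append(sid)
    return {
        "nt_name_dups": {n: s for n, s in by_name.items() if len(s) > 1},
        "unix_group_dups": {u: s for u, s in by_unix.items() if len(s) > 1},
    }


if __name__ == "__main__":
    for kind, dups in find_conflicts(parse_groupmap(SAMPLE)).items():
        for key, sids in dups.items():
            tags = ["BUILTIN" if is_builtin(s) else "domain" for s in sids]
            print(f"{kind}: {key!r} -> {list(zip(sids, tags))}")
```

Run it against the real `net groupmap list` output instead of SAMPLE to see which SIDs share a name or a Unix group before touching any mapping; the SID, not the name, is what file ACLs reference.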
