[Samba] Duplicate group mappings - which ones to delete?

Paul Smith paul at gami.com
Mon Feb 26 21:09:31 GMT 2007


Slight problem with renaming the group.  I've just looked in usrmgr and
it shows only one parts group.  However, if I drill down to the "Select
Users and Groups" applet from the Security tab of any file properties
window, I'm shown two parts groups.

If, in usrmgr, I double-click the displayed "parts" group I get what
looks to be the correct properties.  If I double-click the "users" group
I'm told:

"The following error occurred accessing the properties of the group
users:
The group name could not be found.
The group properties cannot be edited or viewed at this time."


Something that might be helpful is that the "Description" in usrmgr for
the only parts group it displays is "Domain Unix Group".  This
description only occurs in one of the "Samba groups" I see listed in
Webmin.  It's the opposite of what I would have thought, though, as the
group that is descriptionless is the one with the lower group SID:
S-1-5-21-3597458131-155160113-1223051555-132073
S-1-5-21-3597458131-155160113-1223051555-132074  <- this is the one that
has the description field set.

Usrmgr doesn't give me the option of renaming the groups - the rename
option is greyed out, and webmin (my admin tool of choice on this
machine) doesn't allow me to rename the group either.



-----Original Message-----
From: samba-bounces+paul=gami.com at lists.samba.org
[mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Gary
Dale
Sent: Monday, February 26, 2007 2:24 PM
Cc: samba at lists.samba.org
Subject: Re: [Samba] Duplicate group mappings - which ones to delete?

Yes there is a danger. The groups each have a unique SID. If you look on
an XP workstation, you'll see that local file ACLs use the SID, not the
group name. The workstation does a lookup to the Domain Controller to
get the name associated with the SID. If you simply delete the group,
the lookup will fail and all you'll see is the SID. Moreover, people who
relied on that mapping will find their access is denied.

You can try changing all the affected ACLs first to use the correct
SIDs. This may be easier if you rename one of the Windows parts groups
first (without changing the SID).

The users group you may be able to deal with directly. Change all the
instances on Windows to Users. You may have to do some group browsing to
get the correct one - I don't know if Samba would handle the case change
properly.

As for the groups that are pointing to -1, if it ain't broke, don't fix
it. I'm going to assume that Samba puts them there for a reason, even if
I don't know what it is.


Paul Smith wrote:
> I should have added this to my last message:
>
> I'd like to end up with this mapping:
>
> Domain Admins - ntadmin
> Domain Users - users
> Domain Guests - nogroup
> Sales - sales
> Accounting - accounting
> Human Resources - hr
> Engineering - engineering
> IT - it
> Parts - parts
>
> I only need one Windows "Parts" group (mapped to the unix parts group)
> and I don't need a Windows "Users" group at all (no idea how that got
> created in the first place).
>
> Thanks,
> Paul
>
> -----Original Message-----
> From: samba-bounces+paul=gami.com at lists.samba.org
> [mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Paul
> Smith
> Sent: Monday, February 26, 2007 1:37 PM
> To: samba at lists.samba.org
> Subject: RE: [Samba] Duplicate group mappings - which ones to delete?
>
> I'm not using pam-winbind, and all clients are Windows - either XP, 2000
> or 2003.
>
> When I search the domain for groups in Windows I do indeed get two
> groups called "parts" and the "users" group also.
>
> I've double-checked the unix users and they're all in the correct unix
> groups.  Is there any danger in simply deleting the suspect mappings and
> recreating them using something like:
>
> net groupmap add ntgroup="Parts" unixgroup=parts type=d
>
> Thanks,
> Paul
>
> -----Original Message-----
> From: samba-bounces+paul=gami.com at lists.samba.org
> [mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Gary
> Dale
> Sent: Monday, February 26, 2007 12:07 PM
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Duplicate group mappings - which ones to delete?
>
> The ones pointing to -1 are not being used. However, there is no point
> in deleting them. They are standard Windows groups that are not mapped
> to Unix groups.
>
> The two "parts" mappings each have a different SID. They are therefore
> not duplicates. Possibly you have two different "parts" groups in
> Windows somehow. You're going to have to track them down to find out how
> they are being used. Do you have a Unix group called "parts"? If not,
> then the ones that refer to it are wrong.
>
> The middle group, which maps "users" to "users" looks suspicious. You
> may notice that you already have a "Users" mapping for Windows.
>
> However, it may be that you are using pam-winbind to authenticate Unix
> systems to your domain, in which case the two different "parts" and the
> "users" may be related to that.
>
> I'm not an expert, but I hope this helps.
>
>
> Paul Smith wrote:
>> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as a PDC
>> for domain ADADOM.  I have a problem with duplicate group mappings and
>> need to delete some, however, I don't know which one is being used.  Is
>> there a way I can find out which ones have no users assigned to them?
>>
>> Here's the sorted output of "net groupmap list".  The last three are the
>> issue.  I only need one "parts" mapping and I'm pretty sure I don't need
>> the "users" mapping:
>>
>> phoenix:~# net groupmap list
>> Backup Operators (S-1-5-32-551) -> -1
>> Users (S-1-5-32-545) -> -1
>> System Operators (S-1-5-32-549) -> -1
>> Replicators (S-1-5-32-552) -> -1
>> Guests (S-1-5-32-546) -> -1
>> Power Users (S-1-5-32-547) -> -1
>> Print Operators (S-1-5-32-550) -> -1
>> Administrators (S-1-5-32-544) -> -1
>> Account Operators (S-1-5-32-548) -> -1
>> Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) -> ntadmin
>> Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) -> nogroup
>> Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users
>> Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> accounting
>> Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales
>> Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) -> hr
>> IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it
>> Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) -> engineering
>> parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts
>> users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users
>> parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts
>>
>> Thanks,
>> Paul
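
An added example, not part of the original thread and not Samba code: because Windows ACLs store the SID rather than the name, this Python script groups "net groupmap list" output by case-folded NT name and by Unix group, so every SID that shares a name or a Unix group can be reviewed before any mapping is deleted. The function names are hypothetical; the sample is a subset of the listing quoted in the thread, with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Subset of the "net groupmap list" output quoted in the thread (wrapped lines rejoined).
SAMPLE = """\
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users
Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales
parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts
users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users
parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts
"""

# One mapping per line: NT group name, SID in parentheses, Unix group (or -1).
LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return (ntgroup, sid, unixgroup) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append((m["nt"], m["sid"], m["unix"]))
    return entries

def find_conflicts(entries):
    """Group entries that need review before any mapping is deleted.

    same_name: NT names equal ignoring case but carrying different SIDs.
    same_unix: one Unix group reachable from more than one SID.
    Entries mapped to -1 (no Unix group) are left out of same_unix.
    """
    by_name, by_unix = defaultdict(set), defaultdict(set)
    for nt, sid, unix in entries:
        by_name[nt.lower()].add(sid)
        if unix != "-1":
            by_unix[unix].add(sid)
    same_name = {k: sorted(v) for k, v in by_name.items() if len(v) > 1}
    same_unix = {k: sorted(v) for k, v in by_unix.items() if len(v) > 1}
    return same_name, same_unix

if __name__ == "__main__":
    names, unixes = find_conflicts(parse_groupmap(SAMPLE))
    for label, found in (("NT name", names), ("Unix group", unixes)):
        for key, sids in found.items():
            print(f"{label} {key!r} has {len(sids)} SIDs:")
            for sid in sids:
                print(f"  {sid}")
```

Each SID it reports is a separate principal as far as file ACLs are concerned, so the list is the set of SIDs to search for in ACLs before removing a mapping.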
