[Samba] Duplicate group mappings - which ones to delete?

Gary Dale garydale at torfree.net
Mon Feb 26 22:17:54 GMT 2007


The renaming would have to be done on the Samba server because that is 
where the group name exists - not on the Windows client. Try a low-level 
tool, not an end-user tool like webmin. Something in the net groupmap or 
net group commands might do it. Sorry I can't give you an exact syntax. :)


Paul Smith wrote:
> Slight problem with renaming the group.  I've just looked in usrmgr and
> it shows only one parts group.  However, if I drill down to the "Select
> Users and Groups" applet from the Security tab of any file properties
> window, I'm shown two parts groups.
>
> If, in usrmgr, I double-click the displayed "parts" group I get what
> looks to be the correct properties.  If I double-click the "users" group
> I'm told:
>
> "The following error occurred accessing the properties of the group
> users:
> The group name could not be found.
> The group properties cannot be edited or viewed at this time."
>
>
> Something that might be helpful is that the "Description" in usrmgr for
> the only parts group it displays is "Domain Unix Group".  This
> description only occurs in one of the "Samba groups" I see listed in
> Webmin.  It's the opposite of what I would have thought, though, as the
> group that is descriptionless is the one with the lower group SID:
> S-1-5-21-3597458131-155160113-1223051555-132073
> S-1-5-21-3597458131-155160113-1223051555-132074  <- this is the one that
> has the description field set.
>
> Usrmgr doesn't give me the option of renaming the groups - the rename
> option is greyed out, and webmin (my admin tool of choice on this
> machine) doesn't allow me to rename the group either.
>
>
>
> -----Original Message-----
> From: samba-bounces+paul=gami.com at lists.samba.org
> [mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Gary
> Dale
> Sent: Monday, February 26, 2007 2:24 PM
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Duplicate group mappings - which ones to delete?
>
> Yes there is a danger. The groups each have a unique SID. If you look on
> an XP workstation, you'll see that local file ACLs use the SID, not the
> group name. The workstation does a lookup to the Domain Controller to 
> get the name associated with the SID. If you simply delete the group, 
> the lookup will fail and all you'll see is the SID. Moreover, people who
> relied on that mapping will find their access is denied.
>
> You can try changing all the affected ACLs first to use the correct 
> SIDs. This may be easier if you rename one of the Windows parts groups 
> first (without changing the SID).
>
> The users group you may be able to deal with directly. Change all the 
> instances on Windows to Users. You may have to do some group browsing to
> get the correct one - I don't know if Samba would handle the case change
> properly.
>
> As for the groups that are pointing to -1, if it ain't broke, don't fix 
> it. I'm going to assume that Samba puts them there for a reason, even if
> I don't know what it is.
>
>
> Paul Smith wrote:
>> I should have added this to my last message:
>>
>> I'd like to end up with this mapping:
>>
>> Domain Admins - ntadmin
>> Domain Users - users
>> Domain Guests - nogroup
>> Sales - sales
>> Accounting - accounting
>> Human Resources - hr
>> Engineering - engineering
>> IT - it
>> Parts - parts
>>
>> I only need one Windows "Parts" group (mapped to the unix parts group)
>> and I don't need a Windows "Users" group at all(no idea how that got
>> created in the first place".
>>
>> Thanks,
>> Paul
>>
>> -----Original Message-----
>> From: samba-bounces+paul=gami.com at lists.samba.org
>> [mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Paul
>> Smith
>> Sent: Monday, February 26, 2007 1:37 PM
>> To: samba at lists.samba.org
>> Subject: RE: [Samba] Duplicate group mappings - which ones to delete?
>>
>> I'm not using pam-winbind, and all clients are Windows - either XP, 2000
>> or 2003.
>>
>> When I search the domain for groups in Windows I do indeed get two
>> groups called "parts" and the "users" group also.
>>
>> I've double-checked the unix users and they're all in the correct unix
>> groups.  Is there any danger in simply deleting the suspect mappings and
>> recreating them using something like:
>>
>> net groupmap add ntgroup="Parts" unixgroup=parts type=d
>>
>> Thanks,
>> Paul
>>
>> -----Original Message-----
>> From: samba-bounces+paul=gami.com at lists.samba.org
>> [mailto:samba-bounces+paul=gami.com at lists.samba.org] On Behalf Of Gary
>> Dale
>> Sent: Monday, February 26, 2007 12:07 PM
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Duplicate group mappings - which ones to delete?
>>
>> The ones pointing to -1 are not being used. However, there is no point
>> in deleting them. They are standard Windows groups that are not mapped
>> to Unix groups.
>>
>> The two "parts" mappings each have a different SID. They are therefore
>> not duplicates. Possibly you have two different "parts" groups in
>> Windows somehow. You're going to have to track them down to find out how
>> they are being used. Do you have a Unix group called "parts"? If not,
>> then the ones that refer to it are wrong.
>>
>> The middle group, which maps "users" to "users" looks suspicious. You 
>> may notice that you already have a "Users" mapping for Windows.
>>
>> However, it may be that you are using pam-winbind to authenticate Unix
>> systems to your domain, in which case the two different "parts" and the
>> "users" may be related to that.
>>
>> I'm not an expert, but I hope this helps.
>>
>>
>> Paul Smith wrote:
>>> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as a PDC
>>> for domain ADADOM.  I have a problem with duplicate group mappings and
>>> need to delete some, however, I don't know which one is being used.  Is
>>> there a way I can find out which ones have no users assigned to them?
>>>
>>> Here's the sorted output of "net groupmap list".  The last three are the
>>> issue.  I only need one "parts" mapping and I'm pretty sure I don't need
>>> the "users" mapping:
>>>
>>> phoenix:~# net groupmap list
>>> Backup Operators (S-1-5-32-551) -> -1
>>> Users (S-1-5-32-545) -> -1
>>> System Operators (S-1-5-32-549) -> -1
>>> Replicators (S-1-5-32-552) -> -1
>>> Guests (S-1-5-32-546) -> -1
>>> Power Users (S-1-5-32-547) -> -1
>>> Print Operators (S-1-5-32-550) -> -1
>>> Administrators (S-1-5-32-544) -> -1
>>> Account Operators (S-1-5-32-548) -> -1
>>> Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) -> ntadmin
>>> Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) -> nogroup
>>> Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users
>>> Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> accounting
>>> Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales
>>> Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) -> hr
>>> IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it
>>> Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) -> engineering
>>> parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts
>>> users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users
>>> parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts
>>>
>>> Thanks,
>>> Paul
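The advice in this thread is to audit the mappings before deleting any of them, because Windows ACLs store the SID rather than the group name. The script below is an added example, not code from the thread or from Samba: it parses `net groupmap list` output (a constructed subset of the listing quoted above) and flags NT group names that carry more than one SID (compared case-insensitively, as Windows does), Unix groups claimed by more than one SID, and the builtin aliases mapped to -1. The `same_name`, `same_unix` and `unmapped` keys are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "net groupmap list" output quoted in
# this thread, unwrapped to one mapping per line.
SAMPLE = """\
phoenix:~# net groupmap list
Users (S-1-5-32-545) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) -> ntadmin
Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users
Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> accounting
parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts
users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users
parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts
"""

# "<ntgroup> (<SID>) -> <unixgroup or -1>"; the shell prompt line does not match.
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return (ntgroup, sid, unixgroup) tuples from net groupmap list output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["nt"], m["sid"], m["unix"]))
    return rows

def audit(rows):
    """Flag mappings to check before deleting anything: Windows ACLs store
    the SID, not the name, so a SID removed from the mapping becomes an
    orphan on every ACL that references it."""
    by_name, by_unix, unmapped = defaultdict(list), defaultdict(list), []
    for nt, sid, unix in rows:
        # Windows compares group names case-insensitively, so "Users" and
        # "users" collide even though they carry different SIDs.
        by_name[nt.lower()].append(sid)
        if unix == "-1":
            unmapped.append(sid)   # builtin alias with no Unix group; harmless
        else:
            by_unix[unix].append(sid)
    return {
        "same_name": {k: v for k, v in by_name.items() if len(v) > 1},
        "same_unix": {k: v for k, v in by_unix.items() if len(v) > 1},
        "unmapped": unmapped,
    }

if __name__ == "__main__":
    for kind, hits in audit(parse_groupmap(SAMPLE)).items():
        print(kind, hits)
```

On the sample it reports both "parts" SIDs under one name, "Users"/"users" sharing a name across the BUILTIN and domain SIDs, and the Unix "users" group claimed by both Domain Users and the suspect "users" mapping.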
