R: [Samba] duplicate group in NET GROUPMAP LIST

Gianluca Culot gianlucaculot at dmsware.com
Wed May 2 12:40:30 GMT 2007


> -----Original Message-----
> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org]On
> behalf of John H Terpstra
> Sent: Wednesday 2 May 2007 14.07
> To: samba at lists.samba.org
> Subject: Re: [Samba] duplicate group in NET GROUPMAP LIST
>
>
> On Wednesday 02 May 2007 04:58, Gianluca Culot wrote:
> > Hi List
> >
> > I'm experiencing a strange behaviour on my samba server
> >
> > the group "Domain Users" (and other builtin groups from my AD servers)
> > appear to have a duplicated SID
> >
> > here is the output of
> >
> > mail# > net groupmap list
> > System Operators (S-1-5-32-549) -> -1
> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > Replicators (S-1-5-32-552) -> -1
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> > Guests (S-1-5-32-546) -> -1
> > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > Power Users (S-1-5-32-547) -> -1
> > Print Operators (S-1-5-32-550) -> -1
> > Administrators (S-1-5-32-544) -> -1
> > Account Operators (S-1-5-32-548) -> -1
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > Backup Operators (S-1-5-32-551) -> -1
> > Users (S-1-5-32-545) -> -1
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> >
> >
> > and in /var/log/messages
> > May  2 11:00:05 mail winbindd[23804]: [2007/05/02 11:00:05, 0]
> > sam/idmap_rid.c:rid_idmap_get_id_from_sid(476)
> > May  2 11:00:05 mail winbindd[23804]:   rid_idmap_get_id_from_sid: no
> > suitable range available for sid: S-1-5-32-549
> >
> > which appears to be a group in the BUILTIN group from the AD server
> >
> > the strange fact is that Domain Users appears to have TWO SIDs
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
> >
> > The first appears to be correctly mapped to the local users group
> > the latter has no mapping (-1)
> >
> > that appears really odd to me....
> >
> > Can somebody explain this odd fact to me?
> >
> > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
> > perfectly and every user can authenticate correctly on every service with
> > his/her own AD domain user and password
> >
> > Any Hint?
> > PLEASE !?!
>
> Execute
> 	 net groupmap cleanup
>
> then reset your mappings.
>
> - John T.

Looks like
net groupmap cleanup
has no effect on my system

here is the copy of action from my terminal

mail# /home > net groupmap delete ntgroup="domain users"
Sucessfully removed domain users from the mapping db

mail# /home > net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1

mail# /home > net groupmap cleanup
Group Domain Guests is not mapped
Group Domain Users is not mapped
Group Domain Admins is not mapped

mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
No rid or sid specified, choosing algorithmic mapping
Successfully added group Domain Users to the mapping db

mail# /home > net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
Replicators (S-1-5-32-552) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Guests (S-1-5-32-546) -> -1
BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
mail# /home >

Maybe Domain Users is NOT to be mapped?
Is it of any use mapping Domain Users and Users? I would say YES, as I want to
set permissions based on AD groups
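
An added example, not part of the original message or of Samba: a small Python parser for `net groupmap list` output that groups entries by NT group name and reports every name carrying more than one SID, marking which entry holds the well-known domain RID (512, 513, 514) and which entries have no Unix group (-1). The sample is constructed from a subset of the listing above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the listing posted in the message above.
SAMPLE = """\
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
"""

# One entry per line: "<NT group> (<SID>) -> <unix group or -1>"
LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1(?:-\d+)+)\) -> (?P<unix>.+)$")
# Well-known RIDs of the domain groups that appear in the listing.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

def parse(text):
    """Return one dict per mapping line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sid = m["sid"]
            entries.append({"name": m["name"], "sid": sid, "unix": m["unix"],
                            "rid": int(sid.rsplit("-", 1)[1]),
                            "mapped": m["unix"] != "-1"})
    return entries

def duplicates(entries):
    """Map lower-cased group name -> entries, for names with more than one SID."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"].lower()].append(e)
    return {n: es for n, es in by_name.items()
            if len({e["sid"] for e in es}) > 1}

def report(text):
    """One line per duplicated entry, for review before editing the mapping db."""
    out = []
    for _, es in sorted(duplicates(parse(text)).items()):
        for e in es:
            known = WELL_KNOWN_RIDS.get(e["rid"]) == e["name"]
            tag = "well-known RID" if known else "other RID"
            state = f"-> {e['unix']}" if e["mapped"] else "unmapped"
            out.append(f"{e['name']}: {e['sid']} ({tag}) {state}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On the sample, the entry with RID 513 is the one reported as unmapped, while the Unix group `users` is attached to a different SID of the same name.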



