Re: [Samba] duplicate group in NET GROUPMAP LIST

Rune Tønnesen rune at tonnesen.org
Wed May 2 12:50:52 GMT 2007



Hi Gianluca

Do you have more than one password backend, e.g. both
smbpasswd and tdbsam or ldapsam?

-- 
Rune Tønnesen 
Venlig Hilsen/Best Regards 


>> -----Original Message-----
>> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
>> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
>> Behalf Of John H Terpstra
>> Sent: Wednesday, 2 May 2007 14.07
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] duplicate group in NET GROUPMAP LIST
>>
>>
>> On Wednesday 02 May 2007 04:58, Gianluca Culot wrote:
>> > Hi List
>> >
>> > I'm experiencing a strange behaviour on my samba server
>> >
>> > the group "Domain Users" (and other builtin groups from my AD servers)
>> > appears to have a duplicated SID
>> >
>> > here is the output of
>> >
>> > mail# > net groupmap list
>> > System Operators (S-1-5-32-549) -> -1
>> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
>> > Replicators (S-1-5-32-552) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
>> > Guests (S-1-5-32-546) -> -1
>> > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
>> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
>> > Power Users (S-1-5-32-547) -> -1
>> > Print Operators (S-1-5-32-550) -> -1
>> > Administrators (S-1-5-32-544) -> -1
>> > Account Operators (S-1-5-32-548) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
>> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
>> > Backup Operators (S-1-5-32-551) -> -1
>> > Users (S-1-5-32-545) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
>> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
>> >
>> > and in /var/log/messages
>> > May 2 11:00:05 mail winbindd[23804]: [2007/05/02 11:00:05, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(476)
>> > May 2 11:00:05 mail winbindd[23804]: rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-549
>> >
>> > which appears to be a group in BUILTIN group from AD server
>> >
>> > the strange fact is the Domain Users appears to have TWO sids
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
>> >
>> > The first appears to be correctly mapped to the local users group
>> > the latter has no mapping (-1)
>> >
>> > that to me appears really odd....
>> >
>> > Can somebody explain this old fact to me?
>> >
>> > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
>> > perfectly and every user can authenticate correctly on every service with
>> > his/her own AD domain user and password
>> >
>> > Any Hint?
>> > PLEASE !?!
>>
>> Execute
>> net groupmap cleanup
>>
>> then reset your mappings.
>>
>> - John T.
>
> Looks like
> net groupmap cleanup
> has no effect on my system
>
> here is the copy of action from my terminal
>
> mail# /home > net groupmap delete ntgroup="domain users"
> Sucessfully removed domain users from the mapping db
>
> mail# /home > net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
>
> mail# /home > net groupmap cleanup
> Group Domain Guests is not mapped
> Group Domain Users is not mapped
> Group Domain Admins is not mapped
>
> mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> No rid or sid specified, choosing algorithmic mapping
> Successfully added group Domain Users to the mapping db
>
> mail# /home > net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> Replicators (S-1-5-32-552) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> Guests (S-1-5-32-546) -> -1
> BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> mail# /home >
>
> Maybe Domain Users is NOT to be mapped?
> Is it of any use mapping Domain Users and Users? I would say YES as I want to
> set permissions based on AD groups
>
>
> 
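
The listing quoted above is easier to audit mechanically. This is an added example, not part of the original thread or of Samba: it parses `net groupmap list` output in the `Name (SID) -> unixgroup` form shown in the thread and reports which group names occur under several SIDs, and where the well-known domain SID is unmapped while a same-named entry holds the Unix group. The function names are hypothetical, and the well-known RIDs 512/513/514 are standard Windows values rather than something stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `net groupmap list` lines quoted in the thread.
SAMPLE = """\
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
"""

LINE_RE = re.compile(r"^(.+?) \((S-1-[\d-]+)\) -> (\S+)\s*$")
# Well-known domain RIDs (assumption: standard Windows values, not from the thread).
WELL_KNOWN_RIDS = {"512": "domain admins", "513": "domain users", "514": "domain guests"}
UNMAPPED = "-1"  # printed by `net groupmap list` when no Unix group is attached


def parse_groupmap(text):
    """Return [(nt_name, sid, unix_group)] for every line that parses."""
    lines = map(str.strip, text.splitlines())
    return [m.groups() for m in map(LINE_RE.match, lines) if m]


def duplicate_names(entries):
    """NT group names (lower-cased) that appear under more than one SID."""
    sids = defaultdict(set)
    for name, sid, _ in entries:
        sids[name.lower()].add(sid)
    return {name: sorted(s) for name, s in sids.items() if len(s) > 1}


def shadowed_well_known(entries):
    """Names whose well-known-RID SID is unmapped while a same-named SID is mapped."""
    findings = {}
    for name, sid, unix in entries:
        rid = sid.rsplit("-", 1)[1]
        is_domain_sid = sid.startswith("S-1-5-21-")
        if is_domain_sid and WELL_KNOWN_RIDS.get(rid) == name.lower() and unix == UNMAPPED:
            others = [(s, u) for n, s, u in entries
                      if n.lower() == name.lower() and s != sid and u != UNMAPPED]
            if others:
                findings[name] = {"unmapped_sid": sid, "mapped_instead": others}
    return findings


if __name__ == "__main__":
    parsed = parse_groupmap(SAMPLE)
    print(duplicate_names(parsed))
    print(shadowed_well_known(parsed))
```

On a live server the same functions can be fed the captured output of `net groupmap list` instead of `SAMPLE`.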


