R: R: [Samba] duplicate group in NET GROUPMAP LIST

Gianluca Culot gianlucaculot at dmsware.com
Wed May 2 13:00:12 GMT 2007


-----Original Message-----
From: Rune Tønnesen [mailto:rune at tonnesen.org]
Sent: Wednesday, 2 May 2007 14.51
To: Gianluca Culot
Cc: samba at lists.samba.org
Subject: Re: R: [Samba] duplicate group in NET GROUPMAP LIST


Hi Gianluca

Do you have more than one password backend e.g. both smbpasswd and tdbsam or
ldapsam?

--
Rune Tønnesen
Venlig Hilsen/Best Regards


>> -----Original Message-----
>> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
>> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
>> behalf of John H Terpstra
>> Sent: Wednesday, 2 May 2007 14.07
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] duplicate group in NET GROUPMAP LIST
>>
>>
>> On Wednesday 02 May 2007 04:58, Gianluca Culot wrote:
>> > Hi List
>> >
>> > I'm experiencing a strange behaviour on my samba server
>> >
>> > the group "Domain Users" (and other builtin groups from my AD servers)
>> > appear to have a duplicated SID
>> >
>> > here is the output of
>> >
>> > mail# > net groupmap list
>> > System Operators (S-1-5-32-549) -> -1
>> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
>> > Replicators (S-1-5-32-552) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
>> > Guests (S-1-5-32-546) -> -1
>> > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
>> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
>> > Power Users (S-1-5-32-547) -> -1
>> > Print Operators (S-1-5-32-550) -> -1
>> > Administrators (S-1-5-32-544) -> -1
>> > Account Operators (S-1-5-32-548) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
>> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
>> > Backup Operators (S-1-5-32-551) -> -1
>> > Users (S-1-5-32-545) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
>> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
>> >
>> >
>> > and in /var/log/messages
>> > May 2 11:00:05 mail winbindd[23804]: [2007/05/02 11:00:05, 0]
>> > sam/idmap_rid.c:rid_idmap_get_id_from_sid(476)
>> > May 2 11:00:05 mail winbindd[23804]: rid_idmap_get_id_from_sid: no
>> > suitable range available for sid: S-1-5-32-549
>> >
>> > which appear to be a group in BUILTIN group from AD server
>> >
>> > the strange fact is the Domain Users appear to have a TWO sids
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
>> >
>> > The first appear to be correctly mapped to the local users group
>> > the latter has no mapping (-1)
>> >
>> > that to me appears really odd....
>> >
>> > Can somebody explain me this old fact ?
>> >
>> > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
>> > perfectly and every user can authenticate correctly on every service with
>> > his/her own AD domain user and password
>> >
>> > Any Hint?
>> > PLEASE !?!
>>
>> Execute
>> net groupmap cleanup
>>
>> then reset your mappings.
>>
>> - John T.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/listinfo/samba
>>
>
> Looks like
> net groupmap cleanup
> has no effect on my system
>
> here is the copy of action from my terminal
>
> mail# /home > net groupmap delete ntgroup="domain users"
> Sucessfully removed domain users from the mapping db
>
> mail# /home > net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
>
> mail# /home > net groupmap cleanup
> Group Domain Guests is not mapped
> Group Domain Users is not mapped
> Group Domain Admins is not mapped
>
> mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> No rid or sid specified, choosing algorithmic mapping
> Successfully added group Domain Users to the mapping db
>
> mail# /home > net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> Replicators (S-1-5-32-552) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> Guests (S-1-5-32-546) -> -1
> BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> mail# /home >
>
> Maybe Domain Users is NOT to be mapped ?
> is of any use mapping Domain Users and Users ? I would say YES as I want to
> set permissions based on AD groups
>
>
>

NO
Just one password backend at the moment (and I DO not plan to have more than
one domain!)

my current smb.conf is

[global]

        workgroup = dmsware
        netbios name = mail
        #os level = 20          # we will never be master or slave browser as we are on a firewalled net
        preferred master = no
        server string = mail.dmsware.it Samba Shares

        realm = dmsware.it
        security = ADS
        password server = orion.dmsware.it

        winbind cache time = 3600
        winbind use default domain = Yes
        winbind nested groups = Yes
        # -antares- winbind enum users = Yes
        # -antares- winbind enum groups = Yes

        allow trusted domains = Yes
        #idmap domains = DMSWARE
        idmap config DMSWARE:backend      = rid
        idmap config DMSWARE:base_rid     = 1000
        idmap config DMSWARE:range        = 10000 - 49999

        #idmap backend = idmap_rid:DMSWARE=1000-20000

        idmap gid = 10000-49999
        idmap uid = 10000-49999
        # -antares- winbind uid = 10000-20000
        # -antares- winbind gid = 10000-20000

        template homedir = /home/%U
        template shell = /bin/sh
        # -antares- template primary group = "Domain Users"
        syslog only = Yes
        # -antares- log file = /var/log/samba/log.%m

        encrypt passwords = yes

        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/pw groupdel %g
        add user script = /usr/sbin/pw useradd %u
        delete user script = /usr/sbin/pw userdel %u

Thanks
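
Added example, not part of the original message: one way to triage the repeated names in the `net groupmap list` output quoted above is to split each SID by its RID. It assumes Samba's default algorithmic RID base of 1000 (group RID = gid * 2 + 1001); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Entries copied from the `net groupmap list` output quoted in this thread.
SAMPLE = """\
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
"""

LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")
WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
RID_BASE = 1000  # assumption: Samba's default "algorithmic rid base"

def classify(sid):
    """Label a SID as builtin, well-known domain RID, or algorithmic."""
    if sid.startswith("S-1-5-32-"):
        return "builtin"
    rid = int(sid.rsplit("-", 1)[1])
    if rid in WELL_KNOWN:
        return "well-known"
    # Algorithmic group RIDs are gid * 2 + RID_BASE + 1: odd and above the base.
    if rid > RID_BASE and rid % 2 == 1:
        return "algorithmic gid=%d" % ((rid - RID_BASE - 1) // 2)
    return "other"

def duplicates(listing):
    """Return {nt_name: [(rid, kind, unix_group), ...]} for names with >1 SID."""
    by_name = defaultdict(list)
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            rid = int(m["sid"].rsplit("-", 1)[1])
            by_name[m["name"]].append((rid, classify(m["sid"]), m["unix"]))
    return {n: sorted(v) for n, v in by_name.items() if len(v) > 1}

if __name__ == "__main__":
    for name, entries in duplicates(SAMPLE).items():
        print(name)
        for rid, kind, unix in entries:
            print("  RID %-7d %-22s -> %s" % (rid, kind, unix))
```

The "algorithmic" label is a hint only: a domain controller can also issue odd RIDs above 1000, so confirm against the domain before deleting a mapping.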
