R: R: [Samba] duplicate group in NET GROUPMAP LIST

Gianluca Culot gianlucaculot at dmsware.com
Wed May 2 13:09:21 GMT 2007



> -----Original Message-----
> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> behalf of John H Terpstra
> Sent: Wednesday, 2 May 2007 14:56
> To: samba at lists.samba.org
> Subject: Re: R: [Samba] duplicate group in NET GROUPMAP LIST
>
>
> On Wednesday 02 May 2007 07:40, Gianluca Culot wrote:
> > ...
> > > > > the strange fact is that Domain Users appears to have TWO SIDs
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
> > > >
> > > > > The first appears to be correctly mapped to the local users group
> > > > > the latter has no mapping (-1)
> > > > >
> > > > > that to me appears really odd....
> > > >
> > > > Can somebody explain me this old fact ?
> > > >
> > > > > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
> > > > > perfectly and every user can authenticate correctly on every service with
> > > > > his/her own AD domain user and password
> > > >
> > > > Any Hint?
> > > > PLEASE !?!
> > >
> > > Execute
> > > 	 net groupmap cleanup
> > >
> > > then reset your mappings.
> > >
> > > - John T.
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> >
> > > Looks like
> > net groupmap cleanup
> > has no effect on my system
> >
> > here is the copy of action from my terminal
> >
> > mail# /home > net groupmap delete ntgroup="domain users"
> > Sucessfully removed domain users from the mapping db
> >
> > mail# /home > net groupmap list
> > System Operators (S-1-5-32-549) -> -1
> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > Replicators (S-1-5-32-552) -> -1
> > Guests (S-1-5-32-546) -> -1
> > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > Power Users (S-1-5-32-547) -> -1
> > Print Operators (S-1-5-32-550) -> -1
> > Administrators (S-1-5-32-544) -> -1
> > Account Operators (S-1-5-32-548) -> -1
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > Backup Operators (S-1-5-32-551) -> -1
> > Users (S-1-5-32-545) -> -1
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> >
> > mail# /home > net groupmap cleanup
> > Group Domain Guests is not mapped
> > Group Domain Users is not mapped
> > Group Domain Admins is not mapped
> >
> > > mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> > No rid or sid specified, choosing algorithmic mapping
> > Successfully added group Domain Users to the mapping db
> >
> > mail# /home > net groupmap list
> > System Operators (S-1-5-32-549) -> -1
> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > Replicators (S-1-5-32-552) -> -1
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> > Guests (S-1-5-32-546) -> -1
> > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > Power Users (S-1-5-32-547) -> -1
> > Print Operators (S-1-5-32-550) -> -1
> > Administrators (S-1-5-32-544) -> -1
> > Account Operators (S-1-5-32-548) -> -1
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > Backup Operators (S-1-5-32-551) -> -1
> > Users (S-1-5-32-545) -> -1
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > mail# /home >
> >
> > > Maybe Domain Users is NOT to be mapped?
> > > Is it of any use mapping Domain Users and Users? I would say YES as I want to
> > > set permissions based on AD groups
>
> What version of Samba do you have?
>
> > For now, stop Samba, remove the group_mapping.tdb file, then remap your
> > groups. In the long run, I suggest you update to the latest release.
>
> - John T.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

Sorry... I forgot

I'm running Samba 3.0.14a

mail# /home > pkg_info | grep samba
samba-3.0.14a_1,1   A free SMB and CIFS client and server for UNIX

here is the smb.conf
[global]

        workgroup = dmsware
        netbios name = mail
        #os level = 20          # we will never be master or slave browser as we are on a firewalled net
        preferred master = no
        server string = mail.dmsware.it Samba Shares

        realm = dmsware.it
        security = ADS
        password server = orion.dmsware.it

        winbind cache time = 3600
        winbind use default domain = Yes
        winbind nested groups = Yes
        # -antares- winbind enum users = Yes
        # -antares- winbind enum groups = Yes

        allow trusted domains = Yes
        #idmap domains = DMSWARE
        idmap config DMSWARE:backend      = rid
        idmap config DMSWARE:base_rid     = 1000
        idmap config DMSWARE:range        = 10000 - 49999

        #idmap backend = idmap_rid:DMSWARE=1000-20000

        idmap gid = 10000-49999
        idmap uid = 10000-49999
        # -antares- winbind uid = 10000-20000
        # -antares- winbind gid = 10000-20000

        template homedir = /home/%U
        template shell = /bin/sh
        # -antares- template primary group = "Domain Users"
        syslog only = Yes
        # -antares- log file = /var/log/samba/log.%m

        encrypt passwords = yes

        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/pw groupdel %g
        add user script = /usr/sbin/pw useradd %u
        delete user script = /usr/sbin/pw userdel %u


My current configuration is

FreeBSD 	6
Samba 	3.0.14a
Dovecot 	1.0.0
postfix	2.3.5
cyrus-sasl	2.1.22	with saslAuth
openssl	0.9.7i 	stable

currently the system is serving as
authenticated SMTP/pop3
Webmail
File Server (samba is used both for authentication and file sharing) for
file retrieval from client ftp uploads

I'm not against patching... but as everything works fine... and the system is
critical...

Thanks for your time
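
An added example, not part of the original message: a small shell/awk check that reads net groupmap list output and reports every NT group name that appears under more than one SID, with how many of those entries are actually mapped to a unix group. The function names and the sample input (a subset of the second listing above) are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag NT group names that `net groupmap list` shows under
# more than one SID. Input format, as in the listing quoted in this message:
#   NT group name (SID) -> unix group        ("-1" means no mapping)

groupmap_audit() {
    awk '
    {
        # Locate " (S-...) -> "; the NT name before it may contain spaces.
        if (match($0, / \(S-[0-9-]+\) -> /) == 0) next
        name = substr($0, 1, RSTART - 1)
        rid  = substr($0, RSTART + 2, RLENGTH - 7)   # full SID
        sub(/.*-/, "", rid)                          # keep last component only
        ugrp = substr($0, RSTART + RLENGTH)
        if (!(name in sids)) order[++n] = name       # remember first-seen order
        sids[name]++
        if (ugrp != "-1") mapped[name]++
        detail[name] = detail[name] " " rid "=" ugrp
    }
    END {
        # One line per duplicated name: name|sids=N|mapped=M|rid=unixgroup ...
        for (i = 1; i <= n; i++) {
            name = order[i]
            if (sids[name] > 1)
                printf "%s|sids=%d|mapped=%d|%s\n", name, sids[name],
                       mapped[name] + 0, substr(detail[name], 2)
        }
    }'
}

# Constructed sample: a subset of the second listing quoted above.
sample_listing() {
    cat <<'EOF'
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
EOF
}

sample_listing | groupmap_audit
```

On a live server the same function can be fed directly: net groupmap list | groupmap_audit. A name reported with mapped=2 or more is the case to look at first, since permissions set by group name can then resolve to different unix groups.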



