R: R: [Samba] duplicate group in NET GROUPMAP LIST
Gianluca Culot
gianlucaculot at dmsware.com
Wed May 2 15:21:27 GMT 2007
> -----Original Message-----
> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> behalf of Gianluca Culot
> Sent: Wednesday 2 May 2007 15.09
> To: samba at lists.samba.org
> Subject: R: R: [Samba] duplicate group in NET GROUPMAP LIST
>
> > -----Original Message-----
> > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > behalf of John H Terpstra
> > Sent: Wednesday 2 May 2007 14.56
> > To: samba at lists.samba.org
> > Subject: Re: R: [Samba] duplicate group in NET GROUPMAP LIST
> >
> >
> > On Wednesday 02 May 2007 07:40, Gianluca Culot wrote:
> > > ...
> > > > > the strange fact is the Domain Users appear to have a TWO sids
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
> > > > >
> > > > > The first appear to be correctly mapped to the local users group
> > > > > the latter has no mapping (-1)
> > > > >
> > > > > that to me appears really odd....
> > > > >
> > > > > Can somebody explain this odd fact to me?
> > > > >
> > > > > My actual Samba server (with smtp, pop3, winbind, sshd, apache21)
> > > > > works perfectly and every user can authenticate correctly on every
> > > > > service with his/her own AD domain user and password
> > > > >
> > > > > Any Hint?
> > > > > PLEASE !?!
> > > >
> > > > Execute
> > > > net groupmap cleanup
> > > >
> > > > then reset your mappings.
> > > >
> > > > - John T.
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions: https://lists.samba.org/mailman/listinfo/samba
> > >
> > > Looks like
> > > net groupmap cleanup
> > > has no effect on my system
> > >
> > > here is a copy of the actions from my terminal
> > >
> > > mail# /home > net groupmap delete ntgroup="domain users"
> > > Sucessfully removed domain users from the mapping db
> > >
> > > mail# /home > net groupmap list
> > > System Operators (S-1-5-32-549) -> -1
> > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > Replicators (S-1-5-32-552) -> -1
> > > Guests (S-1-5-32-546) -> -1
> > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > > Power Users (S-1-5-32-547) -> -1
> > > Print Operators (S-1-5-32-550) -> -1
> > > Administrators (S-1-5-32-544) -> -1
> > > Account Operators (S-1-5-32-548) -> -1
> > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > Backup Operators (S-1-5-32-551) -> -1
> > > Users (S-1-5-32-545) -> -1
> > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > >
> > > mail# /home > net groupmap cleanup
> > > Group Domain Guests is not mapped
> > > Group Domain Users is not mapped
> > > Group Domain Admins is not mapped
> > >
> > > mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> > > No rid or sid specified, choosing algorithmic mapping
> > > Successfully added group Domain Users to the mapping db
> > >
> > > mail# /home > net groupmap list
> > > System Operators (S-1-5-32-549) -> -1
> > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > Replicators (S-1-5-32-552) -> -1
> > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> > > Guests (S-1-5-32-546) -> -1
> > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > > Power Users (S-1-5-32-547) -> -1
> > > Print Operators (S-1-5-32-550) -> -1
> > > Administrators (S-1-5-32-544) -> -1
> > > Account Operators (S-1-5-32-548) -> -1
> > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > Backup Operators (S-1-5-32-551) -> -1
> > > Users (S-1-5-32-545) -> -1
> > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > mail# /home >
> > >
> > > Maybe Domain Users is NOT to be mapped?
> > > Is it of any use mapping Domain Users and Users? I would say YES,
> > > as I want to set permissions based on AD groups
> >
> > What version of Samba do you have?
> >
> > For now, stop Samba, remove the group_mapping.tdb file, then remap your
> > groups. In the long run I suggest you update to the latest release.
> >
> > - John T.
> >
>
> Sorry... I forgot
>
> I'm running Samba 3.0.14a
>
> mail# /home > pkg_info | grep samba
> samba-3.0.14a_1,1 A free SMB and CIFS client and server for UNIX
>
> here is the smb.conf
> [global]
>
> workgroup = dmsware
> netbios name = mail
> #os level = 20 # we will never be master or slave browser as we are on a firewalled net
> preferred master = no
> server string = mail.dmsware.it Samba Shares
>
> realm = dmsware.it
> security = ADS
> password server = orion.dmsware.it
>
> winbind cache time = 3600
> winbind use default domain = Yes
> winbind nested groups = Yes
> # -antares- winbind enum users = Yes
> # -antares- winbind enum groups = Yes
>
> allow trusted domains = Yes
> #idmap domains = DMSWARE
> idmap config DMSWARE:backend = rid
> idmap config DMSWARE:base_rid = 1000
> idmap config DMSWARE:range = 10000 - 49999
>
> #idmap backend = idmap_rid:DMSWARE=1000-20000
>
> idmap gid = 10000-49999
> idmap uid = 10000-49999
> # -antares- winbind uid = 10000-20000
> # -antares- winbind gid = 10000-20000
>
> template homedir = /home/%U
> template shell = /bin/sh
> # -antares- template primary group = "Domain Users"
> syslog only = Yes
> # -antares- log file = /var/log/samba/log.%m
>
> encrypt passwords = yes
>
> add group script = /usr/sbin/groupadd %g
> delete group script = /usr/sbin/pw groupdel %g
> add user script = /usr/sbin/pw useradd %u
> delete user script = /usr/sbin/pw userdel %u
>
>
> My current configuration is
>
> FreeBSD 6
> Samba 3.0.14a
> Dovecot 1.0.0
> postfix 2.3.5
> cyrus-sasl 2.1.22 with saslAuth
> openssl 0.9.7i stable
>
> currently the system is serving as
> authenticated SMTP/pop3
> Webmail
> File Server (samba is both used for authentication and file sharing) for
> file-retrieval from client ftp uploads
>
> I'm not against patching... but as everything works fine... and the system is
> critical...
>
> Thanks for your time
>
>
>
After some analysis
it looks like Samba is not going to resolve / map groups from SID 512 to 999
manual mapping (net groupmap add) causes a sort of duplication
I mean
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
is not mapped
but if I issue
net groupmap add ntgroup="Domain Users" unixgroup="users" type=d
this results in
net groupmap list
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
looks like Samba created another Domain Users group in AD.
Yet... no other group is created
and trying to resolve the given SID results in an error
wbinfo -S S-1-5-21-531635747-2076120898-3807014553-2801
Could not convert sid S-1-5-21-531635747-2076120898-3807014553-2801 to uid
Am I missing something... ???
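A diagnostic for the state shown in this thread, added here as an example; it is not part of the original mail and not Samba's own tooling. It parses `net groupmap list` output (the listing from the thread, copied below with its wrapped lines rejoined), reconstructs the RID that Samba 3 assigns when `net groupmap add` is run without `rid=` or `sid=` and prints "choosing algorithmic mapping" (group RID = gid * 2 + 1001 with the default algorithmic rid base of 1000; the listing itself confirms it: gid 500 -> 2001, gid 1000 -> 3001, wheel -> 1001, nobody -> 132069), and flags the well-known RIDs 512/513/514 that remain at -1. The `rid=`/`sid=` arguments of `net groupmap add` and `sid=` of `net groupmap delete` are documented options of `net`; the `suggested_fix` function, its output shape and the `<unix group>` placeholder are this example's own.

```python
import re
from collections import defaultdict

# When `net groupmap add` gets neither rid= nor sid=, Samba 3 derives the RID
# from the Unix gid:  group RID = gid * 2 + algorithmic_rid_base + 1
# (base defaults to 1000). The thread's listing shows exactly that:
# gid 500 -> 2001, gid 1000 -> 3001, wheel (gid 0) -> 1001, nobody (65534) -> 132069.
ALGORITHMIC_RID_BASE = 1000

# RIDs fixed by the Windows domain model. A mapping for one of these groups
# must carry this RID under the domain SID; no gid produces it algorithmically
# because (513 - 1001) / 2 is not a valid gid.
WELL_KNOWN_DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# One line of `net groupmap list`:  <name> (<SID>) -> <unix group, gid, or -1>
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>.+)$")

# Listing copied from the thread (taken after the add without rid=).
SAMPLE_LISTING = """\
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
Replicators (S-1-5-32-552) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Guests (S-1-5-32-546) -> -1
BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
"""


def gid_to_algorithmic_rid(gid, base=ALGORITHMIC_RID_BASE):
    """RID Samba assigns to a group mapping created without rid=/sid=."""
    return gid * 2 + base + 1


def algorithmic_rid_to_gid(rid, base=ALGORITHMIC_RID_BASE):
    """Inverse of the above; None when rid cannot be an algorithmic group RID."""
    if rid < base + 1 or (rid - base) % 2 != 1:
        return None
    return (rid - base - 1) // 2


def parse_groupmap_list(text):
    """Turn `net groupmap list` output into dicts: name, sid, domain, rid, unix."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised groupmap line: {line!r}")
        sid = m.group("sid")
        domain, rid = sid.rsplit("-", 1)
        entries.append({"name": m.group("name"), "sid": sid, "domain": domain,
                        "rid": int(rid), "unix": m.group("unix")})
    return entries


def audit_groupmap(entries, base=ALGORITHMIC_RID_BASE):
    """Report duplicate names, unmapped well-known RIDs and algorithmic look-alikes."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e["rid"])
    duplicates = {n: sorted(r) for n, r in by_name.items() if len(r) > 1}

    unmapped_well_known = [e["rid"] for e in entries
                           if e["rid"] in WELL_KNOWN_DOMAIN_RIDS and e["unix"] == "-1"]

    # A well-known group name whose RID decodes to a gid is a local mapping made
    # without rid=; it shadows the real domain group instead of mapping it, and
    # its SID is one the domain controller never issued.
    shadows = [(e["name"], e["rid"], algorithmic_rid_to_gid(e["rid"], base))
               for e in entries
               if e["name"] in WELL_KNOWN_DOMAIN_RIDS.values()
               and algorithmic_rid_to_gid(e["rid"], base) is not None]

    return {"duplicates": duplicates, "unmapped_well_known": unmapped_well_known,
            "shadows": shadows}


def suggested_fix(entries):
    """Commands (this example's own suggestion) that retire each look-alike and map
    the well-known RID instead; the unix group is reused from a same-named
    look-alike when that is unambiguous, otherwise a placeholder is left."""
    report = audit_groupmap(entries)
    shadow_keys = {(n, r) for n, r, _ in report["shadows"]}
    cmds = [f"net groupmap delete sid={e['sid']}"
            for e in entries if (e["name"], e["rid"]) in shadow_keys]
    for rid in report["unmapped_well_known"]:
        name = WELL_KNOWN_DOMAIN_RIDS[rid]
        named = {e["unix"] for e in entries
                 if e["name"] == name and e["rid"] != rid
                 and not e["unix"].lstrip("-").isdigit()}
        unix = named.pop() if len(named) == 1 else "<unix group>"  # placeholder
        cmds.append(f'net groupmap add rid={rid} ntgroup="{name}" unixgroup={unix} type=d')
    return cmds


if __name__ == "__main__":
    parsed = parse_groupmap_list(SAMPLE_LISTING)
    for key, value in audit_groupmap(parsed).items():
        print(f"{key}: {value}")
    print("\n".join(suggested_fix(parsed)))
```

Run against the listing above it reports three duplicated names, the unmapped RIDs 514, 513 and 512, and four look-alikes (2801 decodes to gid 900, 3001 to 1000, 1001 to wheel, 132069 to nobody), which is why the entry at RID 2801 is a mapping-database artefact rather than a second Domain Users group in AD. The `suggested_fix` output is a starting point to review, not something to paste blindly: as John T. notes above, on an old release removing group_mapping.tdb and remapping with explicit `rid=` values is the simpler route.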