R: R: [Samba] duplicate group in NET GROUPMAP LIST

John H Terpstra jht at samba.org
Thu May 3 00:27:51 GMT 2007


On Wednesday 02 May 2007 10:21, Gianluca Culot wrote:
> > -----Original Message-----
> > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > behalf of Gianluca Culot
> > Sent: Wednesday, 2 May 2007 15.09
> > To: samba at lists.samba.org
> > Subject: R: R: [Samba] duplicate group in NET GROUPMAP LIST
> >
> > > -----Original Message-----
> > > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > > behalf of John H Terpstra
> > > Sent: Wednesday, 2 May 2007 14.56
> > > To: samba at lists.samba.org
> > > Subject: Re: R: [Samba] duplicate group in NET GROUPMAP LIST
> > >
> > > On Wednesday 02 May 2007 07:40, Gianluca Culot wrote:
> > > > ...
> > > >
> > > > > > the strange fact is that Domain Users appears to have TWO sids
> > > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
> > > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
> > > > > >
> > > > > > The first appears to be correctly mapped to the local users group,
> > > > > > the latter has no mapping (-1)
> > > > > >
> > > > > > that to me appears really odd....
> > > > > >
> > > > > > Can somebody explain this old fact to me?
> > > > > >
> > > > > > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
> > > > > > perfectly and every user can authenticate correctly on every service with
> > > > > > his/her own AD domain user and password
> > > > > >
> > > > > > Any Hint?
> > > > > > PLEASE !?!
> > > > >
> > > > > Execute
> > > > > 	 net groupmap cleanup
> > > > >
> > > > > then reset your mappings.
> > > > >
> > > > > - John T.
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> > > >
> > > > Looks like
> > > > net groupmap cleanup
> > > > has no effect on my system
> > > >
> > > > here is the copy of action from my terminal
> > > >
> > > > mail# /home > net groupmap delete ntgroup="domain users"
> > > > Sucessfully removed domain users from the mapping db
> > > >
> > > > mail# /home > net groupmap list
> > > > System Operators (S-1-5-32-549) -> -1
> > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > > Replicators (S-1-5-32-552) -> -1
> > > > Guests (S-1-5-32-546) -> -1
> > > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > >
> > > > Power Users (S-1-5-32-547) -> -1
> > > > Print Operators (S-1-5-32-550) -> -1
> > > > Administrators (S-1-5-32-544) -> -1
> > > > Account Operators (S-1-5-32-548) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > > Backup Operators (S-1-5-32-551) -> -1
> > > > Users (S-1-5-32-545) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > >
> > > > mail# /home > net groupmap cleanup
> > > > Group Domain Guests is not mapped
> > > > Group Domain Users is not mapped
> > > > Group Domain Admins is not mapped
> > > >
> > > > mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> > > > No rid or sid specified, choosing algorithmic mapping
> > > > Successfully added group Domain Users to the mapping db
> > > >
> > > > mail# /home > net groupmap list
> > > > System Operators (S-1-5-32-549) -> -1
> > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > > Replicators (S-1-5-32-552) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> > > > Guests (S-1-5-32-546) -> -1
> > > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > >
> > > > Power Users (S-1-5-32-547) -> -1
> > > > Print Operators (S-1-5-32-550) -> -1
> > > > Administrators (S-1-5-32-544) -> -1
> > > > Account Operators (S-1-5-32-548) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > > Backup Operators (S-1-5-32-551) -> -1
> > > > Users (S-1-5-32-545) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > > mail# /home >
> > > >
> > > > Maybe Domain Users is NOT to be mapped?
> > > > Is it of any use mapping Domain Users and Users? I would say YES, as I want to
> > > > set permissions based on AD groups
> > >
> > > What version of Samba do you have?
> > >
> > > For now, stop Samba, remove the group_mapping.tdb file, then remap your
> > > groups. In the long run I suggest you update to the latest release.
> > >
> > > - John T.
> >
> > Sorry... I forgot
> >
> > I'm running Samba 3.0.14a
> >
> > mail# /home > pkg_info | grep samba
> > samba-3.0.14a_1,1   A free SMB and CIFS client and server for UNIX
> >
> > here is the smb.conf
> > [global]
> >
> >         workgroup = dmsware
> >         netbios name = mail
> >         #os level = 20          # we will never be master or slave browser as we are on a firewalled net
> >         preferred master = no
> >         server string = mail.dmsware.it Samba Shares
> >
> >         realm = dmsware.it
> >         security = ADS
> >         password server = orion.dmsware.it
> >
> >         winbind cache time = 3600
> >         winbind use default domain = Yes
> >         winbind nested groups = Yes
> >         # -antares- winbind enum users = Yes
> >         # -antares- winbind enum groups = Yes
> >
> >         allow trusted domains = Yes
> >         #idmap domains = DMSWARE
> >         idmap config DMSWARE:backend      = rid
> >         idmap config DMSWARE:base_rid     = 1000
> >         idmap config DMSWARE:range        = 10000 - 49999
> >
> >         #idmap backend = idmap_rid:DMSWARE=1000-20000
> >
> >         idmap gid = 10000-49999
> >         idmap uid = 10000-49999
> >         # -antares- winbind uid = 10000-20000
> >         # -antares- winbind gid = 10000-20000
> >
> >         template homedir = /home/%U
> >         template shell = /bin/sh
> >         # -antares- template primary group = "Domain Users"
> >         syslog only = Yes
> >         # -antares- log file = /var/log/samba/log.%m
> >
> >         encrypt passwords = yes
> >
> >         add group script = /usr/sbin/groupadd %g
> >         delete group script = /usr/sbin/pw groupdel %g
> >         add user script = /usr/sbin/pw useradd %u
> >         delete user script = /usr/sbin/pw userdel %u
> >
> >
> > My current configuration is
> >
> > FreeBsd 	6
> > Samba 	3.0.14a
> > Dovecot 	1.0.0
> > postfix	2.3.5
> > cyrus-sasl	2.1.22	with saslAuth
> > openssl	0.9.7i 	stable
> >
> > currently the system is serving as
> > authenticated SMTP/pop3
> > Webmail
> > File Server (samba is both used for authentication and file sharing) for
> > file-retrieval from client ftp uploads
> >
> > I'm not against patching... but as everything works fine... and the system is
> > critical...
> >
> > Thanks for your time
> >
> >
>
> After some analysis
>
> it looks like Samba is not going to resolve / map groups from SID 512 to 999;
> manual mapping (net groupmap add) causes a sort of duplication
> I mean
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> is not mapped
>
> but if I issue
> net groupmap add ntgroup="Domain Users" unixgroup="users" type=d
>
> this results in
>
> net groupmap list
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
>
> looks like Samba created another Domain Users group in AD.
> Yet... no other group is created
> and trying to resolve the given SID results in error
>
> wbinfo -S S-1-5-21-531635747-2076120898-3807014553-2801
> Could not convert sid S-1-5-21-531635747-2076120898-3807014553-2801 to uid
>
> Am I missing something... ???

Yes - you are!

Do NOT add a second NT Group - ever!  The "net groupmap modify" was 
introduced in one of the recent releases. Suggest you update if you can.

Delete the group_mapping.tdb again, and this time MODIFY the group that is 
created by 3.0.14 as follows:

net groupmap modify ntgroup="Domain Users" unixgroup="users"

- John T.
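As an added example (not from the thread or from the Samba project), the POSIX shell script below audits a `net groupmap list` dump for the two symptoms discussed above: the same NT group name appearing under more than one SID (the "second Domain Users" that `net groupmap add` created), and well-known domain or BUILTIN groups still unmapped (`-> -1`). For each unmapped well-known domain group whose name also exists as an extra entry mapped to a named unix group, it prints the `net groupmap modify` line that John T. recommends, keeping the real SID (513, 512, 514) and attaching the unix group to it. The sample listing embedded in `SAMPLE_GROUPMAP` is constructed from the output Gianluca posted; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit a `net groupmap list` dump.
# SAMPLE_GROUPMAP is constructed from the listing posted earlier in the thread;
# on a live system you would feed it `net groupmap list` output instead.

SAMPLE_GROUPMAP='System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
Replicators (S-1-5-32-552) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Guests (S-1-5-32-546) -> -1
BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1'

# Strip "(SID) -> target" from each listing line, leaving only the NT group name.
ntgroup_names() {
    printf '%s\n' "$1" | sed 's/ (S-1-5-[0-9-]*) -> .*$//'
}

# NT group names that occur under more than one SID, one per line, sorted.
# A second entry for a well-known name is the "net groupmap add" mistake.
duplicate_ntgroups() {
    ntgroup_names "$1" | LC_ALL=C sort | uniq -d
}

# "name rid" for well-known groups that still have no unix mapping (-> -1):
# domain RIDs 512/513/514 (Domain Admins/Users/Guests) and BUILTIN aliases
# (S-1-5-32-*). Any output here means access decisions on those groups will
# not work until they are mapped.
unmapped_wellknown() {
    printf '%s\n' "$1" |
    LC_ALL=C awk -F' -> ' '$2 == "-1" {
        name = $1; sub(/ \(S-1-5-.*$/, "", name)
        sid = $1;  sub(/^.*\(/, "", sid); sub(/\)$/, "", sid)
        n = split(sid, p, "-"); rid = p[n]
        if (rid == 512 || rid == 513 || rid == 514 || sid ~ /^S-1-5-32-/)
            print name, rid
    }'
}

# For each unmapped 512-514 group whose name also appears as an extra entry
# mapped to a *named* unix group, print the modify command that attaches that
# unix group to the genuine SID (the fix recommended in the thread). Numeric
# targets such as "-> 1000" are ignored: they are stale algorithmic mappings.
suggest_modify() {
    printf '%s\n' "$1" |
    LC_ALL=C awk -F' -> ' '
        {
            name = $1; sub(/ \(S-1-5-.*$/, "", name)
            sid = $1;  sub(/^.*\(/, "", sid); sub(/\)$/, "", sid)
            n = split(sid, p, "-"); rid = p[n]
            if ($2 == "-1") {
                if (rid >= 512 && rid <= 514) unmapped[name] = sid
            } else if ($2 !~ /^[0-9]+$/ && !(name in target)) {
                target[name] = $2
            }
        }
        END {
            for (name in unmapped)
                if (name in target)
                    printf "net groupmap modify ntgroup=\"%s\" unixgroup=\"%s\"\n", name, target[name]
        }' | LC_ALL=C sort
}

# Stand-alone run: print the three reports for the constructed sample.
report() {
    echo "== NT group names listed under more than one SID =="
    duplicate_ntgroups "$1"
    echo "== well-known groups still unmapped (-1) =="
    unmapped_wellknown "$1"
    echo "== suggested fixes (run after removing the duplicate entries) =="
    suggest_modify "$1"
}

report "$SAMPLE_GROUPMAP"
```

On a live server replace the constructed sample with `net groupmap list` output, e.g. `report "$(net groupmap list)"`. The script only reads the listing and prints suggestions; it deliberately does not run `net groupmap modify` itself, so the commands can be reviewed against the group_mapping.tdb reset John T. describes before anything is changed.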

