R: R: R: [Samba] duplicate group in NET GROUPMAP LIST (almost solved)

Gianluca Culot gianlucaculot at dmsware.com
Fri May 4 08:05:13 GMT 2007


> -----Original Message-----
> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> behalf of John H Terpstra
> Sent: Thursday 3 May 2007 2.28
> To: samba at lists.samba.org
> Subject: Re: R: R: [Samba] duplicate group in NET GROUPMAP LIST
>
>
> On Wednesday 02 May 2007 10:21, Gianluca Culot wrote:
> > > -----Original Message-----
> > > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > > behalf of Gianluca Culot
> > > Sent: Wednesday 2 May 2007 15.09
> > > To: samba at lists.samba.org
> > > Subject: R: R: [Samba] duplicate group in NET GROUPMAP LIST
> > >
> > > > -----Original Message-----
> > > > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > > > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > > > behalf of John H Terpstra
> > > > Sent: Wednesday 2 May 2007 14.56
> > > > To: samba at lists.samba.org
> > > > Subject: Re: R: [Samba] duplicate group in NET GROUPMAP LIST
> > > >
> > > > On Wednesday 02 May 2007 07:40, Gianluca Culot wrote:
> > > > > ...
> > > > >
> > > > > > > the strange fact is the Domain Users appear to have TWO sids
> > > > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
> > > > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
> > > > > > >
> > > > > > > The first appears to be correctly mapped to the local users group
> > > > > > > the latter has no mapping (-1)
> > > > > > >
> > > > > > > that to me appears really odd....
> > > > > > >
> > > > > > > Can somebody explain this old fact to me?
> > > > > > >
> > > > > > > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
> > > > > > > perfectly and every user can authenticate correctly on every service with
> > > > > > > his/her own AD domain user and password
> > > > > > >
> > > > > > > Any Hint?
> > > > > > > PLEASE !?!
> > > > > >
> > > > > > Execute
> > > > > > 	 net groupmap cleanup
> > > > > >
> > > > > > then reset your mappings.
> > > > > >
> > > > > > - John T.
> > > > > > --
> > > > > > To unsubscribe from this list go to the following URL and read the
> > > > > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> > > > >
> > > > > Looks like
> > > > > net groupmap cleanup
> > > > > has no effect on my system
> > > > >
> > > > > here is the copy of action from my terminal
> > > > >
> > > > > mail# /home > net groupmap delete ntgroup="domain users"
> > > > > Sucessfully removed domain users from the mapping db
> > > > >
> > > > > mail# /home > net groupmap list
> > > > > System Operators (S-1-5-32-549) -> -1
> > > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > > > Replicators (S-1-5-32-552) -> -1
> > > > > Guests (S-1-5-32-546) -> -1
> > > > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > > > > Power Users (S-1-5-32-547) -> -1
> > > > > Print Operators (S-1-5-32-550) -> -1
> > > > > Administrators (S-1-5-32-544) -> -1
> > > > > Account Operators (S-1-5-32-548) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > > > Backup Operators (S-1-5-32-551) -> -1
> > > > > Users (S-1-5-32-545) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > > >
> > > > > mail# /home > net groupmap cleanup
> > > > > Group Domain Guests is not mapped
> > > > > Group Domain Users is not mapped
> > > > > Group Domain Admins is not mapped
> > > > >
> > > > > mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> > > > > No rid or sid specified, choosing algorithmic mapping
> > > > > Successfully added group Domain Users to the mapping db
> > > > >
> > > > > mail# /home > net groupmap list
> > > > > System Operators (S-1-5-32-549) -> -1
> > > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > > > Replicators (S-1-5-32-552) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> > > > > Guests (S-1-5-32-546) -> -1
> > > > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > > > > Power Users (S-1-5-32-547) -> -1
> > > > > Print Operators (S-1-5-32-550) -> -1
> > > > > Administrators (S-1-5-32-544) -> -1
> > > > > Account Operators (S-1-5-32-548) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > > > Backup Operators (S-1-5-32-551) -> -1
> > > > > Users (S-1-5-32-545) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > > > mail# /home >
> > > > >
> > > > > Maybe Domain Users is NOT to be mapped?
> > > > > Is it of any use mapping Domain Users and Users? I would say YES as I want to
> > > > > set permissions based on AD groups
> > > >
> > > > What version of Samba do you have?
> > > >
> > > > For now, stop Samba, remove the group_mapping.tdb file, then remap your
> > > > groups. In the long run I suggest you update to the latest release.
> > > >
> > > > - John T.
> > >
> > > Sorry... I forgot
> > >
> > > I'm running Samba 3.0.14a
> > >
> > > mail# /home > pkg_info | grep samba
> > > samba-3.0.14a_1,1   A free SMB and CIFS client and server for UNIX
> > >
> > > here is the smb.conf
> > > [global]
> > >
> > >         workgroup = dmsware
> > >         netbios name = mail
> > >         #os level = 20          # we will never be master or slave browser as we are on a firewalled net
> > >         preferred master = no
> > >         server string = mail.dmsware.it Samba Shares
> > >
> > >         realm = dmsware.it
> > >         security = ADS
> > >         password server = orion.dmsware.it
> > >
> > >         winbind cache time = 3600
> > >         winbind use default domain = Yes
> > >         winbind nested groups = Yes
> > >         # -antares- winbind enum users = Yes
> > >         # -antares- winbind enum groups = Yes
> > >
> > >         allow trusted domains = Yes
> > >         #idmap domains = DMSWARE
> > >         idmap config DMSWARE:backend      = rid
> > >         idmap config DMSWARE:base_rid     = 1000
> > >         idmap config DMSWARE:range        = 10000 - 49999
> > >
> > >         #idmap backend = idmap_rid:DMSWARE=1000-20000
> > >
> > >         idmap gid = 10000-49999
> > >         idmap uid = 10000-49999
> > >         # -antares- winbind uid = 10000-20000
> > >         # -antares- winbind gid = 10000-20000
> > >
> > >         template homedir = /home/%U
> > >         template shell = /bin/sh
> > >         # -antares- template primary group = "Domain Users"
> > >         syslog only = Yes
> > >         # -antares- log file = /var/log/samba/log.%m
> > >
> > >         encrypt passwords = yes
> > >
> > >         add group script = /usr/sbin/groupadd %g
> > >         delete group script = /usr/sbin/pw groupdel %g
> > >         add user script = /usr/sbin/pw useradd %u
> > >         delete user script = /usr/sbin/pw userdel %u
> > >
> > >
> > > My current configuration is
> > >
> > > FreeBsd 	6
> > > Samba 	3.0.14a
> > > Dovecot 	1.0.0
> > > postfix	2.3.5
> > > cyrus-sasl	2.1.22	with saslAuth
> > > openssl	0.9.7i 	stable
> > >
> > > currently the system is serving as
> > > authenticated SMTP/pop3
> > > Webmail
> > > File Server (samba is both used for authentication and file sharing) for
> > > file retrieval from client ftp uploads
> > >
> > > I'm not against patching... but as everything works fine... and the
> > > system is critical...
> > >
> > > Thanks for your time
> > >
> > >
> >
> > After some analysis
> >
> > it looks like Samba is not going to resolve / map groups from SID 512 to 999;
> > manual mapping (net groupmap add) causes a sort of duplication.
> > I mean
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > is not mapped
> >
> > but if I issue
> > net groupmap add ntgroup="Domain Users" unixgroup="users" type=d
> >
> > this results in
> >
> > net groupmap list
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> >
> > looks like Samba created another Domain Users group in AD.
> > Yet... no other group is created
> > and trying to resolve the given SID results in error
> >
> > wbinfo -S S-1-5-21-531635747-2076120898-3807014553-2801
> > Could not convert sid S-1-5-21-531635747-2076120898-3807014553-2801 to uid
> >
> > Am I missing something... ???
>
> Yes - you are!
>
> Do NOT add a second NT Group - ever!  The "net groupmap modify" was
> introduced in one of the recent releases. Suggest you update if you can.
>
> Delete the group_mapping.tdb again, and this time MODIFY the group that is
> created by 3.0.14 as follows:
>
> net groupmap modify ntgroup="Domain Users" unixgroup="users"
>
> - John T.
>

As I expected, upgrading is not as easy as
portupgrade samba
;D

the actual problem should be this

3.0.14 is not able to read BUILTIN groups in AD correctly:
every group under 1000 (hexadecimal) appears to be misplaced and NOT
imported.
Every group manually created by the administrator in AD looks to be imported and
bound to a Unix group

This is why I tried net groupmap ADD

upgrading to Samba 3.0.24.1 (which looks to be the last available port for
FreeBSD) should solve the problem. Yet the group IDs are somehow reset....
and every user LOSES access to their own mail folder

and That's bad

I'm still running 3.0.14 until Saturday, when I'll try to reinstall and
upgrade samba correctly, and when I'll reassign all folder groups and owner
permissions.

Thanks for your help
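As an added example (not from the thread, and not Samba's own code), a small Python checker that parses `net groupmap list` output like the listings quoted above, reports NT group names present under more than one SID, lists well-known domain RIDs still mapped to -1, and applies the idmap_rid arithmetic for the base_rid and range in the smb.conf above. The formula id = rid - base_rid + low is my understanding of the rid backend and is stated as an assumption; the sample listing is constructed from the thread.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the `net groupmap list` output quoted in the thread.
SAMPLE = """\
mail# /home > net groupmap list
Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
"""

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Turn `net groupmap list` lines into dicts; the RID is the last SID component."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # shell prompt, blank line, or wrapped fragment
        sid = m.group("sid")
        entries.append({"name": m.group("name"), "sid": sid,
                        "rid": int(sid.rsplit("-", 1)[1]),
                        "builtin": sid.startswith("S-1-5-32-"),
                        "unix": m.group("unix")})
    return entries

def duplicate_names(entries):
    """NT group names present under more than one SID (the thread's symptom)."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e["sid"])
    return {n: sids for n, sids in by_name.items() if len(sids) > 1}

def unmapped_well_known(entries):
    """Domain (non-BUILTIN) groups with a well-known RID below 1000 still mapped to -1."""
    return [e for e in entries
            if not e["builtin"] and e["rid"] < 1000 and e["unix"] == "-1"]

def rid_to_unix_id(rid, base_rid=1000, low=10000, high=49999):
    """Assumed idmap_rid arithmetic: id = rid - base_rid + low, valid only inside
    [low, high]. Defaults follow the idmap config DMSWARE lines in the smb.conf above."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None
```

Run against a real listing, a non-empty duplicate_names() result is the condition John warns about; a well-known RID that idmap_rid cannot place in range explains why such groups show -1 with this configuration.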



