R: R: R: [Samba] duplicate group in NET GROUPMAP LIST

Gianluca Culot gianlucaculot at dmsware.com
Sat May 5 16:12:22 GMT 2007


> -----Original message-----
> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> behalf of John H Terpstra
> Sent: Thursday 3 May 2007 2.28
> To: samba at lists.samba.org
> Subject: Re: R: R: [Samba] duplicate group in NET GROUPMAP LIST
>
>
> On Wednesday 02 May 2007 10:21, Gianluca Culot wrote:
> > > -----Original message-----
> > > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > > behalf of Gianluca Culot
> > > Sent: Wednesday 2 May 2007 15.09
> > > To: samba at lists.samba.org
> > > Subject: R: R: [Samba] duplicate group in NET GROUPMAP LIST
> > >
> > > > -----Original message-----
> > > > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > > > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > > > behalf of John H Terpstra
> > > > Sent: Wednesday 2 May 2007 14.56
> > > > To: samba at lists.samba.org
> > > > Subject: Re: R: [Samba] duplicate group in NET GROUPMAP LIST
> > > >
> > > > On Wednesday 02 May 2007 07:40, Gianluca Culot wrote:
> > > > > ...
> > > > >
> > > > > > > the strange fact is that Domain Users appears to have TWO SIDs
> > > > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
> > > > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
> > > > > > >
> > > > > > > The first appears to be correctly mapped to the local users group,
> > > > > > > the latter has no mapping (-1)
> > > > > > >
> > > > > > > that to me appears really odd....
> > > > > > >
> > > > > > > Can somebody explain this odd fact to me?
> > > > > > >
> > > > > > > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
> > > > > > > perfectly and every user can authenticate correctly on every service with
> > > > > > > his/her own AD domain user and password
> > > > > > >
> > > > > > > Any Hint?
> > > > > > > PLEASE !?!
> > > > > >
> > > > > > Execute
> > > > > > 	 net groupmap cleanup
> > > > > >
> > > > > > then reset your mappings.
> > > > > >
> > > > > > - John T.
> > > > > > --
> > > > > > To unsubscribe from this list go to the following URL and read the
> > > > > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> > > > >
> > > > > Looks like
> > > > > net groupmap cleanup
> > > > > has no effect on my system
> > > > >
> > > > > here is the copy of action from my terminal
> > > > >
> > > > > mail# /home > net groupmap delete ntgroup="domain users"
> > > > > Sucessfully removed domain users from the mapping db
> > > > >
> > > > > mail# /home > net groupmap list
> > > > > System Operators (S-1-5-32-549) -> -1
> > > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > > > Replicators (S-1-5-32-552) -> -1
> > > > > Guests (S-1-5-32-546) -> -1
> > > > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > > > > Power Users (S-1-5-32-547) -> -1
> > > > > Print Operators (S-1-5-32-550) -> -1
> > > > > Administrators (S-1-5-32-544) -> -1
> > > > > Account Operators (S-1-5-32-548) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > > > Backup Operators (S-1-5-32-551) -> -1
> > > > > Users (S-1-5-32-545) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > > >
> > > > > mail# /home > net groupmap cleanup
> > > > > Group Domain Guests is not mapped
> > > > > Group Domain Users is not mapped
> > > > > Group Domain Admins is not mapped
> > > > >
> > > > > mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> > > > > No rid or sid specified, choosing algorithmic mapping
> > > > > Successfully added group Domain Users to the mapping db
> > > > >
> > > > > mail# /home > net groupmap list
> > > > > System Operators (S-1-5-32-549) -> -1
> > > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > > > Replicators (S-1-5-32-552) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> > > > > Guests (S-1-5-32-546) -> -1
> > > > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > > > > Power Users (S-1-5-32-547) -> -1
> > > > > Print Operators (S-1-5-32-550) -> -1
> > > > > Administrators (S-1-5-32-544) -> -1
> > > > > Account Operators (S-1-5-32-548) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > > > Backup Operators (S-1-5-32-551) -> -1
> > > > > Users (S-1-5-32-545) -> -1
> > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > > > mail# /home >
> > > > >
> > > > > Maybe Domain Users is NOT to be mapped?
> > > > > Is it of any use mapping Domain Users and Users? I would say YES, as I want to
> > > > > set permissions based on AD groups
> > > >
> > > > What version of Samba do you have?
> > > >
> > > > For now, stop Samba, remove the group_mapping.tdb file, then remap your
> > > > groups. In the long run suggest you update to the latest release.
> > > >
> > > > - John T.
> > >
> > > Sorry... I forgot
> > >
> > > I'm running Samba 3.0.14a
> > >
> > > mail# /home > pkg_info | grep samba
> > > samba-3.0.14a_1,1   A free SMB and CIFS client and server for UNIX
> > >
> > > here is the smb.conf
> > > [global]
> > >
> > >         workgroup = dmsware
> > >         netbios name = mail
> > >         #os level = 20          # we will never be master or slave browser as we are on a firewalled net
> > >         preferred master = no
> > >         server string = mail.dmsware.it Samba Shares
> > >
> > >         realm = dmsware.it
> > >         security = ADS
> > >         password server = orion.dmsware.it
> > >
> > >         winbind cache time = 3600
> > >         winbind use default domain = Yes
> > >         winbind nested groups = Yes
> > >         # -antares- winbind enum users = Yes
> > >         # -antares- winbind enum groups = Yes
> > >
> > >         allow trusted domains = Yes
> > >         #idmap domains = DMSWARE
> > >         idmap config DMSWARE:backend      = rid
> > >         idmap config DMSWARE:base_rid     = 1000
> > >         idmap config DMSWARE:range        = 10000 - 49999
> > >
> > >         #idmap backend = idmap_rid:DMSWARE=1000-20000
> > >
> > >         idmap gid = 10000-49999
> > >         idmap uid = 10000-49999
> > >         # -antares- winbind uid = 10000-20000
> > >         # -antares- winbind gid = 10000-20000
> > >
> > >         template homedir = /home/%U
> > >         template shell = /bin/sh
> > >         # -antares- template primary group = "Domain Users"
> > >         syslog only = Yes
> > >         # -antares- log file = /var/log/samba/log.%m
> > >
> > >         encrypt passwords = yes
> > >
> > >         add group script = /usr/sbin/groupadd %g
> > >         delete group script = /usr/sbin/pw groupdel %g
> > >         add user script = /usr/sbin/pw useradd %u
> > >         delete user script = /usr/sbin/pw userdel %u
> > >
> > >
> > > My current configuration is
> > >
> > > FreeBSD 	6
> > > Samba 	3.0.14a
> > > Dovecot 	1.0.0
> > > postfix	2.3.5
> > > cyrus-sasl	2.1.22	with saslAuth
> > > openssl	0.9.7i 	stable
> > >
> > > currently the system is serving as
> > > authenticated SMTP/pop3
> > > Webmail
> > > File Server (Samba is used both for authentication and file sharing) for
> > > file retrieval from client ftp uploads
> > >
> > > I'm not against patching... but as everything works fine... and the
> > > system is critical...
> > >
> > > Thanks for your time
> > >
> > >
> >
> > After some analysis
> >
> > it looks like Samba is not going to resolve / map groups from SID 512 to 999
> > manual mapping (net groupmap add) causes a sort of duplication
> > I mean
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > is not mapped
> >
> > but if I issue
> > net groupmap add ntgroup="Domain Users" unixgroup="users" type=d
> >
> > this results in
> >
> > net groupmap list
> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> >
> > looks like Samba created another Domain Users group in AD.
> > Yet... no other group is created
> > and trying to resolve the given SID results in error
> >
> > wbinfo -S S-1-5-21-531635747-2076120898-3807014553-2801
> > Could not convert sid S-1-5-21-531635747-2076120898-3807014553-2801 to uid
> >
> > Am I missing something... ???
>
> Yes - you are!
>
> Do NOT add a second NT Group - ever!  The "net groupmap modify" was
> introduced in one of the recent releases. Suggest you update if you can.
>
> Delete the group_mapping.tdb again, and this time MODIFY the group that is
> created by 3.0.14 as follows:
>
> net groupmap modify ntgroup="Domain Users" unixgroup="users"
>
> - John T.
>

I'm running portupgrade... and it looks like Samba 3.0.24.1 now resolves domain
groups correctly
no need to run net groupmap modify...

BUT
if I list a directory with files owned by Domain Users I see IDs AND DO NOT
SEE the names of the group and user owner
drwxrwxrwx   3 1500           1513           512 Apr 20 18:14 administrator
drwxrwxrwx   3 2149           1513           512 Apr  4 18:06 user1
drwxrwxrwx   3 2119           1513           512 Apr  4 18:07 user2

with Samba 3.0.14d
drwxrwxrwx   3 root           wheel          512 Apr 20 18:14 administrator
drwxrwxrwx   3 user1          Domain Users   512 Apr  4 18:06 user1
drwxrwxrwx   3 user2          Domain Users   512 Apr  4 18:07 user2

Samba is started correctly and I have NO error in any log
Every server authenticates correctly ! ! !

Any Hint ?



