[Samba] Samba 3.0.22 error with domain accounts

Carlos Rivera-Jones carlos at sinu.com
Mon May 21 17:58:24 GMT 2007

As a suggestion, do not publish your SIDs on the web. If any of us
wanted to, we would be able to hack into your network quite easily.


Gaiseric Vandal
Sent: Monday, May 21, 2007 1:59 PM
To: samba at lists.samba.org
Subject: [Samba] Samba 3.0.22 error with domain accounts

I have compiled Samba 3.0.22 on Solaris 10 (sparc.)   It has been 
configured as a PDC with a domain of, say, "SAMBADOMAIN."     It has 
some predefined group mappings for the Administrators and "Domain
Admins" group. These mappings were dropped in later versions of Samba.  
(I have been working with 3.0.24 as well.  Unfortunately it doesn't seem
to play nice with Sun's PC Netlink so I am hoping an older version

# net  groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-3994835435-1155125117-4257552229-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
*Administrators (S-1-5-32-544) -> -1***
Domain Admins (S-1-5-21-1184431512-2651584230-490432928-512) -> -1
Domain Guests (S-1-5-21-1184431512-2651584230-490432928-514) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-1184431512-2651584230-490432928-513) -> -1
*Domain Admins (S-1-5-21-3994835435-1155125117-4257552229-512) -> -1***
Domain Guests (S-1-5-21-3994835435-1155125117-4257552229-514) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

There is no unix group with GID "-1" so I am not quite sure if I should
be explicitly changing the group mappings to match real groups.  I do
have a unix group "administrators" defined, which includes the root and
administrator account (this was for version 3.0.24.)

I joined this machine to its own domain:

#  net join SAMBADOMAIN -U root

I can list users from, or add users to, local groups


#net rpc  group ADDMEM "Administrators" root
#net rpc  group ADDMEM "Administrators" administrator

but not with domain groups, whether predefined or not:


# bin/net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
adding entry for group Domain Admins failed!


#net groupmap add ntgroup="Engineering" unixgroup=engr rid=10300 type=d
Successfully added group Engineering to the mapping db

#/net rpc  group members "engineering" :
[2007/05/18 14:42:08, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine pipe \samr fnum 0x721ereturned critical error. Error was Call returned zero bytes (EOF)
[2007/05/18 14:42:08, 0] libsmb/clientgen.c:cli_rpc_pipe_close(375)
  cli_rpc_pipe_close: cli_close failed on pipe \samr, fnum 0x721e to machine  Error was Call returned zero bytes (EOF)

I compiled the software on my Linux workstation, but I get the same
errors when running the net command against the Solaris Samba server.
The Solaris server is configured as an LDAP client.

So my questions are:
 1 - What is causing the error (and how do I fix it)?
 2 - Do I need to change the group mappings to match real unix group
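
Added example (not part of either message in this thread): before posting `net groupmap list` output to a public list, the domain-specific part of each SID can be replaced with a stable placeholder. This Python sketch keeps the BUILTIN SIDs and the RIDs so the output stays useful for diagnosis; the function name and the sample SIDs are constructed for illustration.

```python
import re

# Domain or machine SID: S-1-5-21-<three sub-authorities>[-<RID>]
DOMAIN_SID = re.compile(r"\bS-1-5-21-(\d+-\d+-\d+)(?:-(\d+))?\b")

# Constructed sample in the "name (SID) -> gid" layout shown above.
SAMPLE = """\
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-1234567890-2345678901-3456789012-512) -> -1
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> -1
"""


def redact_sids(text):
    """Replace each distinct domain identifier with a stable placeholder.

    BUILTIN SIDs (S-1-5-32-*) are the same on every system and are kept.
    RIDs (512, 513, ...) are well known and are kept as well, since they
    are usually what a reader needs to diagnose a mapping problem.
    Returns (redacted_text, number_of_distinct_domain_identifiers).
    """
    labels = {}

    def swap(match):
        domain, rid = match.group(1), match.group(2)
        if domain not in labels:
            labels[domain] = "<DOMAIN-%d>" % (len(labels) + 1)
        redacted = "S-1-5-21-" + labels[domain]
        return redacted + ("-" + rid if rid else "")

    return DOMAIN_SID.sub(swap, text), len(labels)


if __name__ == "__main__":
    redacted, count = redact_sids(SAMPLE)
    print(redacted, end="")
    print("distinct domain identifiers: %d" % count)
```

The same domain always maps to the same placeholder, so a listing that mixes entries from two different domain SIDs still shows that fact after redaction.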


