[Samba] BUILTIN groups mapping via winbind!!
Kaustubh Chaudhari
c_kitu at yahoo.co.in
Thu Nov 1 13:56:02 GMT 2007
Hi Herman.
This is really helpful information, but I am not able to understand
why in the Builtin group we can't see a mapping for a normal user, as, if we
look, Builtin is also an OU and we have some Builtin users and groups in it.
If I create an OU and groups or users in it, then I can see all those, but
just not with Builtin.
Feel free to correct me if you find I am wrong.
Thanks for your interest in this.
Regards,
Kaustubh.
herman wrote:
> Kaustubh Chaudhari wrote:
>> Hi all,
>>
>> When I create a group in AD and add users to the same, then with
>> #getent group I can see the group and its members properly.
>>
>> But if I add a user to BUILTIN, say the BUILTIN Guests group, then I
>> don't see its members.
>> ==
>> kktest:x:10026:kk,Administrator
>> BUILTIN+Guests:x:10019:
>> ==
>>
>> Here I have added the kk user to both the kktest and BUILTIN+Guests groups.
>> But I can't see kk associated with BUILTIN Guests.
>>
>> I know that BUILTIN groups have predefined SIDs by Microsoft, and their
>> mapping is done separately. (I found this in idmap.c)
>>
>> Is this a normal behavior?
>>
>> Would appreciate if someone can explain the reasons for this.
>>
>> Regards,
>> Kaustubh.
> In general you need to define an Organizational Unit (OU), then define
> your groups and users inside that OU. It should then show up with
> Samba winbind.
>
> Some don'ts:
> Don't rename anything.
> Don't drag and drop anything from one OU to another OU.
> Don't make a user in one OU a member of a group in another OU.
> It is not even a good idea to delete anything.
> If you need to fix a typing mistake, define a new record - don't try
> to edit the mistake.
> Make frequent backups of ADS.
>
> Some dos:
> Apply security policies to OUs, not to users.
> Run ADS on VMware, so that you can take snapshots as backups.
>
> The reason for the above cautions is that ADS (mostly) works using the
> GUIDs, while Samba uses the text strings. So you don't want to get in
> a situation where ADS reuses an old GUID and changes to text strings
> are applied inconsistently, which confuses winbind, so changing any
> text string after it has been defined can also screw things up.
>
> 'Hope that helps!
>
> Herman