[Samba] unable to map windows to unix groups

Douglas VanLeuven roamdad at sonic.net
Sat Aug 9 20:07:44 GMT 2008


jcdole at free.fr wrote:
> Hello.
> 
> After fresh install.
> 
> Samba and ldap seem to run normally ( I can join win2k workstation to linux
> samba pdc ).
> 
> Using yast I create a system group named domadmin
> 
> But I am unable to map "Domain Admins" to domadmin
> I am unable to map "Domain Admins" to existing ntadmin group
> 
> I am unable to modify mapping "Domain Admins" to domadmin group
> 
> Thank you for helping.
> 
> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin
> rid=512 type=d
> adding entry for group Domain Admins failed!
> LINUX-SRV: #
> 
> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512
> type=d
> adding entry for group Domain Admins failed!
> LINUX-SRV: #
> 
> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
> Can't map to an unknown group type.
> LINUX-SRV: #
> 
> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin 
> type=d
> Could not update group database
> LINUX-SRV: #
> 
> LINUX-SRV:~ net groupmap list
> request done: ld 0x555555c881e0 msgid 1
> request done: ld 0x555555c881e0 msgid 2
> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
> request done: ld 0x555555c881e0 msgid 3
> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
> request done: ld 0x555555c881e0 msgid 4
> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
> request done: ld 0x555555c881e0 msgid 5
> Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain
> Computers
> request done: ld 0x555555c881e0 msgid 6
> Administrators (S-1-5-32-544) -> Administrators
> request done: ld 0x555555c881e0 msgid 7
> Account Operators (S-1-5-32-548) -> Account Operators
> request done: ld 0x555555c881e0 msgid 8
> Print Operators (S-1-5-32-550) -> Print Operators
> request done: ld 0x555555c881e0 msgid 9
> Backup Operators (S-1-5-32-551) -> Backup Operators
> request done: ld 0x555555c881e0 msgid 10
> Replicators (S-1-5-32-552) -> Replicators
> request done: ld 0x555555c881e0 msgid 11
> Users (S-1-5-32-545) -> 15000
> LINUX-SRV: #
> 
> LINUX-SRV: # getent group
> at:!:25:
> ..............
> ..............
> domadmin:x:114:
> root:x:0:
> ...............
> ..............
> users:x:100:
> +::0:
> request done: ld 0x618d10 msgid 1
> Domain Admins:*:512:root,user_admin
> Domain Users:*:513:
> Domain Guests:*:514:
> Domain Computers:*:515:
> Administrators:*:544:
> Account Operators:*:548:
> Print Operators:*:550:
> Backup Operators:*:551:
> Replicators:*:552:
> request done: ld 0x618d10 msgid 2

It looks like you already have an existing unix group called "Domain 
Admins" being pulled in from ldap.  When that is true, there is no need 
for groupmap and indeed it would appear it is illegal to map a windows 
group that matches an existing unix group to another unix group.

Doug
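
An added example (not part of the original thread): a Python check that cross-references `net groupmap list` with `getent group` to show which NT groups already resolve to a same-named unix group, the situation the reply above describes, and who is a member of that group. The function names and status labels are hypothetical; the sample text is abridged from the command output quoted in the thread.

```python
import re

# "NT name (SID) -> unix group" lines, the format `net groupmap list` prints above
MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>.+)$")

def parse_groupmap(text):
    """Return (nt_name, sid, unix_name) tuples; LDAP debug lines do not match."""
    hits = (MAP_RE.match(line.strip()) for line in text.splitlines())
    return [(m["nt"], m["sid"], m["unix"]) for m in hits if m]

def parse_getent(text):
    """Return {group: (gid, members)} from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        # Skip debug noise and the "+::0:" compat entry
        if len(parts) != 4 or not parts[2].isdigit() or parts[0].startswith("+"):
            continue
        groups[parts[0]] = (int(parts[2]), [u for u in parts[3].split(",") if u])
    return groups

def audit(groupmap_text, getent_text):
    """Classify each mapping and list who is in the unix group behind it."""
    groups = parse_getent(getent_text)
    report = {}
    for nt, sid, unix in parse_groupmap(groupmap_text):
        if unix not in groups:
            status = "unresolved"   # target is not a group name getent knows
        elif unix == nt:
            status = "same-name"    # a unix group already carries the NT name
        else:
            status = "remapped"
        report[nt] = {"rid": int(sid.rsplit("-", 1)[1]), "unix": unix,
                      "status": status, "members": groups.get(unix, (None, []))[1]}
    return report

# Sample input abridged from the command output quoted in the thread
GROUPMAP = """request done: ld 0x555555c881e0 msgid 2
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
request done: ld 0x555555c881e0 msgid 11
Users (S-1-5-32-545) -> 15000"""
GETENT = """domadmin:x:114:
root:x:0:
+::0:
request done: ld 0x618d10 msgid 1
Domain Admins:*:512:root,user_admin"""

if __name__ == "__main__":
    for nt, row in audit(GROUPMAP, GETENT).items():
        print(f"{nt!r} -> {row['unix']!r}: {row['status']}, members={row['members']}")
```

On a live server the two inputs would be the captured output of `net groupmap list` and `getent group`.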