[Samba] unable to map windows to unix groups

jcdole at free.fr jcdole at free.fr
Sun Aug 10 21:21:28 GMT 2008


As I said, I did a fresh install of opensuse 10.3, samba, ldap.

During the process, I filled the ldap database directly with an ldif file built
using smbldap tools.

(one item in that file -->

dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
sambaGroupType: 2
displayName: Domain Admins
description: Netbios Domain Administrators
#sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
#description: Netbios Domain Administrators
 )

So you mean by doing this it is not necessary to map the native existing unix
group "ntadmin" (gid 71) with "Domain Admins" ?
(ntadmin appears in /etc/group and "Domain Admins" does not)

Reading the samba documentation was not very clear for me.

jcdole


Selon Douglas VanLeuven <roamdad at sonic.net>:
>
> It looks like you already have an existing unix group called "Domain
> Admins" being pulled in from ldap.  When that is true, there is no need
> for groupmap and indeed it would appear it is illegal to map a windows
> group that matches an existing unix group to another unix group.
>
> Doug
>
>
> jcdole at free.fr wrote:
> > Hello.
> >
> > After fresh install.
> >
> > Samba and ldap seem to run normally ( I can join win2k workstation to linux samba pdc ).
> >
> > Using yast I create a system group named domadmin
> >
> > But I am unable to map "Domain Admins" to domadmin
> > I am unable to map "Domain Admins" to existing ntadmin group
> >
> > I am unable to modify mapping "Domain Admins" to domadmin group
> >
> > Thank you for helping.
> >
> > LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d
> > adding entry for group Domain Admins failed!
> > LINUX-SRV: #
> >
> > LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
> > adding entry for group Domain Admins failed!
> > LINUX-SRV: #
> >
> > LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
> > Can't map to an unknown group type.
> > LINUX-SRV: #
> >
> > LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
> > Could not update group database
> > LINUX-SRV: #
> >
> > LINUX-SRV:~ net groupmap list
> > request done: ld 0x555555c881e0 msgid 1
> > request done: ld 0x555555c881e0 msgid 2
> > Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
> > request done: ld 0x555555c881e0 msgid 3
> > Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
> > request done: ld 0x555555c881e0 msgid 4
> > Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
> > request done: ld 0x555555c881e0 msgid 5
> > Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
> > request done: ld 0x555555c881e0 msgid 6
> > Administrators (S-1-5-32-544) -> Administrators
> > request done: ld 0x555555c881e0 msgid 7
> > Account Operators (S-1-5-32-548) -> Account Operators
> > request done: ld 0x555555c881e0 msgid 8
> > Print Operators (S-1-5-32-550) -> Print Operators
> > request done: ld 0x555555c881e0 msgid 9
> > Backup Operators (S-1-5-32-551) -> Backup Operators
> > request done: ld 0x555555c881e0 msgid 10
> > Replicators (S-1-5-32-552) -> Replicators
> > request done: ld 0x555555c881e0 msgid 11
> > Users (S-1-5-32-545) -> 15000
> > LINUX-SRV: #
> >
> > LINUX-SRV: # getent group
> > at:!:25:
> > ..............
> > ..............
> > domadmin:x:114:
> > root:x:0:
> > ...............
> > ..............
> > users:x:100:
> > +::0:
> > request done: ld 0x618d10 msgid 1
> > Domain Admins:*:512:root,user_admin
> > Domain Users:*:513:
> > Domain Guests:*:514:
> > Domain Computers:*:515:
> > Administrators:*:544:
> > Account Operators:*:548:
> > Print Operators:*:550:
> > Backup Operators:*:551:
> > Replicators:*:552:
> > request done: ld 0x618d10 msgid 2
>
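Added example, not code from this thread or from the Samba project: a small audit script for the situation Doug describes. The sambaGroupMapping entry in LDAP already makes "Domain Admins" a unix group (gid 512) through NSS, so a separate `net groupmap add` to domadmin or ntadmin is redundant and is refused. The script parses an LDIF export, a `getent group` listing and a `net groupmap list` listing and reports, per Windows group, whether it already resolves via NSS, whether gidNumber agrees with NSS, whether the sambaSID belongs to the domain SID quoted in the thread, and whether each groupmap target (name or numeric gid, such as the bare `15000` in the listing above) resolves at all. All three inputs are constructed from the output quoted in the thread; the "Domain Guests" entry with the foreign SID `S-1-5-21-111-222-333-514` is a hypothetical inconsistent entry added to exercise the checks.

```python
import re

DOMAIN_SID = "S-1-5-21-3134345319-2430187646-2919245149"  # domain SID quoted in the thread

# Constructed LDIF: the thread's "Domain Admins" entry (abridged), a plain
# posixGroup with no mapping, and a hypothetical inconsistent "Domain Guests".
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
#sambaPrimaryGroupSID: SID of the user group (512 = Admins group)

dn: cn=domadmin,ou=Groups,dc=ldap_hathor,dc=nwk
objectClass: posixGroup
gidNumber: 114
cn: domadmin

dn: cn=Domain Guests,ou=Groups,dc=ldap_hathor,dc=nwk
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
sambaSID: S-1-5-21-111-222-333-514
"""

# Constructed `getent group` output, abridged from the thread.
SAMPLE_GETENT = """\
ntadmin:x:71:
domadmin:x:114:
+::0:
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
"""

# Constructed `net groupmap list` output, abridged ("request done" lines are LDAP debug noise).
SAMPLE_GROUPMAP = """\
request done: ld 0x555555c881e0 msgid 1
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
Users (S-1-5-32-545) -> 15000
"""
GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>.+)$")


def parse_ldif(text):
    """Entries as {attr: [values]}; handles '#' comments, blank-line separators
    and RFC 2849 continuation lines. Base64 ('::') values are not decoded."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def parse_getent(text):
    """Group name -> gid from `getent group`, skipping NIS compat '+'/'-' lines."""
    groups = {}
    for line in text.splitlines():
        p = line.split(":")
        if len(p) >= 3 and p[2].isdigit() and p[0][:1] not in "+-":
            groups[p[0]] = int(p[2])
    return groups


def audit(ldif_text, getent_text, groupmap_text, domain_sid=DOMAIN_SID):
    """Return {group name: [findings]}; an empty list means the group is consistent."""
    nss = parse_getent(getent_text)
    report = {}
    for e in parse_ldif(ldif_text):
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue  # plain posixGroup: nothing for Samba to map
        name, gid = e["cn"][0], int(e["gidNumber"][0])
        sid = e.get("sambaSID", [""])[0]
        f = report.setdefault(name, [])
        if name in nss:
            f.append("already a unix group via NSS: no separate groupmap needed")
            if nss[name] != gid:
                f.append(f"gidNumber {gid} != NSS gid {nss[name]}")
        else:
            f.append("not visible via NSS: check nsswitch.conf / LDAP client config")
        if sid.rpartition("-")[0] != domain_sid:
            f.append(f"sambaSID {sid!r} is not in domain {domain_sid}")
    for line in groupmap_text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if not m:
            continue
        unix = m["unix"]
        ok = int(unix) in nss.values() if unix.isdigit() else unix in nss
        if not ok:
            report.setdefault(m["nt"], []).append(f"groupmap target {unix!r} does not resolve via NSS")
    return report
```

Run `audit(SAMPLE_LDIF, SAMPLE_GETENT, SAMPLE_GROUPMAP)` and the report shows "Domain Admins" as already resolving through NSS (the thread's case), the hypothetical "Domain Guests" as invisible to NSS with a SID outside the domain, and the "Users" mapping pointing at gid 15000 that no NSS group owns. Against a live PDC the three strings would come from `ldapsearch -LLL`, `getent group` and `net groupmap list`.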