[Samba] unable to map windows to unix groups

Douglas VanLeuven roamdad at sonic.net
Mon Aug 11 00:50:55 GMT 2008


jcdole at free.fr wrote:
> As I said, I did a fresh install of opensuse 10.3, samba, ldap.
> 
> During the process, I filled the ldap database directly with an ldif file built
> using smbldap tools.
> 
> (one item in that file -->
> 
> dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: root
> sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
> sambaGroupType: 2
> displayName: Domain Admins
> description: Netbios Domain Administrators
> #sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
> #description: Netbios Domain Administrators
>  )
> 
> So you mean by doing this it is not necessary to map the native existing unix
> group "ntadmin" (gid 71) with "Domain Admins" ?
> (ntadmin appear in /etc/group and "Domain Admins" not)

When you do getent group you're getting what's in the local /etc/group 
and what's defined in the ldap group membership.  See gidNumber above. 
Using /etc/nsswitch.conf to define ldap lookups extends the /etc/passwd 
and /etc/group membership so passwd and group uid/gid's can be defined 
system wide and used by any unix machine.

So yes.  Users belonging to group 512 are "Domain Admins".  You need to 
add users to this group when you want them to have related security 
privileges.  You should be able to chgrp 512 filename and have it show 
as "Domain Admins" when you ls the directory.  I haven't used the 
smbldap tools package, but it looks like the most common windows groups 
have already been defined for you.  All you need to do is avoid using 
the ldap passwd & group uid/gids in the local files.  Yast tools will 
probably not allow you to generate duplicates.

And yes, you only need to map groups when the unix name doesn't match 
the windows name and you don't want samba to create the account on the 
fly using whatever idmap backend you pick.  Your idmap backend should 
probably be idmap_ldap and accounts generated then become available 
system wide using the same uid/gid's and network file sharing offers the 
same membership security regardless of client machine access.

This is probably in a FAQ somewhere where the answer would be more 
structured.  I use the following to resolve my issues:
http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://us6.samba.org/samba/docs/man/Samba-Guide/

Since samba is evolving almost daily, sometimes the Howto syntax has been 
modified in the current manifestation of the command.  Always refer to 
the current command documentation to resolve any discrepancies.

Doug

> 
> Reading the samba documentation was not very clear for me.
> 
> jcdole
> 
> 
> Selon Douglas VanLeuven <roamdad at sonic.net>:
>> It looks like you already have an existing unix group called "Domain
>> Admins" being pulled in from ldap.  When that is true, there is no need
>> for groupmap and indeed it would appear it is illegal to map a windows
>> group that matches an existing unix group to another unix group.
>>
>> Doug
>>
>>
>> jcdole at free.fr wrote:
>>> Hello.
>>>
>>> After fresh install.
>>>
>>> Samba and ldap seem to run normally (I can join win2k workstation to
>>> linux samba pdc).
>>>
>>> Using yast I create a system group named domadmin
>>>
>>> But I am unable to map "Domain Admins" to domadmin
>>> I am unable to map "Domain Admins" to existing ntadmin group
>>>
>>> I am unable to modify mapping "Domain Admins" to domadmin group
>>>
>>> Thank you for helping.
>>>
>>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin
>>> rid=512 type=d
>>> adding entry for group Domain Admins failed!
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin
>>> rid=512 type=d
>>> adding entry for group Domain Admins failed!
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
>>> Can't map to an unknown group type.
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins"
>>> unixgroup=domadmin type=d
>>> Could not update group database
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV:~ net groupmap list
>>> request done: ld 0x555555c881e0 msgid 1
>>> request done: ld 0x555555c881e0 msgid 2
>>> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain
>>> Admins
>>> request done: ld 0x555555c881e0 msgid 3
>>> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain
>>> Users
>>> request done: ld 0x555555c881e0 msgid 4
>>> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain
>>> Guests
>>> request done: ld 0x555555c881e0 msgid 5
>>> Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain
>>> Computers
>>> request done: ld 0x555555c881e0 msgid 6
>>> Administrators (S-1-5-32-544) -> Administrators
>>> request done: ld 0x555555c881e0 msgid 7
>>> Account Operators (S-1-5-32-548) -> Account Operators
>>> request done: ld 0x555555c881e0 msgid 8
>>> Print Operators (S-1-5-32-550) -> Print Operators
>>> request done: ld 0x555555c881e0 msgid 9
>>> Backup Operators (S-1-5-32-551) -> Backup Operators
>>> request done: ld 0x555555c881e0 msgid 10
>>> Replicators (S-1-5-32-552) -> Replicators
>>> request done: ld 0x555555c881e0 msgid 11
>>> Users (S-1-5-32-545) -> 15000
>>> LINUX-SRV: #
>>>
>>> LINUX-SRV: # getent group
>>> at:!:25:
>>> ..............
>>> ..............
>>> domadmin:x:114:
>>> root:x:0:
>>> ...............
>>> ..............
>>> users:x:100:
>>> +::0:
>>> request done: ld 0x618d10 msgid 1
>>> Domain Admins:*:512:root,user_admin
>>> Domain Users:*:513:
>>> Domain Guests:*:514:
>>> Domain Computers:*:515:
>>> Administrators:*:544:
>>> Account Operators:*:548:
>>> Print Operators:*:550:
>>> Backup Operators:*:551:
>>> Replicators:*:552:
>>> request done: ld 0x618d10 msgid 2
> 
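Doug's point that the LDAP-published gids must not reappear in the local files is easy to check mechanically. The script below is an added example, not code from the thread or from Samba or the smbldap tools: it emulates the "files ldap" merge order that nsswitch gives `getent group`, shows that a local entry reusing gid 512 shadows "Domain Admins", and reports gid and name collisions between the two sources. The group lines, the file names and the temp-directory layout are all constructed for the example.

```shell
#!/bin/sh
# Added example: detect gid/name collisions between local /etc/group and the
# group entries LDAP contributes through nsswitch. Sample data is constructed.

# Constructed stand-in for the local /etc/group (note the deliberate reuse
# of gid 512 by a local group, which is the mistake Doug warns about).
LOCAL_SAMPLE='root:x:0:
ntadmin:x:71:
users:x:100:
domadmin:x:114:
backup:x:512:'

# Constructed stand-in for what the ldap NSS backend adds to getent group.
LDAP_SAMPLE='Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
domadmin:*:600:'

# Usage: group_conflicts LOCAL_FILE LDAP_FILE
# Prints one line per collision: a gid owned by different names in the two
# sources, or a name carrying different gids. Prints nothing when disjoint.
group_conflicts() {
    awk -F: -v lfile="$1" '
        FILENAME == lfile { lname[$3] = $1; lgid[$1] = $3; next }
        {
            if ($3 in lname && lname[$3] != $1)
                printf "gid %s: local \"%s\" vs ldap \"%s\"\n", $3, lname[$3], $1
            if ($1 in lgid && lgid[$1] != $3)
                printf "name \"%s\": local gid %s vs ldap gid %s\n", $1, lgid[$1], $3
        }' "$1" "$2"
}

# Usage: merged_view LOCAL_FILE LDAP_FILE
# Emulates nsswitch "group: files ldap": local entries win on first match.
merged_view() { cat "$1" "$2"; }

# Usage: gid_to_name GROUP_FILE GID
# First group name owning GID, as "getent group GID" would answer.
gid_to_name() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# Usage: check_sources LOCAL_FILE LDAP_FILE
# Returns 0 when the sources are disjoint, 1 (and lists the conflicts) otherwise.
check_sources() {
    conflicts=$(group_conflicts "$1" "$2")
    if [ -n "$conflicts" ]; then
        printf '%s\n' "$conflicts"
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed samples.
demo() {
    tmpd=$(mktemp -d)
    printf '%s\n' "$LOCAL_SAMPLE" > "$tmpd/local"
    printf '%s\n' "$LDAP_SAMPLE" > "$tmpd/ldap"
    merged_view "$tmpd/local" "$tmpd/ldap" > "$tmpd/merged"
    printf 'gid 512 in ldap alone resolves to: %s\n' "$(gid_to_name "$tmpd/ldap" 512)"
    printf 'gid 512 in the merged view resolves to: %s\n' "$(gid_to_name "$tmpd/merged" 512)"
    check_sources "$tmpd/local" "$tmpd/ldap" || echo "remove these local duplicates before relying on nsswitch"
    rm -rf "$tmpd"
}
demo
```

On a live box the same two functions can be pointed at `/etc/group` and at the output of `getent -s ldap group` (where the NSS module supports service selection); the shadowing shown for gid 512 is exactly why `chgrp 512 filename` would display a local name instead of "Domain Admins".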
