[Samba] unable to map windows to unix groups

jcdole at free.fr jcdole at free.fr
Mon Aug 11 10:45:51 GMT 2008


Thank you very much indeed.

This thread should be closed

JC DOLE

Douglas VanLeuven <roamdad at sonic.net> wrote:
>
> When you do getent group you're getting what's in the local /etc/group
> and what's defined in the ldap group membership.  See gidNumber above.
> Using /etc/nsswitch.conf to define ldap lookups extends the /etc/passwd
> and /etc/group membership so passwd and group uid/gid's can be defined
> system wide and used by any unix machine.
>
> So yes.  Users belonging to group 512 are "Domain Admins".  You need to
> add users to this group when you want them to have related security
> privileges.  You should be able to chgrp 512 filename and have it show
> as "Domain Admins" when you ls the directory.  I haven't used the
> smbldap tools package, but it looks like the most common windows groups
> have already been defined for you.  All you need to do is avoid using
> the ldap passwd & group uid/gids in the local files.  Yast tools will
> probably not allow you to generate duplicates.
>
> And yes, you only need to map groups when the unix name doesn't match
> the windows name and you don't want samba to create the account on the
> fly using whatever idmap backend you pick.  Your idmap backend should
> probably be idmap_ldap and accounts generated then become available
> system wide using the same uid/gid's and network file sharing offers the
> same membership security regardless of client machine access.
>
> This is probably in a FAQ somewhere where the answer would be more
> structured.  I use the following to resolve my issues:
> http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/
> http://us6.samba.org/samba/docs/man/Samba-Guide/
>
> Since samba is evolving almost daily, sometimes the Howto syntax has been
> modified in the current manifestation of the command.  Always refer to
> the current command documentation to resolve any discrepancies.
>
> Doug
>

> jcdole at free.fr wrote:
> > As I said, I did a fresh install of opensuse 10.3, samba, ldap.
> >
> > During the process, I filled the ldap database directly with an ldif file
> > built using smbldap tools.
> >
> > (one item in that file -->
> >
> > dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > gidNumber: 512
> > cn: Domain Admins
> > memberUid: root
> > sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
> > sambaGroupType: 2
> > displayName: Domain Admins
> > description: Netbios Domain Administrators
> > #sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
> > #description: Netbios Domain Administrators
> >  )
> >
> > So you mean that by doing this it is not necessary to map the native existing
> > unix group "ntadmin" (gid 71) to "Domain Admins"?
> > (ntadmin appears in /etc/group and "Domain Admins" does not)
> >
> > Reading the samba documentation was not very clear for me.
> >
> > jcdole
> >
> >
> > Douglas VanLeuven <roamdad at sonic.net> wrote:
> >> It looks like you already have an existing unix group called "Domain
> >> Admins" being pulled in from ldap.  When that is true, there is no need
> >> for groupmap and indeed it would appear it is illegal to map a windows
> >> group that matches an existing unix group to another unix group.
> >>
> >> Doug
> >>
> >>
> >> jcdole at free.fr wrote:
> >>> Hello.
> >>>
> >>> After fresh install.
> >>>
> >>> Samba and ldap seem to run normally (I can join a win2k workstation to the
> >>> linux samba pdc).
> >>>
> >>> Using yast I created a system group named domadmin
> >>>
> >>> But I am unable to map "Domain Admins" to domadmin
> >>> I am unable to map "Domain Admins" to the existing ntadmin group
> >>>
> >>> I am unable to modify the mapping of "Domain Admins" to the domadmin group
> >>>
> >>> Thank you for helping.
> >>>
> >>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d
> >>> adding entry for group Domain Admins failed!
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
> >>> adding entry for group Domain Admins failed!
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
> >>> Can't map to an unknown group type.
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
> >>> Could not update group database
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV:~ net groupmap list
> >>> request done: ld 0x555555c881e0 msgid 1
> >>> request done: ld 0x555555c881e0 msgid 2
> >>> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
> >>> request done: ld 0x555555c881e0 msgid 3
> >>> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
> >>> request done: ld 0x555555c881e0 msgid 4
> >>> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
> >>> request done: ld 0x555555c881e0 msgid 5
> >>> Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
> >>> request done: ld 0x555555c881e0 msgid 6
> >>> Administrators (S-1-5-32-544) -> Administrators
> >>> request done: ld 0x555555c881e0 msgid 7
> >>> Account Operators (S-1-5-32-548) -> Account Operators
> >>> request done: ld 0x555555c881e0 msgid 8
> >>> Print Operators (S-1-5-32-550) -> Print Operators
> >>> request done: ld 0x555555c881e0 msgid 9
> >>> Backup Operators (S-1-5-32-551) -> Backup Operators
> >>> request done: ld 0x555555c881e0 msgid 10
> >>> Replicators (S-1-5-32-552) -> Replicators
> >>> request done: ld 0x555555c881e0 msgid 11
> >>> Users (S-1-5-32-545) -> 15000
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV: # getent group
> >>> at:!:25:
> >>> ..............
> >>> ..............
> >>> domadmin:x:114:
> >>> root:x:0:
> >>> ...............
> >>> ..............
> >>> users:x:100:
> >>> +::0:
> >>> request done: ld 0x618d10 msgid 1
> >>> Domain Admins:*:512:root,user_admin
> >>> Domain Users:*:513:
> >>> Domain Guests:*:514:
> >>> Domain Computers:*:515:
> >>> Administrators:*:544:
> >>> Account Operators:*:548:
> >>> Print Operators:*:550:
> >>> Backup Operators:*:551:
> >>> Replicators:*:552:
> >>> request done: ld 0x618d10 msgid 2
>
>
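As an added example, not code from the thread or from the Samba project: a POSIX shell script that applies Doug's diagnosis mechanically before anyone types `net groupmap add`. It works on constructed copies of the `getent group` and `net groupmap list` output posted above (the ldap `request done` debug lines stripped, and an `ntadmin:x:71:` line added to stand for the local group the thread mentions) and reports whether the Windows group name already resolves through NSS (in which case no groupmap entry is needed), whether the intended unix target exists, which mappings point at a gid no group resolves to (the `Users -> 15000` entry), and whether any gid is defined under two names (the local-file/ldap duplication Doug warns against). The function names and the samples are assumptions of this example; `net` and `getent` themselves are not invoked.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): sanity checks to run
# before "net groupmap add", driven by text captured from "getent group" and
# "net groupmap list". Both samples are constructed from the output posted in
# the thread; "ntadmin:x:71:" is added for the local group the thread mentions.

GETENT_SAMPLE='at:!:25:
ntadmin:x:71:
domadmin:x:114:
root:x:0:
users:x:100:
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:'

# "net groupmap list" output with the ldap "request done" debug lines removed.
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
Administrators (S-1-5-32-544) -> Administrators
Users (S-1-5-32-545) -> 15000'

# unix_group_exists NAME_OR_GID [GETENT_DATA]
# Succeeds when NSS (local files plus ldap) knows a group by that name or gid.
unix_group_exists() {
    printf '%s\n' "${2:-$GETENT_SAMPLE}" |
        awk -F: -v n="$1" '$1 == n || $3 == n { found = 1 } END { exit (found ? 0 : 1) }'
}

# name_of_gid GID [GETENT_DATA]: the name "ls -l" shows after "chgrp GID file".
name_of_gid() {
    printf '%s\n' "${2:-$GETENT_SAMPLE}" | awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# duplicate_gids [GETENT_DATA]: gids that appear under more than one group name,
# i.e. a local /etc/group entry reusing a gid that ldap also hands out.
duplicate_gids() {
    printf '%s\n' "${1:-$GETENT_SAMPLE}" |
        awk -F: 'NF >= 3 { names[$3] = (names[$3] == "") ? $1 : (names[$3] "," $1); cnt[$3]++ }
                 END { for (g in cnt) if (cnt[g] > 1) print g ": " names[g] }'
}

# groupmap_advice NTGROUP UNIXGROUP [GETENT_DATA]
#   already-resolvable : NSS already returns NTGROUP, so no groupmap entry is needed
#   missing-unix-group : UNIXGROUP does not resolve; create it (ldap or local) first
#   map-needed         : net groupmap add ntgroup="NTGROUP" unixgroup=UNIXGROUP ...
groupmap_advice() {
    if unix_group_exists "$1" "${3:-$GETENT_SAMPLE}"; then
        echo already-resolvable
    elif ! unix_group_exists "$2" "${3:-$GETENT_SAMPLE}"; then
        echo missing-unix-group
    else
        echo map-needed
    fi
}

# dangling_mappings [GROUPMAP_DATA] [GETENT_DATA]
# Prints mappings whose unix side is a bare gid or a name NSS cannot resolve.
dangling_mappings() {
    printf '%s\n' "${1:-$GROUPMAP_SAMPLE}" | while IFS= read -r line; do
        nt=${line%% (S-1-*}
        target=${line##* -> }
        unix_group_exists "$target" "${2:-$GETENT_SAMPLE}" ||
            printf '%s -> %s\n' "$nt" "$target"
    done
}

# Stand-alone run: reproduce the situation from the thread.
groupmap_advice "Domain Admins" domadmin   # already-resolvable
groupmap_advice "Power Users" domadmin     # map-needed
name_of_gid 512                            # Domain Admins
dangling_mappings                          # Users -> 15000
duplicate_gids                             # prints nothing: no gid is defined twice
```

To use it against a live system, replace the two sample strings with `getent group` and `net groupmap list 2>/dev/null | grep -- ' -> '`; the checks themselves are the same. The "already-resolvable" answer is exactly the case in the thread: "Domain Admins" is already a posixGroup with gidNumber 512 in ldap, so `net groupmap add` has nothing to add.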