[Samba] User Manager for Domains -- Groups not showing

Christian Huldt christian at solvare.se
Thu Feb 5 15:46:48 GMT 2009

OK, found this thread (I googled, I (thought I) checked the list prior
to posting, well, well...)

Ray Klassen skrev:
> looking at the slapd logging after  a  'net rpc list groups'  it
> locates 57 groups and then queries the sambaSIDList attribute on each
> one. (which I said earlier I wasn't set) After which it records
> 'bdb_search: no candidates' and thats that...
I get the feeling that there are several ways that samba tries to find
group members, but using SIDs in sambaSIDList attributes of the group is
not anything I have found in any docs (nor have I yet dived into the
source to find out...)

(If samba actually tries in several ways there might be a chance to use
the first method to improve performance? Not that that is on my current
list of things to do...)

Jeremy Allison skrev:
> There was a bug in earlier versions of the smbldap-tools
> that creates groups with the wrong sid-type. I'd suggest
> upgrading to 3.0.34 (latest 3.0.x release) and then ensuring
> the group-type is changed in your LDAP db (I think it should be
> type 5, rather than type 4 but this could be the other way
> around :-).

Just trying to get my head around this:
group-type 2: domain groups
group-type 4: local groups
group-type 5: builtin groups

Now, I checked well-known SIDs at http://support.microsoft.com/kb/243330
but I really have no clue as to which are domain groups and not, guess
I'll have check the latest smbldap-tools

The funny thing is that net group list mostly works, but
# net rpc -Uadmin -Sserver2 group MEMBERS "Domain Admins"


# net rpc -Uadmin -Sserver2 group ADDMEM "Domain Admins" admin
Could not add admin to Domain Admins: NT_STATUS_MEMBER_IN_GROUP

so the user admin is and is not a member of "Domain Admins"

Clues are welcome, I will investigate which groups should be which type
in the meantime...

Christian Huldt

More information about the samba mailing list