[Samba] samba 3.4.3 DC breaks Windows groups

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Nov 23 14:40:30 MST 2009

I have the following setup:

     PDC:  Samba 3.0.37 on Solaris 10
     BDC1: Samba 3.0.37 on Solaris 10
     BDC2: Samba 3.4.3 on Solaris 10

Samba 3.0.37 is the bundled version of Samba.
Samba 3.4.3 is compiled from source.

BDC2 is a recent addition to the network.
All machine use LDAP as the backend for everything.  They use winbind to
handle a domain trust with another domain, but otherwise isn't needed.

On BDC2,  users do not appear to be in any groups  beyond Domain Users.

Group mapping seems OK on each DC.

BDC2# net groupmap list
Domain Admins (S-1-5-21-xxxxx-xxxxx-512) -> smb_domadmins
Domain Users (S-1-5-21-xxxxx-xxxxx-513) -> smb_domusers
Domain Guests (S-1-5-21-xxxxx-xxxxx9-514) -> smb_domguests
Domain Computers (S-1-5-21-xxxxx-xxxxx-515) -> smb_machines
Domain Controllers (S-1-5-21-xxxxx-xxxxx-516) -> smb_dc
Domain Certificate Admins (S-1-5-21-xxxxx-xxxxx-517) -> smb_domcertadmins
Builtin Admins (S-1-5-21-xxxxx-xxxxx-544) -> smb_admins
Builtin users (S-1-5-21-xxxxx-xxxxx-545) -> smb_users
Builtin Guests (S-1-5-21-xxxxx-xxxxx-546) -> smb_guests
Administrators (S-xxxx-544) -> xxxx
Users (S-xxxx-545) -> xxxx

The last two in the listing above were automatically created by 
winbind/idmap for a trusted domain.

Unix level group memberships are OK

BDC2# groups Administrator
smb_domadmins smb_domusers

Windows/Samba level group memberships are not

BDC2# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users

BDC2# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users

Same deal with regular users

Nt.  Not all unix groups are mapped to Windows groups.  However I 
believe all required "well known" windows groups are.

Ldap structure includes
     ou=smb_groups (where samba stores group mappings, ldap 

You can verify machine PDC or BDC is being used by an Windows client 
with the "echo %LOGONSERVER%" command.

If I logon as Domain Administrator to an  XP or Win 2003 machine that is 
using BDC2, I will not have any Administrator privileges.

smb.conf includes
     ldap group suffix = ou=smb_groups

(When I converted from tdb to ldap backend,  I already had unix groups 
in ldap and wasn't sure how stuff would import.     I don't think 
existing groups or group mappings imported so I had to manually retype 
the "net group map commands."  )

The "Domain Admins" sambaGroupMapping does include Administrator as a 

BDC2# net rpc group members "Domain Admins" -U Administrator -S PDC

BDC2# net rpc group members "Domain Admins" -U Administrator -S BDC2
Enter Administrator's password:


More information about the samba mailing list