[Samba] Upgrading from 3.0.23 but group_mapping.tdb is empty on current config

TAKAHASHI Motonobu monyo at monyo.com
Tue Jan 25 11:52:38 MST 2011


2011/1/25  <sgbarrett at eircom.net>:
> I have inherited a CentOS 4 Samba 3.0.23 PDC & file server for 40 hosts that has been through the wars.  It is standalone and stable and uses the smbpasswd file authentication backend, however I need to upgrade for Windows 7 support.
>
> I intend to build a server from scratch to the latest packages in CentOS 5 (3.3.8), set an identical local SID for the domain name, bring across the smbpasswd file and then migrate to a tdbsam passdb when I am confident that there are no issues.
>
> In practically every Samba PDC guide I have read it says that I need to map the Windows domain groups to unix groups.  On the current server, the net groupmap list command does not return any output.  Running 'strings' against /var/lib/samba/group_mapping.tdb shows the following entries:

(snip)

> That suggests to me that the group_mapping.tdb file has entries for three different domains for the groups Domain Admins, Domain Users and Domain Guests, but that none of them is my domain.  Is this correct?  We are not running any other domains here.

Use tdbdump or another proper tool to look at the contents of tdb files.

>  On the current server, the net groupmap list command does not return any output.

As far as I examined, in Samba 3.0.24 or later, these 3 groups are not
pre-defined.
If your "current server" means the newer Samba 3.3.8 server, it is OK for it
not to return any output.

> I also think that I will need to map Windows groups to unix groups on the new server.  Will this cause any trouble, given that the Windows machines aren't expecting it?  Currently no domain groups are available in Windows.  Access to the shares is managed at the Linux filesystem level with 'valid users' flags in the share options.

Not required, but recommended.
For example, "domain admins" should be added to the local "administrators" on
every joined machine. "domain users" should be the primary group of every
newly created domain user in Windows's implementation.

Not creating these groups will break this compatibility.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
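
Added example, not part of the original message and not Samba project code: a filter over `tdbdump` output that lists group mappings whose domain SID differs from the server's own, which is the question raised about group_mapping.tdb. The `UNIXGROUP/<SID>\00` key layout is an assumption about how tdbdump prints these records, and the sample dump and SIDs are constructed.

```shell
#!/bin/sh
# Added example. Reads `tdbdump` output on stdin and prints "RID DOMAIN-SID"
# for every group mapping whose domain SID is not the server's own.
# Assumption: keys are printed as  key(N) = "UNIXGROUP/<SID>\00"
foreign_group_sids() {
    local_sid=$1
    sed -n 's|^key([0-9]*) = "UNIXGROUP/\(S-[0-9-]*\)\\00"$|\1|p' |
    while read -r sid; do
        case $sid in
        S-1-5-21-*)                 # domain-relative SIDs only
            dom=${sid%-*}           # domain part, trailing RID stripped
            rid=${sid##*-}
            [ "$dom" = "$local_sid" ] || echo "$rid $dom"
            ;;
        esac                        # builtin (S-1-5-32-*) entries are skipped
    done
}

# Constructed sample dump: SIDs and data values are made up for illustration.
sample_dump() {
    cat <<'EOF'
{
key(56) = "UNIXGROUP/S-1-5-21-1111111111-2222222222-3333333333-512\00"
data(23) = "f\00\00\00\02\00\00\00Domain Admins\00\00"
}
{
key(56) = "UNIXGROUP/S-1-5-21-4444444444-5555555555-6666666666-513\00"
data(22) = "g\00\00\00\02\00\00\00Domain Users\00\00"
}
{
key(23) = "UNIXGROUP/S-1-5-32-544\00"
data(24) = "h\00\00\00\04\00\00\00Administrators\00\00"
}
EOF
}

# Constructed local SID; on a real server take it from `net getlocalsid`.
sample_dump | foreign_group_sids S-1-5-21-1111111111-2222222222-3333333333
# On the server itself (path as given in the thread):
#   tdbdump /var/lib/samba/group_mapping.tdb | foreign_group_sids "$LOCAL_SID"
```

Any line it prints is a mapping left over from a different domain SID, which `net groupmap list` on the rebuilt server would not associate with the current domain.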

