[Samba] Can't add users to well known groups...
Linda Walsh
samba at tlinx.org
Sat Sep 10 13:08:32 MDT 2011
Harry Jede wrote:
> On 15:48:09 wrote Linda Walsh:
>
>> I created the well known group Domain Admins pointing to a local
>> group, but I am not able to add users to the group -- it claims I
>> can only add users to
>> local or global groups...
>>
>> But I only see local, domain ,well-known, builtin.
>>
>> There are no global groups unless one would include all groups that
>> are not local (i.e. domain, well-known, and builtin)....
>>
>> So why doesn't it want to let me add to my domain admins group when
>> it is defined as a well known group (which it is, according to
>> MS)...
>>
> Nobody may be able to answer your questions, if you don't give us some
> background information!
>
> something like:
> which samba version
> which sam, ldapsam or tdbsam
> do you use winbind
> your global section of samba conf
> the commands you have used
> which well known groups you have currently
>
> ---
>
Sorry...
running with latest 3.5.x: 3.5.11 as of this writing.
Using Tdb & winbind.
Since I was having problems with Domain Admins, I tried deleting
it and recreating it as a domain group (so it doesn't show, below, as a
'well known group' but as a domain group, even though it should be both).
--------------
> sudo net -l groupmap list
Domain Users
SID : S-1-5-21-33333-77777-33333-513
Unix gid : 513
Unix group: Domain Users
Group type: Well-known Group
Comment : Wellknown Unix group
man
SID : S-1-5-21-33333-77777-33333-1028
Unix gid : 62
Unix group: man
Group type: Domain Group
Comment : Unix Group man
Domain Controllers
SID : S-1-5-21-33333-77777-33333-516
Unix gid : 516
Unix group: Domain Controllers
Group type: Well-known Group
Comment : Wellknown Unix group
Backup Operators
SID : S-1-5-32-551
Unix gid : 551
Unix group: Backup Operators
Group type: Well-known Group
Comment : Wellknown Unix group
Power Users
SID : S-1-5-32-547
Unix gid : 547
Unix group: Power Users
Group type: Well-known Group
Comment : Wellknown Unix group
Cert Publishers
SID : S-1-5-21-33333-77777-33333-517
Unix gid : 517
Unix group: Cert Publishers
Group type: Well-known Group
Comment : Wellknown Unix group
Replicators
SID : S-1-5-32-552
Unix gid : 552
Unix group: Replicators
Group type: Well-known Group
Comment : Wellknown Unix group
Domain Admins
SID : S-1-5-21-33333-77777-33333-544
Unix gid : 512
Unix group: Domain Admins
Group type: Domain Group
Comment : Domain Unix group
Juno
SID : S-1-5-21-33333-77777-33333-1005
Unix gid : 231
Unix group: Juno
Group type: Domain Group
Comment : Juno Printer Group
media
SID : S-1-5-21-33333-77777-33333-1017
Unix gid : 20001
Unix group: media
Group type: Domain Group
Comment : Unix Group media
Administrators
SID : S-1-5-32-544
Unix gid : 544
Unix group: Administrators
Group type: Well-known Group
Comment : Wellknown Unix group
Domain Guests
SID : S-1-5-21-33333-77777-33333-514
Unix gid : 514
Unix group: Domain Guests
Group type: Well-known Group
Comment : Wellknown Unix group
Trusted Local Net Users
SID : S-1-5-21-33333-77777-33333-50002
Unix gid : 50002
Unix group: trusted_local_net_users
Group type: Domain Group
Comment : Trusted Local Net Users
Account Operators
SID : S-1-5-32-548
Unix gid : 548
Unix group: Account Operators
Group type: Well-known Group
Comment : Wellknown Unix group
Schema Admins
SID : S-1-5-21-33333-77777-33333-518
Unix gid : 518
Unix group: Schema Admins
Group type: Well-known Group
Comment : Wellknown Unix group
RAS Servers
SID : S-1-5-32-553
Unix gid : 10123
Unix group: BUILTIN\ras servers
Group type: Local Group
Comment :
scan
SID : S-1-5-21-33333-77777-33333-1006
Unix gid : 232
Unix group: scan
Group type: Local Group
Comment : Local Unix group
Users
SID : S-1-5-32-545
Unix gid : 10000
Unix group: BUILTIN\users
Group type: Local Group
Comment :
Domain Computers
SID : S-1-5-21-33333-77777-33333-515
Unix gid : 515
Unix group: Domain Computers
Group type: Well-known Group
Comment : Wellknown Unix group
Domain Administrator
SID : S-1-5-21-33333-77777-33333-500
Unix gid : 500
Unix group: Domain Administrator
Group type: Well-known Group
Comment : Wellknown Unix group
Print Operators
SID : S-1-5-32-550
Unix gid : 550
Unix group: Print Operators
Group type: Well-known Group
Comment : Wellknown Unix group
Guests
SID : S-1-5-32-546
Unix gid : 546
Unix group: Guests
Group type: Well-known Group
Comment : Wellknown Unix group
Group Policy Creator Owners
SID : S-1-5-21-33333-77777-33333-520
Unix gid : 520
Unix group: Group Policy Creator Owners
Group type: Well-known Group
Comment : Wellknown Unix group
Domain Guest
SID : S-1-5-21-33333-77777-33333-501
Unix gid : 501
Unix group: Domain Guest
Group type: Well-known Group
Comment : Wellknown Unix group
Enterprise Admins
SID : S-1-5-21-33333-77777-33333-519
Unix gid : 519
Unix group: Enterprise Admins
Group type: Well-known Group
Comment : Wellknown Unix group
lawgroup
SID : S-1-5-21-33333-77777-33333-61008
Unix gid : 201
Unix group: lawgroup
Group type: Domain Group
Comment : Domain Unix group
-----
In the "well known SIDs", some are supposed to be per-domain SIDs
(thus they have the 3-7-3 pattern), while others (like Print Operators) have
fixed numbers (not in the domain)... thus the differences in the SIDs above.
I referred to http://support.microsoft.com/kb/243330 as a reference in
setting up the above, so any mistakes are my own (as usual!)...
As you can see, most of the groups above are 'well known groups -- as they
are defined by MS'...
---
Commands used - various:
Sample:
# net rpc group addmem 'Domain Users' law
Enter root's password:
Can only add members to global or local groups which Domain Users is not
----
But now with Domain Admins as a NT group, I get:
# net rpc group addmem 'Domain Admins' law
Enter root's password:
Could not add law to Domain Admins: NT_STATUS_ACCESS_DENIED
---------------
Global section:
# Samba config file hand created - alphabetized restored from SWAT damage
[global]
add user script = /usr/sbin/useradd -m %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u
aio read size = 16384
aio write size = 16384
allocation roundup size = 4096
bind interfaces only = Yes
block size = 4096
client managed wide links = yes
create mask = 03775
debug class = yes
debug hires timestamp = no
debug prefix timestamp = no
delete user script = /usr/sbin/userdel %u
delete group script = /usr/sbin/groupdel %g
display charset = UTF-8
domain logons = Yes
domain master = Yes
ea support = Yes
enable core files = yes
force create mode = 0660
force directory mode = 0770
guest account = guest
idmap backend = tdb
idmap config * : range = 0 - 100000
idmap config * : base_rid=0
idmap uid=15000-20000
idmap gid=10000-14000
interfaces = eth0,lo
log file = /var/log/samba/log-%D.%m
log level = 1 tdb:1 smb:1 idmap:1 winbind:1
logon path = \\%D\%U\profile
logon drive = i:
logon home = \\%D\%U
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
max xmit = 1048576
min receivefile size = 16384
name resolve order = lmhosts host wins bcast
netbios name = Ishtar
netbios aliases = Bliss
os level = 65
passdb backend = tdbsam:/etc/samba/.internals/passwd.tdb
passwd program = /usr/bin/passwd '%u'
password server = localhost
preferred master = Yes
printing = bsd
print command = lpr -r -P'%p' %s
rpc_server:epmapper = daemon
server string = Bliss on %h running Samba %v
set primary group script = /usr/sbin/usermod -g '%g' '%u'
show add printer wizard = No
smb encrypt = disabled
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=4194304 SO_RCVBUF=4194304
#store dos attributes = yes
state directory = /etc/samba/.internals
#strict allocate = yes ;not useful for my domain
time server = Yes
unix extensions = Yes
unix password sync = Yes
use sendfile = Yes
username map = /etc/samba/smbusers
wide links = yes
winbind enum groups = Yes
winbind enum users = Yes
wins support = Yes
workgroup = Bliss
write cache size = 655360
[netlogon]
path = /home/%D/%U
guest ok = Yes
follow symlinks = yes
wide links = yes
write list = +Administrators, root, law
csc policy = disable
[public]
comment = public include files
guest ok = Yes
acl group control = yes
inherit acls = yes
follow symlinks = yes
wide links = yes
path = /home/%D/public
read only = Yes
write list = +Administrators
[homes]
acl group control = yes
store dos attributes = yes
comment = hdir, u=%u, U=%U, S=%S, D=%D, w=%w, H=%H p=%p
create mask = 0751
follow symlinks = yes
inherit acls = yes
map acl inherit = yes
path = /home/%D/%u
read only = no
valid users = %S, %D%w%S, +Domain\ Admins, +Administrators, +wheel
wide links = yes
vfs objects = recycle, readahead, shadow_copy2
readahead:length = 512K
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home
[servhome]
acl group control = yes
map acl inherit = yes
store dos attributes = yes
inherit acls = yes
comment = shomedir u=%u, U=%U, s=%S, d=%D, w=%w
follow symlinks = yes
path = /home/%U
read only = no
create mask = 0751
vfs objects = recycle, readahead
vfs objects = recycle, readahead, shadow_copy2
wide links = yes
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home
[scans]
comment = Juno scans
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
follow symlinks = yes
wide links = yes
path = /home/scan
valid users = +trusted_local_net_users
write list = law, Juno
recycle: keeptree = true
[home]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = Home-star (allhomes)
follow symlinks = yes
read only = no
wide links = yes
path = /home
valid users = +trusted_local_net_users,%U,%S, %D%w%S
write list = %U, +Administrators, +Domain\ Admins
vfs objects = recycle, readahead, shadow_copy2
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home
[Pictures]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = Domain User's Home Pictures
follow symlinks = yes
wide links = yes
path = /home/%D/Documents/%U/Pictures
read only = no
valid users = %D\%U, +Administrators
write list = %U, +Administrators, +Domain\ Admins
vfs objects = recycle, readahead, shadow_copy2
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home
[Documents]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = Domain User's Home Documents
follow symlinks = yes
wide links = yes
path = /home/%D/Documents/%U
read only = no
write list = %U, +Administrators, +Domain\ Admins
valid users = %D\%U, Administrators
vfs objects = recycle, readahead, shadow_copy2
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home
[Windows]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = C:\Windows (Athenae in /home/C:Windows)
path = /home/C:Windows
follow symlinks = yes
wide links = yes
read list = law, +wheel, root, +Administrators, +Domain\ Admins
read only = Yes
create mask = 0755
vfs objects = readahead
[backup]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
follow symlinks = yes
wide links = yes
comment = Host backup-dirs (M=%M, m=%m P=%P S=%S I=%I, u=%u, U=%U)
path = /backups/%m
write list = +Administrators, law, +Power\ Users, root, +Domain\ Admins, +Backup\ Operators
vfs objects = readahead
[backups_by_user]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = User backup dirs
follow symlinks = yes
wide links = yes
path = /backups/%u
write list = +Administrators, law, +Power\ Users, root, +Domain\ Admins, +Administrators, +Backup\ Operators
[backups_athenae]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
follow symlinks = yes
wide links = yes
comment = Athenae Recovery
path = /backups/athenae
guest ok = yes
write list = +Administrators, law, root, +Backup\ Operators
[usr_share]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = /usr/share
follow symlinks = yes
wide links = yes
path = /usr/share
write list = law
vfs objects = readahead
recycle: keeptree = true
[usr_share_doc]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = /usr/share/doc
follow symlinks = yes
wide links = yes
path = /usr/share/doc
write list = law
vfs objects = readahead
recycle: keeptree = true
[suse11.3]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = suse11.3 repository
follow symlinks = yes
wide links = yes
path = /suse11.3
read only = yes
vfs objects = readahead
guest ok = yes
[Audio]
acl group control = yes
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
comment = Audio Data
follow symlinks = yes
wide links = yes
path = /Share/Audio
read only = no
vfs objects = readahead
write list = law
guest ok = Yes
vfs objects = recycle, readahead
recycle: keeptree = true
[Music]
acl group control = yes
store dos attributes = yes
guest ok = Yes
map acl inherit = yes
inherit acls = yes
read only = no
follow symlinks = yes
wide links = yes
comment = Shared Music
path = /Share/Music
read list = +Users
read only = no
write list = law, +trusted_local_net_users, +wheel, +Domain\ Admins
vfs objects = recycle, notify_fam, readahead
recycle: keeptree = true
[Share]
acl group control = yes
store dos attributes = yes
guest ok = Yes
map acl inherit = yes
inherit acls = yes
follow symlinks = yes
wide links = yes
comment = Share
path = /Share
read only = no
read list = +Users, +trusted_local_net_users, +Domain\ Admins, +Administrators
write list = law, +Administrators
vfs objects = recycle, readahead
recycle: keeptree = true
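The groupmap listing in the message above can be checked mechanically against the well-known RIDs in KB 243330 (the article the message cites), which is what a reviewer would do before touching `net rpc group addmem`. The script below is an added example, not code from the original post or from the Samba project: it parses `net groupmap list` output in the layout shown in the message, compares each SID's RID with the KB 243330 table embedded in the script, and reports entries whose name and RID disagree (for instance a "Domain Admins" mapping on RID 544, which KB 243330 assigns to the BUILTIN Administrators alias, rather than RID 512), group mappings on the well-known user RIDs 500 and 501, and entries typed "Well-known Group", which the quoted `addmem` error says the command will not accept. The sample listing at the bottom is a constructed excerpt in the message's layout, using the message's redacted-looking domain SID values; the function names are this example's own.

```python
"""Audit 'net groupmap list' output against the well-known RIDs of KB 243330.

Added example (not from the original post or the Samba project). The RID
tables are the documented well-known set; the sample listing is constructed.
"""
import re

# Domain-relative RIDs (S-1-5-21-<domain>-<rid>) per KB 243330.
DOMAIN_RIDS = {
    500: ("Administrator", "user"),
    501: ("Guest", "user"),
    512: ("Domain Admins", "group"),
    513: ("Domain Users", "group"),
    514: ("Domain Guests", "group"),
    515: ("Domain Computers", "group"),
    516: ("Domain Controllers", "group"),
    517: ("Cert Publishers", "group"),
    518: ("Schema Admins", "group"),
    519: ("Enterprise Admins", "group"),
    520: ("Group Policy Creator Owners", "group"),
}

# BUILTIN aliases (S-1-5-32-<rid>) per KB 243330.
BUILTIN_RIDS = {
    544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
    548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
    551: "Backup Operators", 552: "Replicators", 553: "RAS and IAS Servers",
}

FIELD_RE = re.compile(r"^(SID|Unix gid|Unix group|Group type|Comment)\s*:\s*(.*?)\s*$")
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
BUILTIN_SID_RE = re.compile(r"^S-1-5-32-(\d+)$")


def parse_groupmap(text):
    """Parse 'net groupmap list' output (indented or flattened) into dicts.

    A line that is not one of the known 'field : value' lines starts a new
    entry and is taken as the group's mapping name.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m is None:
            current = {"name": line}
            entries.append(current)
        elif current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def audit_entry(entry):
    """Return a list of human-readable findings for one groupmap entry."""
    findings = []
    name, sid = entry["name"], entry.get("SID", "")
    group_rids = {n.lower(): rid for rid, (n, kind) in DOMAIN_RIDS.items() if kind == "group"}
    builtin_rids = {n.lower(): rid for rid, n in BUILTIN_RIDS.items()}

    dm, bm = DOMAIN_SID_RE.match(sid), BUILTIN_SID_RE.match(sid)
    if dm:
        rid = int(dm.group(1))
        if rid in DOMAIN_RIDS:
            exp_name, kind = DOMAIN_RIDS[rid]
            if kind == "user":
                findings.append(f"RID {rid} is the well-known user '{exp_name}', not a group")
            elif exp_name.lower() != name.lower():
                findings.append(f"RID {rid} is '{exp_name}' per KB 243330, mapped here as '{name}'")
        if name.lower() in group_rids and group_rids[name.lower()] != rid:
            findings.append(f"'{name}' should use RID {group_rids[name.lower()]}, not {rid}")
        if name.lower() in builtin_rids:
            findings.append(f"'{name}' is a BUILTIN alias (S-1-5-32-{builtin_rids[name.lower()]}), not a domain group")
    elif bm:
        rid = int(bm.group(1))
        exp_name = BUILTIN_RIDS.get(rid)
        if exp_name is None:
            findings.append(f"S-1-5-32-{rid} is not a documented BUILTIN alias")
        elif exp_name.lower() != name.lower():
            findings.append(f"S-1-5-32-{rid} is '{exp_name}' per KB 243330, mapped here as '{name}'")
    else:
        findings.append(f"unrecognised SID format: {sid!r}")

    # The post's quoted error: addmem only accepts global (domain) or local groups.
    if entry.get("Group type") == "Well-known Group":
        findings.append("type 'Well-known Group': 'net rpc group addmem' refuses it; remap as a domain or local group")
    return findings


def audit(text):
    """Map each entry name to its findings; entries with no findings are omitted."""
    return {e["name"]: f for e in parse_groupmap(text) if (f := audit_entry(e))}


# Constructed excerpt in the layout of the post's listing (not the full output).
SAMPLE = """\
Domain Users
SID : S-1-5-21-33333-77777-33333-513
Unix gid : 513
Group type: Well-known Group
Domain Admins
SID : S-1-5-21-33333-77777-33333-544
Unix gid : 512
Group type: Domain Group
Domain Administrator
SID : S-1-5-21-33333-77777-33333-500
Group type: Well-known Group
Administrators
SID : S-1-5-32-544
Group type: Well-known Group
media
SID : S-1-5-21-33333-77777-33333-1017
Group type: Domain Group
"""

if __name__ == "__main__":
    for group, notes in audit(SAMPLE).items():
        for note in notes:
            print(f"{group}: {note}")
```

Run it against `net groupmap list` output piped through the script; every clean entry (like `media` above) produces no line, so an empty report means names, RIDs and types agree with KB 243330 and nothing is typed as a well-known group.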