[Samba] Fwd: Re: Can't add users to well known groups...

François Legal devel at thom.fr.eu.org
Mon Sep 12 07:52:54 MDT 2011


  

Forgot to CC the list. 

-------- Original Message --------

Subject: Re: [Samba] Can't add users to well known groups...
Date: Mon, 12 Sep 2011 15:51:31 +0200
From: François Legal
To: Linda Walsh

Not sure if this is relevant, but if (first case shown down here) "Domain
Admins" is not so much a group but a map to a unix group, I'm not surprised
that you can't add users to it using samba. I would rather use /etc/group or
whatever to add users to the mapped unix group.

François 

On Sat, 10 Sep 2011 12:08:32 -0700, Linda Walsh wrote: 

> Harry Jede wrote:
> 
>> On 15:48:09 wrote Linda Walsh: 
>> 
>>> I created the well known group Domain Admins pointing to a local group,
>>> but I am not able to add users to the group -- it claims I can only add
>>> users to local or global groups... But I only see local, domain,
>>> well-known, builtin. There are no global groups unless one would include
>>> all groups that are not local (i.e. domain, well-known, and builtin)....
>>> So why doesn't it want to let me add to my domain admins group when it
>>> is defined as a well known group (which it is, according to MS)...
>>
>> Nobody may be able to answer your questions, if you don't give us some
>> background information! Something like:
>> - which samba version
>> - which sam, ldapsam or tdbsam do you use
>> - winbind
>> - your global section of samba conf
>> - the commands you have used
>> - which well known groups you have currently
>> ---
> 
> Sorry...
> running with latest 3.5.x: 3.5.11 as of this writing.
> Using Tdb & winbind.
> Since I was having problems with Domain Admins, tried deleting it and
> recreating it as a domain group (so it doesn't show, below, as a 'well
> known group, but a domain group (even though it should be both)).
> --------------
> 
>> sudo net -l groupmap list
> 
> Domain Users
> SID : S-1-5-21-33333-77777-33333-513
> Unix gid : 513
> Unix group: Domain Users
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> man
> SID : S-1-5-21-33333-77777-33333-1028
> Unix gid : 62
> Unix group: man
> Group type: Domain Group
> Comment : Unix Group man
> 
> Domain Controllers
> SID : S-1-5-21-33333-77777-33333-516
> Unix gid : 516
> Unix group: Domain Controllers
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Backup Operators
> SID : S-1-5-32-551
> Unix gid : 551
> Unix group: Backup Operators
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Power Users
> SID : S-1-5-32-547
> Unix gid : 547
> Unix group: Power Users
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Cert Publishers
> SID : S-1-5-21-33333-77777-33333-517
> Unix gid : 517
> Unix group: Cert Publishers
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Replicators
> SID : S-1-5-32-552
> Unix gid : 552
> Unix group: Replicators
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Domain Admins
> SID : S-1-5-21-33333-77777-33333-544
> Unix gid : 512
> Unix group: Domain Admins
> Group type: Domain Group
> Comment : Domain Unix group
> 
> Juno
> SID : S-1-5-21-33333-77777-33333-1005
> Unix gid : 231
> Unix group: Juno
> Group type: Domain Group
> Comment : Juno Printer Group
> 
> media
> SID : S-1-5-21-33333-77777-33333-1017
> Unix gid : 20001
> Unix group: media
> Group type: Domain Group
> Comment : Unix Group media
> 
> Administrators
> SID : S-1-5-32-544
> Unix gid : 544
> Unix group: Administrators
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Domain Guests
> SID : S-1-5-21-33333-77777-33333-514
> Unix gid : 514
> Unix group: Domain Guests
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Trusted Local Net Users
> SID : S-1-5-21-33333-77777-33333-50002
> Unix gid : 50002
> Unix group: trusted_local_net_users
> Group type: Domain Group
> Comment : Trusted Local Net Users
> 
> Account Operators
> SID : S-1-5-32-548
> Unix gid : 548
> Unix group: Account Operators
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Schema Admins
> SID : S-1-5-21-33333-77777-33333-518
> Unix gid : 518
> Unix group: Schema Admins
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> RAS Servers
> SID : S-1-5-32-553
> Unix gid : 10123
> Unix group: BUILTINras servers
> Group type: Local Group
> Comment :
> 
> scan
> SID : S-1-5-21-33333-77777-33333-1006
> Unix gid : 232
> Unix group: scan
> Group type: Local Group
> Comment : Local Unix group
> 
> Users
> SID : S-1-5-32-545
> Unix gid : 10000
> Unix group: BUILTINusers
> Group type: Local Group
> Comment :
> 
> Domain Computers
> SID : S-1-5-21-33333-77777-33333-515
> Unix gid : 515
> Unix group: Domain Computers
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Domain Administrator
> SID : S-1-5-21-33333-77777-33333-500
> Unix gid : 500
> Unix group: Domain Administrator
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Print Operators
> SID : S-1-5-32-550
> Unix gid : 550
> Unix group: Print Operators
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Guests
> SID : S-1-5-32-546
> Unix gid : 546
> Unix group: Guests
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Group Policy Creator Owners
> SID : S-1-5-21-33333-77777-33333-520
> Unix gid : 520
> Unix group: Group Policy Creator Owners
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Domain Guest
> SID : S-1-5-21-33333-77777-33333-501
> Unix gid : 501
> Unix group: Domain Guest
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> Enterprise Admins
> SID : S-1-5-21-33333-77777-33333-519
> Unix gid : 519
> Unix group: Enterprise Admins
> Group type: Well-known Group
> Comment : Wellknown Unix group
> 
> lawgroup
> SID : S-1-5-21-33333-77777-33333-61008
> Unix gid : 201
> Unix group: lawgroup
> Group type: Domain Group
> Comment : Domain Unix group
> 
> -----
> In the "well known SID's", some are supposed to be PER-Domain SIDS (thus
> they have the 3-7-3 pattern), while others (like Print Operators) have
> fixed numbers (not in domain)...thus the differences in the SID's above.
> I referred to http://support.microsoft.com/kb/243330 [1] as a reference in
> setting up the above so any mistakes are my own (as usual!))....
> 
> As you can see most of the groups above are 'well known groups -- as they
> are defined by MS'...
> 
> =--
> Commands used - various:
> Sample:
> # net rpc group addmem 'Domain Users' law
> Enter root's password:
> Can only add members to global or local groups which Domain Users is not
> ----
> But now with Domain Admins as a NT group, I get:
> # net rpc group addmem 'Domain Admins' law
> Enter root's password:
> Could not add law to Domain Admins: NT_STATUS_ACCESS_DENIED
> ---------------
> 
> Global section:
> # Samba config file hand created - alphabetized restored from SWAT damage
> 
> [global]
> 
> add user script = /usr/sbin/useradd -m %u
> add group script = /usr/sbin/groupadd %g
> add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u
> aio read size = 16384
> aio write size = 16384
> allocation roundup size = 4096
> bind interfaces only = Yes
> block size = 4096
> client managed wide links = yes
> create mask = 03775
> debug class = yes
> debug hires timestamp = no
> debug prefix timestamp = no
> delete user script = /usr/sbin/userdel %u
> delete group script = /usr/sbin/groupdel %g
> display charset = UTF-8
> domain logons = Yes
> domain master = Yes
> ea support = Yes
> enable core files = yes
> force create mode = 0660
> force directory mode = 0770
> guest account = guest
> idmap backend = tdb
> idmap config * : range = 0 - 100000
> idmap config * : base_rid=0
> idmap uid=15000-20000
> idmap gid=10000-14000
> interfaces = eth0,lo
> log file = /var/log/samba/log-%D.%m
> log level = 1 tdb:1 smb:1 idmap:1 winbind:1
> logon path = \%D%Uprofile
> logon drive = i:
> logon home = \%D%U
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> max xmit = 1048576
> min receivefile size = 16384
> name resolve order = lmhosts host wins bcast
> netbios name = Ishtar
> netbios aliases = Bliss
> os level = 65
> passdb backend = tdbsam:/etc/samba/.internals/passwd.tdb
> passwd program = /usr/bin/passwd '%u'
> password server = localhost
> preferred master = Yes
> printing = bsd
> print command = lpr -r -P'%p' %s
> rpc_server:epmapper = daemon
> server string = Bliss on %h running Samba %v
> set primary group script = /usr/sbin/usermod -g '%g' '%u'
> show add printer wizard = No
> smb encrypt = disabled
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=4194304 SO_RCVBUF=4194304
> #store dos attributes = yes
> state directory = /etc/samba/.internals
> #strict allocate = yes ;not useful for my domain
> time server = Yes
> unix extensions = Yes
> unix password sync = Yes
> use sendfile = Yes
> username map = /etc/samba/smbusers
> wide links = yes
> winbind enum groups = Yes
> winbind enum users = Yes
> wins support = Yes
> workgroup = Bliss
> write cache size = 655360
> 
> [netlogon]
> path = /home/%D/%U
> guest ok = Yes
> follow symlinks = yes
> wide links = yes
> write list = +Administrators, root, law
> csc policy = disable
> 
> [public]
> comment = public include files
> guest ok = Yes
> acl group control = yes
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
> path = /home/%D/public
> read only = Yes
> write list = +Administrators
> 
> [homes]
> acl group control = yes
> store dos attributes = yes
> comment = hdir, u=%u, U=%U, S=%S, D=%D, w=%w, H=%H p=%p
> create mask = 0751
> follow symlinks = yes
> inherit acls = yes
> map acl inherit = yes
> path = /home/%D/%u
> read only = no
> valid users = %S, %D%w%S, +Domain Admins, +Administrators, +wheel
> wide links = yes
> vfs objects = recycle, readahead, shadow_copy2
> readahead:length = 512K
> recycle: keeptree = true
> shadow:snapdir = /home/snapdir
> shadow:basedir = /home
> 
> [servhome]
> acl group control = yes
> map acl inherit = yes
> store dos attributes = yes
> inherit acls = yes
> comment = shomedir u=%u, U=%U, s=%S, d=%D, w=%w
> follow symlinks = yes
> path = /home/%U
> read only = no
> create mask = 0751
> vfs objects = recycle, readahead
> vfs objects = recycle, readahead, shadow_copy2
> wide links = yes
> recycle: keeptree = true
> shadow:snapdir = /home/snapdir
> shadow:basedir = /home
> 
> [scans]
> comment = Juno scans
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
> path = /home/scan
> valid users = +trusted_local_net_users
> write list = law, Juno
> recycle: keeptree = true
> 
> [home]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = Home-star (allhomes)
> follow symlinks = yes
> read only = no
> wide links = yes
> path = /home
> valid users = +trusted_local_net_users,%U,%S, %D%w%S
> write list = %U, +Administrators, +Domain Admins
> vfs objects = recycle, readahead, shadow_copy2
> recycle: keeptree = true
> shadow:snapdir = /home/snapdir
> shadow:basedir = /home
> 
> [Pictures]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = Domain User's Home Pictures
> follow symlinks = yes
> wide links = yes
> path = /home/%D/Documents/%U/Pictures
> read only = no
> valid users = %D%U, +Administrators
> write list = %U, +Administrators, +Domain Admins
> vfs objects = recycle, readahead, shadow_copy2
> recycle: keeptree = true
> shadow:snapdir = /home/snapdir
> shadow:basedir = /home
> 
> [Documents]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = Domain User's Home Documents
> follow symlinks = yes
> wide links = yes
> path = /home/%D/Documents/%U
> read only = no
> write list = %U, +Administrators, +Domain Admins
> valid users = %D%U, Administrators
> vfs objects = recycle, readahead, shadow_copy2
> recycle: keeptree = true
> shadow:snapdir = /home/snapdir
> shadow:basedir = /home
> 
> [Windows]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = C:Windows (Athenae in /home/C:Windows)
> path = /home/C:Windows
> follow symlinks = yes
> wide links = yes
> read list = law, +wheel, root, +Administrators, +Domain Admins
> read only = Yes
> create mask = 0755
> vfs objects = readahead
> 
> [backup]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
> comment = Host backup-dirs (M=%M, m=%m P=%P S=%S I=%I, u=%u, U=%U)
> path = /backups/%m
> write list = +Administrators, law, +Power Users, root, +Domain Admins, +Backup Operators
> vfs objects = readahead
> 
> [backups_by_user]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = User backup dirs
> follow symlinks = yes
> wide links = yes
> path = /backups/%u
> write list = +Administrators, law, +Power Users, root, +Domain Admins, +Administrators, +Backup Operators
> 
> [backups_athenae]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
> comment = Athenae Recovery
> path = /backups/athenae
> guest ok = yes
> write list = +Administrators, law, root, +Backup Operators
> 
> [usr_share]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = /usr/share
> follow symlinks = yes
> wide links = yes
> path = /usr/share
> write list = law
> vfs objects = readahead
> recycle: keeptree = true
> 
> [usr_share_doc]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = /usr/share/doc
> follow symlinks = yes
> wide links = yes
> path = /usr/share/doc
> write list = law
> vfs objects = readahead
> recycle: keeptree = true
> 
> [suse11.3]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = suse11.3 repository
> follow symlinks = yes
> wide links = yes
> path = /suse11.3
> read only = yes
> vfs objects = readahead
> guest ok = yes
> 
> [Audio]
> acl group control = yes
> store dos attributes = yes
> map acl inherit = yes
> inherit acls = yes
> comment = Audio Data
> follow symlinks = yes
> wide links = yes
> path = /Share/Audio
> read only = no
> vfs objects = readahead
> write list = law
> guest ok = Yes
> vfs objects = recycle, readahead
> recycle: keeptree = true
> 
> [Music]
> acl group control = yes
> store dos attributes = yes
> guest ok = Yes
> map acl inherit = yes
> inherit acls = yes
> read only = no
> follow symlinks = yes
> wide links = yes
> comment = Shared Music
> path = /Share/Music
> read list = +Users
> read only = no
> write list = law, +trusted_local_net_users, +wheel, +Domain Admins
> vfs objects = recycle, notify_fam, readahead
> recycle: keeptree = true
> 
> [Share]
> acl group control = yes
> store dos attributes = yes
> guest ok = Yes
> map acl inherit = yes
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
> comment = Share
> path = /Share
> read only = no
> read list = +Users, +trusted_local_net_users, +Domain Admins, +Administrators
> write list = law, +Administrators
> vfs objects = recycle, readahead
> recycle: keeptree = true

  

Links:
------
[1]
http://support.microsoft.com/kb/243330
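Editor's added example (not part of the thread, and not Samba project code): a small Python audit of a `net groupmap list` listing like the one quoted above. It checks each well-known group name against the RID it must carry (from KB243330: Domain Admins 512, Domain Users 513 ... under the domain SID; Administrators 544, Users 545 ... under BUILTIN S-1-5-32), flags entries typed "Well-known Group", which is the type `net rpc group addmem` rejects with the "Can only add members to global or local groups" message shown in the thread, and emits a `net groupmap` command to re-create a bad mapping. The sample listing is constructed from three entries in the quoted output; on it the audit reports that "Domain Admins" carries RID 544 (the BUILTIN Administrators RID) instead of 512. The `net groupmap add ... sid=... type=...` syntax is the Samba 3 net(8) form and should be confirmed against the local `net help groupmap` before use.

```python
"""Audit a Samba 3 'net groupmap list' listing against the well-known RIDs.
Added example, not code from the Samba project or from the post above; the
sample listing is built from entries in that post, RIDs are from KB243330."""
import re

# Domain groups live under the domain SID (S-1-5-21-a-b-c-<rid>), BUILTIN
# aliases under S-1-5-32-<rid>; RIDs 500 and 501 are user accounts, not groups.
DOMAIN_GROUP_RIDS = {
    "Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514,
    "Domain Computers": 515, "Domain Controllers": 516, "Cert Publishers": 517,
    "Schema Admins": 518, "Enterprise Admins": 519,
    "Group Policy Creator Owners": 520}
BUILTIN_ALIAS_RIDS = {
    "Administrators": 544, "Users": 545, "Guests": 546, "Power Users": 547,
    "Account Operators": 548, "Server Operators": 549, "Print Operators": 550,
    "Backup Operators": 551, "Replicators": 552, "RAS Servers": 553}
USER_RIDS = {500: "Administrator", 501: "Guest"}
SID_RE = re.compile(r"^S-1-5-(?P<auth>21(?:-\d+){3}|32)-(?P<rid>\d+)$")
FIELD_RE = re.compile(r"^(SID|Unix gid|Unix group|Group type|Comment)\s*:\s*(.*?)\s*$")


def parse_groupmap(text):
    """Parse verbose 'net groupmap list' output; a leading '> ' quote is tolerated."""
    groups, cur = [], None
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            if cur is None:
                raise ValueError("field before any group name: " + line)
            key, val = m.groups()
            cur[key] = int(val) if key == "Unix gid" else val
        else:                        # any other non-empty line names a new entry
            cur = {"name": line, "Comment": ""}
            groups.append(cur)
    return groups


def audit(groups):
    """Return (group name, problem) pairs for mappings that will not behave as intended."""
    findings = []
    for g in groups:
        name, sid, m = g["name"], g["SID"], SID_RE.match(g["SID"])
        if not m:
            findings.append((name, f"SID {sid} is neither a domain nor a BUILTIN SID"))
            continue
        builtin, rid = m.group("auth") == "32", int(m.group("rid"))
        if name in BUILTIN_ALIAS_RIDS:
            if not builtin or rid != BUILTIN_ALIAS_RIDS[name]:
                findings.append((name, f"should be S-1-5-32-{BUILTIN_ALIAS_RIDS[name]}, is {sid}"))
        elif name in DOMAIN_GROUP_RIDS:
            if builtin or rid != DOMAIN_GROUP_RIDS[name]:
                findings.append((name, f"should be <domain SID>-{DOMAIN_GROUP_RIDS[name]}, is {sid}"))
        elif not builtin and rid in USER_RIDS:
            findings.append((name, f"RID {rid} is the {USER_RIDS[rid]} user, not a group"))
        # 'net rpc group addmem' only handles domain (global) and local groups,
        # which is the error the post shows for its 'Well-known Group' mappings.
        if g["Group type"] == "Well-known Group":
            findings.append((name, "typed 'Well-known Group'; addmem needs domain or local"))
    return findings


def suggest_fix(g, domain_sid):
    """Shell line re-creating a well-known mapping with the expected SID and type
    (Samba 3 net(8) groupmap syntax; confirm against 'net help groupmap')."""
    if g["name"] in BUILTIN_ALIAS_RIDS:
        sid, gtype = f"S-1-5-32-{BUILTIN_ALIAS_RIDS[g['name']]}", "b"
    elif g["name"] in DOMAIN_GROUP_RIDS:
        sid, gtype = f"{domain_sid}-{DOMAIN_GROUP_RIDS[g['name']]}", "d"
    else:
        return None
    return (f'net groupmap delete ntgroup="{g["name"]}"; net groupmap add '
            f'ntgroup="{g["name"]}" unixgroup="{g["Unix group"]}" sid={sid} type={gtype}')


DOMAIN_SID = "S-1-5-21-33333-77777-33333"    # domain SID seen in the listing
SAMPLE = """\
> Domain Users
> SID : S-1-5-21-33333-77777-33333-513
> Unix gid : 513
> Unix group: Domain Users
> Group type: Well-known Group
> Comment : Wellknown Unix group
> Domain Admins
> SID : S-1-5-21-33333-77777-33333-544
> Unix gid : 512
> Unix group: Domain Admins
> Group type: Domain Group
> Comment : Domain Unix group
> lawgroup
> SID : S-1-5-21-33333-77777-33333-61008
> Unix gid : 201
> Unix group: lawgroup
> Group type: Domain Group
> Comment : Domain Unix group
"""

if __name__ == "__main__":
    for name, problem in audit(parse_groupmap(SAMPLE)):
        print(f"{name}: {problem}")
```

Feed it the real output with `net groupmap list -v | python3 audit_groupmap.py`-style plumbing by replacing `SAMPLE` with `sys.stdin.read()`; the parser only relies on the `Field : value` lines, so the indentation Samba prints is irrelevant. Ordinary domain groups such as `lawgroup` produce no finding, and a mapping is only re-created when its name is one of the well-known ones, since for anything else the existing SID is the authoritative one.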

