Well, this code patch seems to fix the problem with my missing groups...
Seems like because they were declared as well known groups (Domain Admins,
Domain Users...etc.)
They weren't being listed...
Seems a bit odd for a PDC to not list well known groups... no?
It looks like the code was intended to prevent people from using
the BUILTIN groups -- which doesn't seem to make a lot of sense
either.
Can someone clarify why we shouldn't be able to add/subtract from
well known or builtin groups?
MS publishes a list of well known groups that most domains would expect
to have, but when I tried to add them to my domain, they all became
unlistable and unusable.
Color me confused?
-linda
Linda Walsh wrote:
I created the well known group Domain Admins pointing to a local group,
but I am not able to add users to the group -- it claims I can only
add users to local or global groups...
But I only see local, domain, well-known, builtin.
There are no global groups unless one would include all groups that are
not local (i.e. domain, well-known, and builtin)....
So why doesn't it want to let me add to my domain admins group when it is
defined as a well known group (which it is, according to MS)...
--- net_sam.c 2011-08-03 11:24:05.000000000 -0700
+++ net_sam.c 2011-09-09 19:27:39.190245264 -0700
@@ -1208,7 +1208,7 @@
}
}
- if ((grouptype == SID_NAME_ALIAS) || (grouptype ==
SID_NAME_WKN_GRP)) {
+ if ((grouptype == SID_NAME_ALIAS) ) {
if ((membertype != SID_NAME_USER) &&
(membertype != SID_NAME_DOM_GRP)) {
d_fprintf(stderr, _("%s is a local group, only
users "
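Review bot: With SID_NAME_WKN_GRP dropped from this condition, the membertype check inside the branch (only SID_NAME_USER or SID_NAME_DOM_GRP accepted) no longer runs when the target is a well-known group. Confirm that the branch which now handles these groups rejects unsuitable member types, or keep an explicit member-type check for SID_NAME_WKN_GRP. Style nit on the same line: `SID_NAME_ALIAS) )` has a stray space and redundant inner parentheses; `if (grouptype == SID_NAME_ALIAS) {` would match the form used in the later hunks.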
@@ -1224,7 +1224,7 @@
"with %s\n"), nt_errstr(status));
return -1;
}
- } else if (grouptype == SID_NAME_DOM_GRP) {
+ } else if (grouptype == SID_NAME_DOM_GRP || grouptype ==
SID_NAME_WKN_GRP) {
uint32_t grouprid, memberrid;
sid_peek_rid(&group, &grouprid);
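Review bot: Sending SID_NAME_WKN_GRP into the domain-group branch means the group is identified from here on only by the RID that `sid_peek_rid(&group, &grouprid)` extracts. That is only sound when the well-known group's SID sits under the domain SID. For a well-known SID outside the domain, the bare RID could be interpreted as a different, domain-relative group. Consider verifying that the group SID is in the domain before taking this branch, and returning an error otherwise.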
@@ -1284,8 +1284,7 @@
}
}
- if ((grouptype == SID_NAME_ALIAS) ||
- (grouptype == SID_NAME_WKN_GRP)) {
+ if (grouptype == SID_NAME_ALIAS) {
status = pdb_del_aliasmem(&group, &member);
if (!NT_STATUS_IS_OK(status)) {
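Review bot: After this change `pdb_del_aliasmem(&group, &member)` is never reached for SID_NAME_WKN_GRP, so any membership that was stored through the alias path before the patch can no longer be removed with this command. If such entries can exist, either keep a fallback to the alias deletion for well-known groups or document the migration step needed to clean them up.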
@@ -1293,7 +1292,7 @@
"with %s\n"), nt_errstr(status));
return -1;
}
- } else if (grouptype == SID_NAME_DOM_GRP) {
+ } else if (grouptype == SID_NAME_DOM_GRP || SID_NAME_WKN_GRP) {
uint32_t grouprid, memberrid;
sid_peek_rid(&group, &grouprid);
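Review bot: The new condition `grouptype == SID_NAME_DOM_GRP || SID_NAME_WKN_GRP` is always true, because the second operand is a bare non-zero enum constant rather than a comparison. Every group type that is not SID_NAME_ALIAS will now enter the domain-group deletion path. It should read `grouptype == SID_NAME_DOM_GRP || grouptype == SID_NAME_WKN_GRP`, as in the corresponding add-member hunk.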
@@ -1349,8 +1348,7 @@
return -1;
}
- if ((grouptype == SID_NAME_ALIAS) ||
- (grouptype == SID_NAME_WKN_GRP)) {
+ if (grouptype == SID_NAME_ALIAS) {
status = pdb_enum_aliasmem(&group, talloc_tos(), &members,
&num_members);
if (!NT_STATUS_IS_OK(status)) {
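Review bot: Unlike the add and delete hunks, this one removes SID_NAME_WKN_GRP from the `pdb_enum_aliasmem` branch without adding it to any other branch in the visible lines. Unless the following else-branch already accepts well-known groups, listing members of such a group will fall through to whatever the default case is. Please add the matching `grouptype == SID_NAME_WKN_GRP` test to the domain-group enumeration branch so that add, delete and list stay consistent.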
--- net_groupmap.c 2011-08-03 11:24:05.000000000 -0700
+++ net_groupmap.c 2011-09-09 19:30:32.840929705 -0700
@@ -444,12 +444,12 @@
return -1;
}
- if (map.sid_name_use == SID_NAME_WKN_GRP) {
+ /*if (map.sid_name_use == SID_NAME_WKN_GRP) {
d_fprintf(stderr,
_("You can only change between domain and local "
"groups.\n"));
return -1;
- }
+ }*/
map.sid_name_use=sid_type;
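Review bot: Commenting out the SID_NAME_WKN_GRP guard lets `map.sid_name_use=sid_type;` overwrite the type of any existing mapping, including ones the old code deliberately refused to change. If the intent is only to allow well-known groups that live in the domain, narrow the guard instead of disabling it, and in either case delete the dead block rather than leaving it in a comment, since it still contains a translatable `_()` string and obscures what the function now permits.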
@@ -630,13 +630,15 @@
/* Now we have a mapping entry, update that stuff */
if ( c->opt_localgroup || c->opt_domaingroup ) {
- if (map.sid_name_use == SID_NAME_WKN_GRP) {
+ /*
+ * f (map.sid_name_use == SID_NAME_WKN_GRP) {
d_fprintf(stderr,
_("Can't change type of the BUILTIN "
"group %s\n"),
map.nt_name);
return -1;
}
+ */
}
if (c->opt_localgroup)
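Review bot: The commented-out block leaves `if ( c->opt_localgroup || c->opt_domaingroup ) { }` with an empty body, and the comment itself is damaged (`f (map.sid_name_use` has lost its leading `i`). The removed check is the one that printed "Can't change type of the BUILTIN group", so this also drops the only protection against retyping BUILTIN mappings at this point. Either remove the whole outer `if` together with the block, or keep a narrower check that still refuses BUILTIN SIDs.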