Nope - it makes its own SIDs. To prove - it starts and ends with net getlocalsid. Here is the output since I tried it again:

[EMAIL PROTECTED] root]# net getlocalsid
SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
[EMAIL PROTECTED] root]# service smb stop
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
[EMAIL PROTECTED] root]# rm -f /var/cache/samba/group_mapping.tdb
[EMAIL PROTECTED] root]# service smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[EMAIL PROTECTED] root]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
[EMAIL PROTECTED] root]# net getlocalsid
SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 10:34 AM
To: Andrew Judge
Cc: Samba
Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize

On Thu, 8 Jan 2004, Andrew Judge wrote:

> Okay, I did all the below successfully. I actually had the old SID from the
> other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the
> NTUSER.DAT files
>
> Still no luck with the admin rights. It will log into the domain and can
> see the domain groups and I can add them to local groups. It even uses the
> netlogon scripts. Do you need more info? I think we are close though.

Andy,

In the procedure I gave you rather specific steps. That was for a reason. Maybe I should have explained each step a lot more fully.

Samba stores its Domain/Machine SID in the secrets.tdb file. When you deleted the group_mapping.tdb file and then restarted Samba, it re-created the group_mapping.tdb file with all the default accounts. When it did this, the default accounts were initialized with the SID that was in the secrets.tdb file.

I am guessing that you changed the SID _AFTER_ restarting Samba. I was trying to get your SIDs uniform throughout with minimum effort on your part. By resetting the Domain SID, you undid what I was trying to get you to rectify. Your Windows clients will be very confused by the inconsistent SIDs.

What you did by resetting the SID would be expected to break everything again. I am guessing that by running:

    net getlocalsid

you will now be able to confirm that the Samba Domain SID is the same as your original Domain SID.

If you want this to work, you will have to repeat the steps I gave you though. Domain security will not work unless the SIDs are consistent.

Cheers,
John T.

>
> Andy
> -----Original Message-----
> From: John H Terpstra [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 11:42 PM
> To: Andrew Judge
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize
>
> 1. Stop Samba
> 2. Delete the group_mapping.tdb file.
> 3. Restart Samba
>    - the default Domain Groups will automatically be created if you
>      are NOT using LDAP ldapsam.
> 4. Map your groups as follows:
>
>    net groupmap modify ntgroup="Domain Users" unixgroup=users
>    net groupmap modify ntgroup="Domain Admins" unixgroup=root
>    net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
>
>    Add any Domain Groups you may want. Do tie them to existing (manually
>    created UNIX groups) eg:
>
>    groupadd engineers
>    net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
>
>    groupadd ntadmins
>    net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
>
>
>    PS: If you have a problem with these commands email me, I'll help you.
>
>
> 5. Add all users who should have Domain Admin rights to the UNIX root
>    group in /etc/group, like this:
>
>    root::0:jht,jimbo,jack,jill
>
>
> 6. Add all users who should have Workstation Admin rights (Power Users) to
>    the UNIX ntadmins group in /etc/group, like this:
>
>    ntadmins::123:maryo,susant,billm
>
>
> 7. Verify that the groups are correctly mapped:
>
>    net groupmap list.
>
>
> 8. Now: On every windows client machine add:
>
>    a) Domain Admins to the Local Administrators Group
>    b) Domain Power Users to the Local Power Users Group
>
>
>
> > Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> > changed the SID to the last PDC. Anyway, how would I get the right SID? I
> > have NTUSER.DAT files that I can run profiles against to read them. Would
> > that help?
>
> You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
> NTUSER.DAT files.
>
> To obtain the domain SID just run:
>
>    net getlocalsid
>
>
> > First one that can point me in the right direction to get this resolved -
> > I'll buy them an Amazon gift cert for $50. Beats going bald from pulling out
> > my hair.
>
> It's a deal man!
>
>
> - John T.
> --
> John H Terpstra
> Email: [EMAIL PROTECTED]
>

--
John H Terpstra
Email: [EMAIL PROTECTED]
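
The SID consistency check discussed in this thread, as an added example that is not part of the original messages: it compares the SID reported by `net getlocalsid` (treated as the domain SID, as the thread does) with the S-1-5-21-* SIDs in `net groupmap list`. The function names are hypothetical, and the sample input is the output quoted in the first message, with the builtin groups trimmed to two.

```shell
#!/bin/sh
# Added example: function names are hypothetical. Sample input is the output
# quoted in the first message of the thread (builtin groups trimmed to two).
LOCALSID_OUT='SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950'
GROUPMAP_OUT='System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1'

# Pull the SID out of `net getlocalsid` output.
domain_sid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)[[:space:]]*$/\1/p'
}

# $1 = domain SID, $2 = `net groupmap list` output.
# Prints "group<TAB>sid" for every S-1-5-21-* mapping whose SID, with the
# trailing RID removed, differs from the domain SID. Builtin S-1-5-32-*
# aliases are the same on every machine and are skipped.
mismatched_groups() {
    printf '%s\n' "$2" | awk -v dom="$1" '
        match($0, /\(S-1-5-21-[0-9-]+\)/) {
            sid = substr($0, RSTART + 1, RLENGTH - 2)
            prefix = sid
            sub(/-[0-9]+$/, "", prefix)
            if (prefix != dom)
                printf "%s\t%s\n", substr($0, 1, RSTART - 2), sid
        }'
}

# On a live server:
#   mismatched_groups "$(domain_sid "$(net getlocalsid)")" "$(net groupmap list)"
mismatched_groups "$(domain_sid "$LOCALSID_OUT")" "$GROUPMAP_OUT"
```

An empty result means every domain group mapping carries the same SID prefix that `net getlocalsid` reports.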
