AH ha. John is the winner!!! I needed to delete the secrets.tdb file with the group_mapping.tdb
John - email me off list and let me know how you want your gift certificate. Thanks for all your help.

Andy

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:09 PM
To: Andrew Judge
Cc: Samba
Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize

Andrew,

You have something rather strange going on here. The following is the result of running these steps on my system:

frodo:/etc/samba # net setlocalsid S-1-5-21-1206063004-3966108128-1487570950
frodo:/etc/samba # net getlocalsid
SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950
frodo:/etc/samba # samba start
Starting SAMBA nmbd :                          done
cups on
Waiting for cupsd to get ready                 done
Starting SAMBA smbd :                          done
Starting SAMBA winbind :                       done
frodo:/etc/samba # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1206063004-3966108128-1487570950-512) -> -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
frodo:/etc/samba # net getlocalsid
SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950

Note: The SIDs are consistent. I have been unable to reproduce the observations you have.

Please would you email me your secrets.tdb file (off-line). I'd like to see if there is something weird in it.

Other than that, please move your secrets.tdb file to a backup location. Make sure Samba is NOT running when you do this. Then delete the group_mapping.tdb file, then restart Samba. Then check the value of the Domain SID from:

net getlocalsid
net groupmap list

I'd like to help track this one down.

Cheers,
John T.
On Thu, 8 Jan 2004, Andrew Judge wrote:

> Nope - it makes its own SIDs. To prove - it starts and ends with net getlocalsid. Here is the output since I tried it again:
>
> [EMAIL PROTECTED] root]# net getlocalsid
> SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
> [EMAIL PROTECTED] root]# service smb stop
> Shutting down SMB services:                   [  OK  ]
> Shutting down NMB services:                   [  OK  ]
> [EMAIL PROTECTED] root]# rm -f /var/cache/samba/group_mapping.tdb
> [EMAIL PROTECTED] root]# service smb start
> Starting SMB services:                        [  OK  ]
> Starting NMB services:                        [  OK  ]
> [EMAIL PROTECTED] root]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
> Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> [EMAIL PROTECTED] root]# net getlocalsid
> SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
>
> -----Original Message-----
> From: John H Terpstra [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 08, 2004 10:34 AM
> To: Andrew Judge
> Cc: Samba
> Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize
>
>
> On Thu, 8 Jan 2004, Andrew Judge wrote:
>
> > Okay, I did all the below successfully. I actually had the old SID from the other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the NTUSER.DAT files
> >
> > Still no luck with the admin rights. It will log into the domain and can see the domain groups and I can add them to local groups. It even uses the netlogon scripts. Do you need more info? I think we are close though.
>
> Andy,
>
> In the procedure I gave you rather specific steps. That was for a reason. Maybe I should have explained each step a lot more fully.
>
> Samba stores its Domain/Machine SID in the secrets.tdb file. When you deleted the group_mapping.tdb file and then restarted Samba, it re-created the group_mapping.tdb file with all the default accounts. When it did this, the default accounts were initialized with the SID that was in the secrets.tdb file.
>
> I am guessing that you changed the SID _AFTER_ restarting Samba.
>
> I was trying to get your SIDs uniform throughout with minimum effort on your part. By resetting the Domain SID, you undid what I was trying to get you to rectify.
>
> Your Windows clients will be very confused by the inconsistent SIDs. What you did by resetting the SID would be expected to break everything again.
>
> I am guessing that by running:
> net getlocalsid
> you will now be able to confirm that the Samba Domain SID is the same as your original Domain SID.
>
> If you want this to work, you will have to repeat the steps I gave you though. Domain security will not work unless the SIDs are consistent.
>
> Cheers,
> John T.
>
>
> > Andy
> > -----Original Message-----
> > From: John H Terpstra [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 07, 2004 11:42 PM
> > To: Andrew Judge
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize
> >
> > 1. Stop Samba
> > 2. Delete the group_mapping.tdb file.
> > 3. Restart Samba
> >    - the default Domain Groups will automatically be created if you are NOT using LDAP ldapsam.
> > 4. Map your groups as follows:
> >
> > net groupmap modify ntgroup="Domain Users" unixgroup=users
> > net groupmap modify ntgroup="Domain Admins" unixgroup=root
> > net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
> >
> > Add any Domain Groups you may want.
> > Do tie them to existing (manually created UNIX groups) eg:
> >
> > groupadd engineers
> > net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
> >
> > groupadd ntadmins
> > net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
> >
> >
> > PS: If you have a problem with these commands email me, I'll help you.
> >
> >
> > 5. Add all users who should have Domain Admin rights to the UNIX root group in /etc/group, like this:
> >
> > root:0::jht,jimbo,jack,jill
> >
> >
> > 6. Add all users who should have Workstation Admin rights (Power Users) to the UNIX ntadmins group in /etc/group, like this:
> >
> > ntadmins:123::maryo,susant,billm
> >
> >
> > 7. Verify that the groups are correctly mapped:
> >
> > net groupmap list
> >
> >
> > 8. Now: On every Windows client machine add:
> >
> > a) Domain Admins to the Local Administrators Group
> > b) Domain Power Users to the Local Power Users Group
> >
> >
> > > Now... I migrated from 2.2.3a to the above and I have all the tdb and I changed the SID to the last PDC. Anyway, how would I get the right SID? I have NTUSER.DAT files that I can run profiles against to read them. Would that help?
> >
> > You can use the Samba-3.0.x tools 'profiles' to reset the SID in the NTUSER.DAT files.
> >
> > To obtain the domain SID just run:
> >
> > net getlocalsid
> >
> >
> > > First one that can point me in the right direction to get this resolved - I'll buy them an Amazon gift cert for $50. Beats going bald from pulling out my hair.
> >
> > It's a deal man!
> >
> >
> > - John T.
> > --
> > John H Terpstra
> > Email: [EMAIL PROTECTED]
> >
> --
> John H Terpstra
> Email: [EMAIL PROTECTED]
>
--
John H Terpstra
Email: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the instructions:
http://lists.samba.org/mailman/listinfo/samba
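The thread's diagnosis comes down to two checks John asks for by eye: every domain group in "net groupmap list" must carry the SID that "net getlocalsid" reports, and the groups that matter (Domain Admins in particular) must be mapped to a UNIX group rather than sit at -1. The script below is an added example written for this page, not code from the thread or from the Samba project; it assumes the Samba 3.0 output formats quoted above and runs offline on constructed sample output modelled on Andy's listing.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline consistency check for the
# two symptoms discussed above: it parses captured "net getlocalsid" and
# "net groupmap list" output (Samba 3.0 formats as quoted in the thread) and
# reports (a) domain groups whose SID prefix is not the local domain SID and
# (b) domain groups still unmapped to a UNIX group (gid -1).

# Domain part of a line such as "SID for domain FPICSRV is: S-1-5-21-a-b-c".
local_domain_sid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)$/\1/p'
}

# Print "name|domain-sid|gid" for each domain-scoped mapping (S-1-5-21-...).
# Well-known aliases (S-1-5-32-*) are skipped: they are never domain-specific.
domain_mappings() {
    printf '%s\n' "$1" |
        sed -n 's/^\(.*\) (\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)-[0-9]*) -> \([-0-9]*\)$/\1|\2|\3/p'
}

# Names of domain groups whose SID was minted under a different domain SID,
# i.e. group_mapping.tdb was created while secrets.tdb held another SID.
sid_mismatches() {
    domain_mappings "$2" | awk -F'|' -v want="$1" '$2 != want { print $1 }'
}

# Names of domain groups with no UNIX group behind them; an unmapped
# "Domain Admins" is why nobody got admin rights in the thread.
unmapped_domain_groups() {
    domain_mappings "$1" | awk -F'|' '$3 == "-1" { print $1 }'
}

# Constructed sample modelled on Andy's listing: the local SID and the SID
# baked into the domain groups disagree, and two domain groups are unmapped.
SAMPLE_LOCALSID='SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950'
SAMPLE_LISTING='System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> 100'

# On a live PDC, substitute "$(net getlocalsid)" and "$(net groupmap list)".
sid=$(local_domain_sid "$SAMPLE_LOCALSID")
echo "local domain SID: $sid"
sid_mismatches "$sid" "$SAMPLE_LISTING" | sed 's/^/SID mismatch: /'
unmapped_domain_groups "$SAMPLE_LISTING" | sed 's/^/unmapped: /'
```

A clean PDC prints the local SID and nothing else; any "SID mismatch" line means group_mapping.tdb was initialised from a different secrets.tdb and both files need to be regenerated together, as the thread concludes.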
