Ok, the logic goes like this...

If you want to use root for Domain administration purposes it has to be in the Domain user database.
If it's a Domain user its primary group should be a Domain group.
All Domain groups in Samba are mappings from UNIX groups into SIDs.
If a mapping for a particular gid is not present, it will be created automatically using the arithmetic approach.


Therefore, if you want your root user to keep its primary gid but to be associated with the Domain group 'Domain Admins', the best approach will be to map this Domain group onto the UNIX group 'root' instead of creating an additional UNIX group 'Domain Admins'.

Another approach will be to use some other user to administer your Domain and put it into the 'admin users' list in smb.conf. Then you will be free to choose any primary group for it you like; just keep the consistency between gidNumber and sambaPrimaryGroupSID. All users in the 'admin users' list are forced into being root when they access Samba, so you will have the same control you would have with root.

I don't know why this is not documented... I don't read documentation that often... I do know, though, that the Samba team welcomes all suggestions to make the documentation better. If you know which part of the documentation got you confused, let them know how to make it clearer.

Hope it helps,
Igor


Misty Stanley-Jones wrote:

This doesn't make sense. My root user needs to be gid=0 for all of my UNIX systems that I have auth'ing against the DB. Will it resolve this if I make the primaryGroupSID of root to be the one of Domain Admins? This isn't documented anywhere that I can tell. Thank you for your help, by the way.

On Saturday 16 October 2004 06:16 pm, you wrote:


The trick is in you picking SID by yourself. :o)

sambaPrimaryGroupSID should always be either the explicit mapping of
gidNumber in the groupmap or the implicit arithmetic mapping: (gidNumber *
2) + 'rid base' + 1. Your problem is that you have an inconsistency in your
root's setup. As a result its primary group 0 gets mapped into RID 1001,
which corresponds to engr.

You can do one of the following:
1. change gidNumber of the cn=root to that of the 'Domain Admins' or
2. change the name of gid=0 to be 'Domain Admins' or
3. change mapping 'Domain Admins -> root'

I would also recommend using the arithmetic gidNumber -> SID mapping unless
you are mapping predefined Windows RIDs.

Hope it helps,
Igor
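The two rules Igor states in this thread (an explicit `net groupmap` entry wins; otherwise the group RID is `(gidNumber * 2) + 'rid base' + 1`) are enough to reproduce Misty's symptom and to verify his third fix before touching LDAP. The following check is an added example, not code from the thread, from Samba or from smbldap-tools. It assumes Samba's default `algorithmic rid base` of 1000, uses the domain SID and the `root`/`engr` values shown in the thread, and the gid it gives the `Domain Admins` UNIX group in the "before" state is a constructed value.

```python
"""Consistency check between a Samba user's gidNumber and its
sambaPrimaryGroupSID, following the mapping rules described in the thread.

Added example, not code from the thread, Samba or smbldap-tools.
Assumption: Samba's default 'algorithmic rid base' is 1000.
"""

DOMAIN_SID = "S-1-5-21-725326080-1709766072-2910717368"  # from the thread's ldap output
RID_BASE = 1000  # assumption: Samba default 'algorithmic rid base'


def arithmetic_group_rid(gid, rid_base=RID_BASE):
    """Implicit gid -> group RID mapping quoted in the thread:
    (gidNumber * 2) + 'rid base' + 1."""
    return gid * 2 + rid_base + 1


def resolve_gid(gid, groupmap, domain_sid=DOMAIN_SID, rid_base=RID_BASE):
    """Map a UNIX gid to the Domain group SID Samba will present:
    an explicit groupmap entry wins, otherwise the arithmetic mapping."""
    for entry in groupmap:
        if entry["gid"] == gid:
            return entry["sid"]
    return f"{domain_sid}-{arithmetic_group_rid(gid, rid_base)}"


def name_for_sid(sid, groupmap):
    """Domain group name for a SID, or None if no groupmap entry carries it."""
    for entry in groupmap:
        if entry["sid"] == sid:
            return entry["name"]
    return None


def check_primary_group(user, groupmap):
    """Compare the stored sambaPrimaryGroupSID with the SID the user's
    gidNumber actually resolves to; the mismatch is what ifmember.exe shows."""
    effective = resolve_gid(user["gidNumber"], groupmap)
    return {
        "stored": user["sambaPrimaryGroupSID"],
        "effective": effective,
        "effective_name": name_for_sid(effective, groupmap),
        "consistent": effective == user["sambaPrimaryGroupSID"],
    }


# Entries constructed from the smbldap-usershow / smbldap-groupshow output in the thread.
ROOT = {"uid": "root", "uidNumber": 0, "gidNumber": 0,
        "sambaPrimaryGroupSID": DOMAIN_SID + "-512"}

GROUPMAP_BEFORE = [
    # engr: gidNumber 1001 explicitly mapped to RID 1001 (from the thread)
    {"name": "engr", "gid": 1001, "sid": DOMAIN_SID + "-1001"},
    # 'Domain Admins' mapped to a UNIX group of its own; gid 1512 is a constructed value
    {"name": "Domain Admins", "gid": 1512, "sid": DOMAIN_SID + "-512"},
]

# Igor's option 3: remap 'Domain Admins' onto the UNIX group 'root' (gid 0),
# so root keeps gid 0 and its primary group resolves to RID 512.
GROUPMAP_AFTER = [
    {"name": "engr", "gid": 1001, "sid": DOMAIN_SID + "-1001"},
    {"name": "Domain Admins", "gid": 0, "sid": DOMAIN_SID + "-512"},
]

if __name__ == "__main__":
    for label, groupmap in (("before", GROUPMAP_BEFORE), ("after", GROUPMAP_AFTER)):
        print(label, check_primary_group(ROOT, groupmap))
```

In the "before" state gid 0 has no explicit entry, so it falls through to the arithmetic mapping, `0 * 2 + 1000 + 1 = 1001`, which is exactly the RID that `engr` was given explicitly; the stored `-512` SID is never consulted. After the remap, gid 0 resolves to `-512` and matches the stored attribute, which is why Igor's first and second options work for the same reason: all three make the gid-derived SID and `sambaPrimaryGroupSID` agree.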

Misty Stanley-Jones wrote:


I am using Samba PDC with OpenLDAP2 and smbldap-tools.  As part of my
logon.bat, I call a script called ifmember.exe.  This script can list out
the groups a user is a member of.  It is reporting that my root user is a
member of the group 'engr.'  I don't know if this is a bug with
ifmember.exe or if it's an issue in Samba or in LDAP.  Here is some
relevant data:

oink:/etc/smbldap-tools # smbldap-groupshow engr
dn: cn=engr,ou=groups,dc=borkholder,dc=com
cn: engr
gidNumber: 1001
memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
objectClass: top,posixGroup,sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001

oink:/usr/local/sbin # ./smbldap-usershow root
dn: cn=root,ou=people,dc=borkholder,dc=com
objectClass: account,posixAccount,top,sambaSamAccount
cn: root
uid: root
uidNumber: 0
gidNumber: 0
loginShell: /bin/bash
homeDirectory: /root
displayName: root
sambaPwdCanChange: 1095966471
sambaPwdMustChange: 2147483647
sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1095966471
sambaAcctFlags: [U          ]
userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512

oink:/usr/local/sbin # net groupmap list
acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) -> acct_admin
truss (S-1-5-21-725326080-1709766072-2910717368-1005) -> truss
hr (S-1-5-21-725326080-1709766072-2910717368-1004) -> hr
furniture (S-1-5-21-725326080-1709766072-2910717368-1003) -> furniture
dutch (S-1-5-21-725326080-1709766072-2910717368-1002) -> dutch
Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) -> Domain Admins
Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -> Domain Users
Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) -> Domain Guests
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) -> Workgroup Computers
Administrators (S-1-5-32-544) -> Administrators
acct (S-1-5-21-725326080-1709766072-2910717368-1007) -> acct
receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -> receptionist
engr (S-1-5-21-725326080-1709766072-2910717368-1001) -> engr

Is there anywhere else I can look to see why this command thinks I'm a
member of the engr group?  I'm using nss_ldap on the server for
authentication as well.

Misty
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba