WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Hansjoerg Maurer
Hi

I have a question related to the group mapping with ldapsam as backend.
You described that group entries have to be in /etc/group with tdbsam as
backend.

I recognized that Samba 3.0.1 with ldapsam does not recognize secondary
groups in LDAP (e.g. for accessing a share).

The problem is described by [EMAIL PROTECTED] too (see his email
attached).

Do secondary groups have to be in /etc/groups in order to be recognized
by Samba even with ldapsam?

Thank you very much

Hansjörg

Hello,
I found an interesting thing that I don't know if it is a bug, by design
or I need to be doing something that I'm not, but here goes.

My system:
RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
(3) BDC with LDAP slave backend. All are Samba 3.0.

I had a problem with secondary, tertiary etc. groups that people belong
to and Samba recognizing these groups if they were stored in LDAP. The
primary group was no problem. When I created shares but used
@groupname for valid users or write list, Samba would fail to get
that info from LDAP. They needed to be in /etc/group to work. As soon as
I added users in secondary groups to /etc/group, users were recognized
and rights were assigned.

As a side note, each line of /etc/group is limited to 1024 bytes, so
there is a limit on how many users you can add to a group using
/etc/group. If you exceed that when the system scans the /etc/group
file, it will fail at the line 1024 bytes and any groups below will
fail to be recognized. I believe that this is a bug. If you do ls on a
directory or id username where one of the entries in your /etc/group
has exceeded the limit, the groups will show as numbers and not a group
name.

Can I use pam_winbindd to extract group membership from LDAP at this
time for secondary, tertiary etc. groups?



John H Terpstra wrote:

On Wed, 7 Jan 2004, Andrew Judge wrote:

 

I think that most of my problems are somewhat resolved except for this last
one.  I can not get domain admin rights to the ntadmins users.  I get the
following output for groupmaps:
[EMAIL PROTECTED] i386]# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) - users
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) - ntadmins
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
Obviously there is a problem with the domain '*' SID because there are
duplicates.  Any idea how to correct this problem and get the users logged
in with admin rights.  I have RH EN v.3 and samba 3.0.0-14.3E from RH.  I
can see the users from the samba server and the users can log in, but no
rights.  Big problem.
   

Ok. Roll up your sleeves!

I am presuming that you are NOT using an LDAP backend, that you still are
using an smbpasswd backend datafile.
1. Stop Samba
2. Delete the group_mapping.tdb file.
3. Restart Samba
- the default Domain Groups will automatically be created if you
  are NOT using LDAP ldapsam.
4. Map your groups as follows:
net groupmap modify ntgroup=Domain Users unixgroup=users
net groupmap modify ntgroup=Domain Admins unixgroup=root
net groupmap modify ntgroup=Domain Guests unixgroup=nobody
Add any Domain Groups you may want. Do tie them to existing (manually
created UNIX groups) eg:
groupadd engineers
net groupmap add ntgroup=Domain Engineers unixgroup=engineers type=d
groupadd ntadmins
net groupmap add ntgroup=Domain Power Users unixgroup=ntadmins type=d
PS: If you have a problem with these commands email me, I'll help you.

5. Add all users who should have Domain Admin rights to the UNIX root
group in /etc/group, like this:
root:0::jht,jimbo,jack,jill

6. Add all users who should have Workstation Admin rights (Power Users) to
the UNIX ntadmins group in /etc/group, like this:
ntadmins:123::maryo,susant,billm

7. Verify that the groups are correctly mapped:

net groupmap list.

8. Now: On every windows client machine add:

a) Domain Admins to the Local Administrators Group
b) Domain Power Users to the Local Power Users Group
 

Now... I migrated from 2.2.3a to the above and 

Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread John H Terpstra
On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

 Hi

 I have a question related to the group mapping with ldapsam as backend.
 You described that group entries have to be in /etc/group with tdbsam as
 backend.

 I recognized that Samba 3.0.1 with ldapsam does not recognize secondary
 groups in LDAP (e.g. for accessing a share).

 The problem is described by [EMAIL PROTECTED] too (see his email
 attached).

 Do secondary groups have to be in /etc/groups in order to be recognized
 by Samba even with ldapsam?

Whether or not this will work depends on how you configure ID resolution.

Winbind apparently does not resolve secondary group membership.

On the other hand, if you configure LDAP based ID resolution via the name
service switcher (NSS) for both users and groups then secondary group
membership resolution seems to work ok. The Posix user account should be
in the LDAP database. You can then add users to multiple groups either in
/etc/group or in the LDAP groups container.

How did you configure /etc/nsswitch.conf?

What does 'getent group' and 'getent passwd' show?

If you have a user who is a member of multiple secondary groups and you
execute:
id 'username'

What does this report for that user?

If LDAP based resolution of multiple group membership fails that is
something that must be reported to PADL, the authors of nss_ldap.

On the test systems I used to create the environments I used to create the
example files for the new Samba-3 by Example book, I compiled nss_ldap
version 212 and found that to work fine with multiple groups.

Is this what you tried also?

Cheers,
John T.




Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Hansjoerg Maurer
Hi

Thank you for your fast reply.
I have a user sporer:
[EMAIL PROTECTED] root]# id -a sporer
uid=1000(sporer) gid=1000(sensodrivegroup)
Gruppen=1000(sensodrivegroup),1001(managementgroup)

The user and the group are in LDAP and nss_ldap seems to work.
[EMAIL PROTECTED] root]# getent group
root:x:0:root

Domain Admins:x:912:
Domain Users:x:913:
Domain Guests:x:914:
Administrators:x:944:
Users:x:945:
Guests:x:946:
Power Users:x:947:
Account Operators:x:948:
Server Operators:x:949:
Print Operators:x:950:Administrator
Backup Operators:x:951:
Replicator:x:952:
Domain Computers:x:953:
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
managementgroup:x:1001:management,root,haehnle,sporer,sporers
I am using
[EMAIL PROTECTED] root]# rpm -q nss_ldap
nss_ldap-207-3
on RH9.

Within Samba I have two shares:
[Projekte]
  comment = Sensodrive-Projekte
  path = /home/sensodrive
  force group = sensodrivegroup
  force user = sensodrive
  valid users = @sensodrivegroup,root
[Management]
  comment = Sensodrive-Management
  path = /home/management
  force group = managementgroup
  force user = management
  valid users = @managementgroup,root
Every user can access the Projekte share, because the primary group of
every user is sensodrivegroup.
When user sporer tries to access the Management share, he gets
user 'sporer' (from session setup) not permitted to access this share (Management)

If I add the user sporer by his username to valid users it works:
  valid users = @managementgroup,root,sporer,haehnle,sporers
Maybe this helps to solve the problem.
If you need more information or further testing, give me a note.
Thank you very much

Greetings

Hansjörg




Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread John H Terpstra
Hansjoerg,

Instead of:
valid users = @Groupe

Please try:
valid users = +Groupe

Thanks.

- John T.
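
Added example, not from the thread and not Samba's own code: a POSIX sh helper that evaluates a share's `valid users` value against `getent passwd`/`getent group` output, the comparison Hansjörg and John are doing by hand above, so each entry gets an allow/deny verdict from the NSS side. It assumes the entry prefixes documented in smb.conf(5) (`+` UNIX group only, `&` NIS netgroup only, `@` netgroup then UNIX group) and constructs passwd lines for sporer, management and geist, since only the group lines are on the page.

```shell
#!/bin/sh
# Added example, not from the thread and not Samba code: evaluate a share's
# "valid users" value against what NSS returns, i.e. the getent passwd and
# getent group output Hansjörg was asked for. Each entry gets a verdict so a
# denial can be traced to NSS not returning a membership or to the entry form.
# Prefixes follow smb.conf(5): "+name" is a UNIX group only, "&name" a NIS
# netgroup only, "@name" tries the netgroup first and then the UNIX group.
# Netgroups are not modelled: "&" entries come back as unchecked and "@"
# falls through to the UNIX group.

# Constructed sample in getent format: the group lines from the thread plus
# assumed passwd lines for three members (only the gid field matters here).
PASSWD_OUT='sporer:x:1000:1000::/home/sporer:/bin/bash
management:x:1002:1001::/home/management:/bin/bash
geist:x:1003:1000::/home/geist:/bin/bash'
GROUP_OUT='root:x:0:root
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
managementgroup:x:1001:management,root,haehnle,sporer,sporers'

# user_groups USER: print, one per line, the groups NSS gives USER: the
# primary group (gid from the passwd entry) and every group that lists USER
# as a member. Reads the two samples above; on a live box feed it the real
# `getent passwd USER` and `getent group` output instead.
user_groups() {
    printf '%s\n%s\n' "$PASSWD_OUT" "$GROUP_OUT" | awk -F: -v u="$1" '
        NF == 7 && $1 == u { gid = $3; next }      # passwd entry of USER
        NF == 4 {                                   # group entry
            if ($3 == gid) { print $1; next }       # primary group
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $1
        }'
}

# valid_users_check USER LIST: print "entry verdict" (allow, deny or
# unchecked) for each comma-separated entry of a "valid users" value and
# return 0 when at least one entry admits USER, 1 otherwise.
valid_users_check() {
    user=$1
    list=$2
    admitted=1
    member_of=$(user_groups "$user")
    old_ifs=$IFS
    set -f                  # no globbing while the list is word-split on ","
    IFS=','
    set -- $list
    IFS=$old_ifs
    set +f
    for raw in "$@"; do
        entry=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        case $entry in
            '&'*)                                   # NIS netgroup only
                verdict=unchecked ;;
            '+'*|'@'*)                              # UNIX group lookup
                if printf '%s\n' "$member_of" | grep -qxF -e "${entry#?}"; then
                    verdict=allow
                else
                    verdict=deny
                fi ;;
            *)                                      # plain user name
                if [ "$entry" = "$user" ]; then verdict=allow; else verdict=deny; fi ;;
        esac
        [ "$verdict" = allow ] && admitted=0
        printf '%s %s\n' "$entry" "$verdict"
    done
    return "$admitted"
}
```

If NSS reports the membership (as it does for sporer in managementgroup here) but smbd still denies the share, the problem is not in the NSS data, which is the distinction the thread is trying to make.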



RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Andrew Judge
Okay, I did all the below successfully.  I actually had the old SID from the
other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the
NTUSER.DAT files.

Still no luck with the admin rights.  It will log into the domain and can
see the domain groups and I can add them to local groups.  It even uses the
netlogon scripts.  Do you need more info?  I think we are close though.

Andy
-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:42 PM
To: Andrew Judge
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize



 Now... I migrated from 2.2.3a to the above and I have all the tdb and I
 changed the SID to the last PDC.  Anyway, how would I get the right SID?
 I have NTUSER.DAT files that I can run profiles against to read them.  Would
 that help?

You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
NTUSER.DAT files.

To obtain the domain SID just run:

net getlocalsid



 First one that can point me in the right direction to get this resolved -
 I'll buy them an Amazon gift cert for $50.  Beats going bald from pulling
 out my hair.

It's a deal man!


- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Andrew Judge
Also,

my info is now - and it looks like the last 3 digits are supposed to be
different from the main part of the SID, but are not?  Should I try to
modify the domain '*' SIDs?

[EMAIL PROTECTED] root]# net getlocalsid
SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950

[EMAIL PROTECTED] root]# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - nobody
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - root
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Power Users (S-1-5-21-3168668608-3928139368-1822977481-2081) - ntadmins
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - users
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

Andy



RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread John H Terpstra
On Thu, 8 Jan 2004, Andrew Judge wrote:

 Okay, I did all the below successfully.  I actually had the old SID from the
 other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the
 NTUSER.DAT files

 Still no luck with the admin rights.  It will log into the domain and can
 see the domain groups and I can add them to local groups.  It even uses the
 netlogon scripts.  Do you need more info?  I think we are close though.

Andy,

In the procedure I gave you rather specific steps. That was for a reason.
Maybe I should have explained each step a lot more fully.

Samba stores its Domain/Machine SID in the secrets.tdb file. When you
deleted the group_mapping.tdb file and then restarted Samba, it re-created
the group_mapping.tdb file with all the default accounts. When it did
this, the default accounts were initialized with the SID that was in the
secrets.tdb file.

I am guessing that you changed the SID _AFTER_ restarting Samba.

I was trying to get your SIDs uniform throughout with minimum effort on
your part. By resetting the Domain SID, you undid what I was trying to get
you to rectify.

Your Windows clients will be very confused by the inconsistent SIDs. What
you did by resetting the SID would be expected to break everything again.

I am guessing that by running:
net getlocalsid
you will now be able to confirm that the Samba Domain SID is the same as
your original Domain SID.

If you want this to work, you will have to repeat the steps I gave you
though. Domain security will not work unless the SIDs are consistent.

Cheers,
John T.




-- 
John H Terpstra
Email: [EMAIL PROTECTED]


RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Andrew Judge
One last part that I noticed - the kicker - even though the netlogon
scripts run, if I create a new user, it won't let me log in.  It's like the
account passwords were cached and now it has taken away the domain admin
rights.

Andy



RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread John H Terpstra
On Thu, 8 Jan 2004, Andrew Judge wrote:

 One last part that I noticed - the kicker - even though the netlogon
 scripts run, if I create a new user, it won't let me log in.  It's like the
 account passwords were cached and now it has taken away the domain admin
 rights.

First, as I wrote in my last email, the Domain SID and that stored in
the group_mapping.tdb database MUST be consistent.

Second, what version of Samba are you running? If this is 3.0.1 please
update to 3.0.2pre1. There is a fix in 3.0.2pre1 for a bug you may have
tripped.

- John T.




-- 
John H Terpstra
Email: [EMAIL PROTECTED]


RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Andrew Judge
samba-client-3.0.0-14.3E
samba-3.0.0-14.3E
samba-common-3.0.0-14.3E

From RH En v.3 CD.  Do you think that it would be better to upgrade?

Andy

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 10:44 AM
To: Andrew Judge
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize


On Thu, 8 Jan 2004, Andrew Judge wrote:

 One last part that I noticed - the kicker - even though the netlogon
 scripts run, if I create a new user, it won't let me log in.  It's like the
 account passwords were cached and now it has taken away the domain admin
 rights.

First, as I wrote in my last email, the Domain SID and that stored in
the group_mapping.tdb database MUST be consistent.

Second, what version of Samba are you running? If this is 3.0.1 please
update to 3.0.2pre1. There is a fix in 3.0.2pre1 for a bug you may have
tripped.

- John T.


 Andy

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf
 Of Andrew Judge
 Sent: Thursday, January 08, 2004 9:14 AM
 To: John H Terpstra
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize


 Also,

 my info is now - and it looks like the last 3 digits are supposed to be
 different from the main part of the SID, but are not?  Should I try to
 modify the domain '*' SIDs?

 [EMAIL PROTECTED] root]# net getlocalsid
 SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950

 [EMAIL PROTECTED] root]# net groupmap list
 System Operators (S-1-5-32-549) - -1
 Replicators (S-1-5-32-552) - -1
 Guests (S-1-5-32-546) - -1
 Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - nobody
 Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - root
 Power Users (S-1-5-32-547) - -1
 Print Operators (S-1-5-32-550) - -1
 Administrators (S-1-5-32-544) - -1
 Account Operators (S-1-5-32-548) - -1
 Domain Power Users (S-1-5-21-3168668608-3928139368-1822977481-2081) -
 ntadmins
 Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - users
 Backup Operators (S-1-5-32-551) - -1
 Users (S-1-5-32-545) - -1

 Andy



--
John H Terpstra
Email: [EMAIL PROTECTED]



RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Andrew Judge
Nope - it makes its own SIDs.  To prove it, it starts and ends with net
getlocalsid. Here is the output since I tried it again:

[EMAIL PROTECTED] root]# net getlocalsid
SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
[EMAIL PROTECTED] root]# service smb stop
Shutting down SMB services:[  OK  ]
Shutting down NMB services:[  OK  ]
[EMAIL PROTECTED] root]# rm -f /var/cache/samba/group_mapping.tdb
[EMAIL PROTECTED] root]# service smb start
Starting SMB services: [  OK  ]
Starting NMB services: [  OK  ]
[EMAIL PROTECTED] root]# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
[EMAIL PROTECTED] root]# net getlocalsid
SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 10:34 AM
To: Andrew Judge
Cc: Samba
Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize


On Thu, 8 Jan 2004, Andrew Judge wrote:

 Okay, I did all the below successfully.  I actually had the old SID from the
 other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the
 NTUSER.DAT files
 
 Still no luck with the admin rights.  It will log into the domain and can
 see the domain groups and I can add them to local groups.  It even uses the
 netlogon scripts.  Do you need more info?  I think we are close though.

Andy,

In the procedure I gave you rather specific steps. That was for a reason.
Maybe I should have explained each step a lot more fully.

Samba stores its Domain/Machine SID in the secrets.tdb file. When you
deleted the group_mapping.tdb file and then restarted Samba, it re-created
the group_mapping.tdb file with all the default accounts. When it did
this, the default accounts were initialized with the SID that was in the
secrets.tdb file.

I am guessing that you changed the SID _AFTER_ restarting Samba.

I was trying to get your SIDs uniform throughout with minimum effort on
your part. By resetting the Domain SID, you undid what I was trying to get
you to rectify.

Your Windows clients will be very confused by the inconsistent SIDs. What
you did by resetting the SID would be expected to break everything again.

I am guessing that by running:
net getlocalsid
you will now be able to confirm that the Samba Domain SID is the same as
your original Domain SID.

If you want this to work, you will have to repeat the steps I gave you
though. Domain security will not work unless the SIDS are consistent.

Cheers,
John T.


 Andy
 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 07, 2004 11:42 PM
 To: Andrew Judge
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize

 1. Stop Samba
 2. Delete the group_mapping.tdb file.
 3. Restart Samba
   - the default Domain Groups will automatically be created if you
 are NOT using LDAP ldapsam.
 4. Map your groups as follows:

 net groupmap modify ntgroup=Domain Users unixgroup=users
 net groupmap modify ntgroup=Domain Admins unixgroup=root
 net groupmap modify ntgroup=Domain Guests unixgroup=nobody

 Add any Domain Groups you may want. Do tie them to existing (manually
 created UNIX groups) eg:

 groupadd engineers
 net groupmap add ntgroup=Domain Engineers unixgroup=engineers type=d

 groupadd ntadmins
 net groupmap add ntgroup=Domain Power Users unixgroup=ntadmins type=d


 PS: If you have a problem with these commands email me, I'll help you.


 5. Add all users who should have Domain Admin rights to the UNIX root
 group in /etc/group, like this:

 root:x:0:jht,jimbo,jack,jill


 6. Add all users who should have Workstation Admin rights (Power Users) to
 the UNIX ntadmins group in /etc/group, like this:

 ntadmins:x:123:maryo,susant,billm


 7. Verify that the groups are correctly mapped:

 net groupmap list


 8. Now: On every windows client machine add:

   a) Domain Admins to the Local Administrators Group
   b) Domain Power Users to the Local Power Users Group


 
  Now... I migrated from 2.2.3a to the above and I have all the tdb and I
  changed the SID to the last PDC.  Anyway, how would I get the right SID?  I
  have NTUSER.DAT files that I can run profiles against to read them.  Would
  that help?

 You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
 NTUSER.DAT files.

 To obtain

RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread John H Terpstra
Andy,

I would suggest you first make sure that all SIDs are consistent. The
3.0.0 packages you have should work. We can look to updating if you need
to.


- John T.

On Thu, 8 Jan 2004, Andrew Judge wrote:

 samba-client-3.0.0-14.3E
 samba-3.0.0-14.3E
 samba-common-3.0.0-14.3E

 From RH En v.3 CD.  Do you think that it would be better to upgrade?

 Andy

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 08, 2004 10:44 AM
 To: Andrew Judge
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize


 On Thu, 8 Jan 2004, Andrew Judge wrote:

  One last part that I noticed - the kicker - even though the netlogon
  scripts run, if I create a new user, it won't let me log in.  It's like the
  account passwords were cached and now it has taken away the domain admin
  rights.

 First, as I wrote in my last email, the Domain SID and that stored in
 the group_mapping.tdb database MUST be consistent.

 Second, what version of Samba are you running? If this is 3.0.1 please
 update to 3.0.2pre1. There is a fix in 3.0.2pre1 for a bug you may have
 tripped.

 - John T.

 
  Andy
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf
  Of Andrew Judge
  Sent: Thursday, January 08, 2004 9:14 AM
  To: John H Terpstra
  Cc: [EMAIL PROTECTED]
  Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize
 
 
  Also,
 
  my info is now - and it looks like the last 3 digits are supposed to be
  different from the main part of the SID, but are not?  Should I try to
  modify the domain '*' SIDs?
 
  [EMAIL PROTECTED] root]# net getlocalsid
  SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
 
  [EMAIL PROTECTED] root]# net groupmap list
  System Operators (S-1-5-32-549) - -1
  Replicators (S-1-5-32-552) - -1
  Guests (S-1-5-32-546) - -1
  Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - nobody
  Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - root
  Power Users (S-1-5-32-547) - -1
  Print Operators (S-1-5-32-550) - -1
  Administrators (S-1-5-32-544) - -1
  Account Operators (S-1-5-32-548) - -1
  Domain Power Users (S-1-5-21-3168668608-3928139368-1822977481-2081) -
  ntadmins
  Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - users
  Backup Operators (S-1-5-32-551) - -1
  Users (S-1-5-32-545) - -1
 
  Andy
 
 

 --
 John H Terpstra
 Email: [EMAIL PROTECTED]



-- 
John H Terpstra
Email: [EMAIL PROTECTED]


RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Craig White
On Thu, 2004-01-08 at 08:50, Andrew Judge wrote:
 samba-client-3.0.0-14.3E
 samba-3.0.0-14.3E
 samba-common-3.0.0-14.3E
 
 From RH En v.3 CD.  Do you think that it would be better to upgrade?

at this point - I wouldn't

Craig



RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread John H Terpstra
Andrew,

You have something rather strange going on here. The following is the
result of running these steps on my system:

frodo:/etc/samba # net setlocalsid S-1-5-21-1206063004-3966108128-1487570950
frodo:/etc/samba # net getlocalsid
SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950
frodo:/etc/samba # samba start
Starting SAMBA nmbd :
done
cups  on
Waiting for cupsd to get ready
done
Starting SAMBA smbd :
done
Starting SAMBA winbind :
done
frodo:/etc/samba # net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Admins (S-1-5-21-1206063004-3966108128-1487570950-512) - -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
frodo:/etc/samba # net getlocalsid
SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950

Note: The SIDs are consistent.

I have been unable to reproduce the observations you have. Please would
you email me your secrets.tdb file (off-line). I'd like to see if there is
something weird in it.

Other than that, please move your secrets.tdb file to a backup location.
Make sure samba is NOT running when you do this. Then delete the
group_mapping.tdb file, then restart Samba.

Then check the value of the Domain SID from:
net getlocalsid
net groupmap list

I'd like to help track this one down.

Cheers,
John T.


On Thu, 8 Jan 2004, Andrew Judge wrote:

 Nope - it makes its own SIDs.  To prove it, it starts and ends with net
 getlocalsid. Here is the output since I tried it again:

 [EMAIL PROTECTED] root]# net getlocalsid
 SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
 [EMAIL PROTECTED] root]# service smb stop
 Shutting down SMB services:[  OK  ]
 Shutting down NMB services:[  OK  ]
 [EMAIL PROTECTED] root]# rm -f /var/cache/samba/group_mapping.tdb
 [EMAIL PROTECTED] root]# service smb start
 Starting SMB services: [  OK  ]
 Starting NMB services: [  OK  ]
 [EMAIL PROTECTED] root]# net groupmap list
 System Operators (S-1-5-32-549) - -1
 Replicators (S-1-5-32-552) - -1
 Guests (S-1-5-32-546) - -1
 Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
 Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
 Power Users (S-1-5-32-547) - -1
 Print Operators (S-1-5-32-550) - -1
 Administrators (S-1-5-32-544) - -1
 Account Operators (S-1-5-32-548) - -1
 Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
 Backup Operators (S-1-5-32-551) - -1
 Users (S-1-5-32-545) - -1
 [EMAIL PROTECTED] root]# net getlocalsid
 SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 08, 2004 10:34 AM
 To: Andrew Judge
 Cc: Samba
 Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize


 On Thu, 8 Jan 2004, Andrew Judge wrote:

  Okay, I did all the below successfully.  I actually had the old SID from the
  other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the
  NTUSER.DAT files
  
  Still no luck with the admin rights.  It will log into the domain and can
  see the domain groups and I can add them to local groups.  It even uses the
  netlogon scripts.  Do you need more info?  I think we are close though.

 Andy,

 In the procedure I gave you rather specific steps. That was for a reason.
 Maybe I should have explained each step a lot more fully.

 Samba stores its Domain/Machine SID in the secrets.tdb file. When you
 deleted the group_mapping.tdb file and then restarted Samba, it re-created
 the group_mapping.tdb file with all the default accounts. When it did
 this, the default accounts were initialized with the SID that was in the
 secrets.tdb file.

 I am guessing that you changed the SID _AFTER_ restarting Samba.

 I was trying to get your SIDs uniform throughout with minimum effort on
 your part. By resetting the Domain SID, you undid what I was trying to get
 you to rectify.

 Your Windows clients will be very confused by the inconsistent SIDs. What
 you did by resetting the SID would be expected to break everything again.

 I am guessing that by running:
   net getlocalsid
 you will now be able to confirm that the Samba Domain SID is the same as
 your original Domain SID.

 If you want this to work, you will have to repeat the steps I gave you
 though. Domain security will not work unless the SIDS are consistent.

 Cheers,
 John T.

 
  Andy
  -Original Message-
  From: John H Terpstra [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, January 07, 2004 11:42 PM

RE: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Andrew Judge
AH ha.  John is the winner!!!  I needed to delete the secrets.tdb file with
the group_mapping.tdb

John - email me off list and let me know how you want your gift certificate.
Thanks for all your help.

Andy

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:09 PM
To: Andrew Judge
Cc: Samba
Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize


Andrew,

You have something rather strange going on here. The following is the
result of running these steps on my system:

frodo:/etc/samba # net setlocalsid S-1-5-21-1206063004-3966108128-1487570950
frodo:/etc/samba # net getlocalsid
SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950
frodo:/etc/samba # samba start
Starting SAMBA nmbd :
done
cups  on
Waiting for cupsd to get ready
done
Starting SAMBA smbd :
done
Starting SAMBA winbind :
done
frodo:/etc/samba # net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Admins (S-1-5-21-1206063004-3966108128-1487570950-512) - -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
frodo:/etc/samba # net getlocalsid
SID for domain FRODO is: S-1-5-21-1206063004-3966108128-1487570950

Note: The SIDs are consistent.

I have been unable to reproduce the observations you have. Please would
you email me your secrets.tdb file (off-line). I'd like to see if there is
something weird in it.

Other than that, please move your secrets.tdb file to a backup location.
Make sure samba is NOT running when you do this. Then delete the
group_mapping.tdb file, then restart Samba.

Then check the value of the Domain SID from:
net getlocalsid
net groupmap list

I'd like to help track this one down.

Cheers,
John T.


On Thu, 8 Jan 2004, Andrew Judge wrote:

 Nope - it makes its own SIDs.  To prove it, it starts and ends with net
 getlocalsid. Here is the output since I tried it again:

 [EMAIL PROTECTED] root]# net getlocalsid
 SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950
 [EMAIL PROTECTED] root]# service smb stop
 Shutting down SMB services:[  OK  ]
 Shutting down NMB services:[  OK  ]
 [EMAIL PROTECTED] root]# rm -f /var/cache/samba/group_mapping.tdb
 [EMAIL PROTECTED] root]# service smb start
 Starting SMB services: [  OK  ]
 Starting NMB services: [  OK  ]
 [EMAIL PROTECTED] root]# net groupmap list
 System Operators (S-1-5-32-549) - -1
 Replicators (S-1-5-32-552) - -1
 Guests (S-1-5-32-546) - -1
 Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
 Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
 Power Users (S-1-5-32-547) - -1
 Print Operators (S-1-5-32-550) - -1
 Administrators (S-1-5-32-544) - -1
 Account Operators (S-1-5-32-548) - -1
 Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
 Backup Operators (S-1-5-32-551) - -1
 Users (S-1-5-32-545) - -1
 [EMAIL PROTECTED] root]# net getlocalsid
 SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 08, 2004 10:34 AM
 To: Andrew Judge
 Cc: Samba
 Subject: RE: [Samba] net groupmap / domain admins problem - Amazon prize


 On Thu, 8 Jan 2004, Andrew Judge wrote:

  Okay, I did all the below successfully.  I actually had the old SID from the
  other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the
  NTUSER.DAT files
  
  Still no luck with the admin rights.  It will log into the domain and can
  see the domain groups and I can add them to local groups.  It even uses the
  netlogon scripts.  Do you need more info?  I think we are close though.

 Andy,

 In the procedure I gave you rather specific steps. That was for a reason.
 Maybe I should have explained each step a lot more fully.

 Samba stores its Domain/Machine SID in the secrets.tdb file. When you
 deleted the group_mapping.tdb file and then restarted Samba, it re-created
 the group_mapping.tdb file with all the default accounts. When it did
 this, the default accounts were initialized with the SID that was in the
 secrets.tdb file.

 I am guessing that you changed the SID _AFTER_ restarting Samba.

 I was trying to get your SIDs uniform throughout with minimum effort on
 your part. By resetting the Domain SID, you undid what I was trying to get
 you to rectify.

 Your Windows clients will be very confused by the inconsistent SIDs. What
 you did by resetting the SID would be expected to break everything again.

 I am guessing

Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-08 Thread Kent L. Nasveschuk
John,

I actually did try this out with +Groupe name; I don't believe I could get
it to work. I tried many variations. I guess I need to experiment more
with how nsswitch.conf and PAM are configured. I'm not really
knowledgeable in this area.

I found an interesting work around for those of you looking for mapping
drives from login scripts based on secondary + groups.


/etc/group

dusers:x:500:
staff:x:680:kent,fred,joe

/etc/passwd

kent:x:4044:500::/accounts/staff/kent:/bin/bash
fred:x:4045:500::/accounts/staff/fred:/bin/bash
joe:x:4046:500::/accounts/staff/joe:/bin/bash

The users' primary group is dusers (500), but they have the secondary group staff (680).

In the netlogon directory I put a directory with the same name as the share, for example:

netlogon/staff-files

In that directory, put a single file secured by the directory permissions, for
example:

netlogon/staff-files/readme

Directory permissions on the staff-files directory in netlogon (0750):

drwxr-x---  2 root staff 4096 Jan  7 07:40 staff-files

The share in smb.conf:

[staff-files]
comment = Staff Files
path = /accounts/staff/staff-files
valid users = @staff
write list = @staff


The netlogon script reads as follows:


if exist \\SERVERNAME\netlogon\staff-files net use S: \\SERVERNAME\staff-files

Samba checks the local Linux groups, and if the user is in the group he/she
can read the file, so the drive is mapped.

Of course I wish all this info was in LDAP so I wouldn't have to mess
with local groups but Christmas has gone by and I didn't find this
solution in my stocking.

I can't take any credit for this idea. I found it in a 1999 posting but
it's a temporary fix for something that I believe many of us are
seeking.


Just have to say this stuff is marvelous. I've been utterly frustrated
and amazed at the versatility of Samba. Thanks for your support.


On Thu, 2004-01-08 at 03:54, John H Terpstra wrote:
 Hansjoerg,
 
 Instead of:
   valid users = @Groupe
 
 Please try:
   valid users = +Groupe
 
 Thanks.
 
 - John T.
 
 
 On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
 
  Hi
 
  thank you for your fast reply.
  I have a user sporer
  [EMAIL PROTECTED] root]# id -a sporer
  uid=1000(sporer) gid=1000(sensodrivegroup)
  Gruppen=1000(sensodrivegroup),1001(managementgroup)
 
  The user and the group are in LDAP and nss_ldap seems to work.
  [EMAIL PROTECTED] root]# getent group
  root:x:0:root
  
  Domain Admins:x:912:
  Domain Users:x:913:
  Domain Guests:x:914:
  Administrators:x:944:
  Users:x:945:
  Guests:x:946:
  Power Users:x:947:
  Account Operators:x:948:
  Server Operators:x:949:
  Print Operators:x:950:Administrator
  Backup Operators:x:951:
  Replicator:x:952:
  Domain Computers:x:953:
  sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
  managementgroup:x:1001:management,root,haehnle,sporer,sporers
 
  I am using
  [EMAIL PROTECTED] root]# rpm -q nss_ldap
  nss_ldap-207-3
 
  on RH9
 
  Within samba I have two shares
  [Projekte]
 comment = Sensodrive-Projekte
 path = /home/sensodrive
 force group = sensodrivegroup
 force user = sensodrive
 valid users = @sensodrivegroup,root
 
  [Management]
 comment = Sensodrive-Management
 path = /home/management
 force group = managementgroup
 force user = management
 valid users = @managementgroup,root
 
  Every user can access the Projekte share, because the primary  group of
  every user is sensodrivegroup.
  When user sporer tries to access the Management share, he gets
   user 'sporer' (from session setup) not permitted to access this share
  (Management)
 
  If I add the user sporer by his username to valid users it works
 valid users = @managementgroup,root,sporer,haehnle,sporers
 
  Maybe this helps to solve the problem
  If you need more information, or further testing give me a note
 
  Thank you very much
 
  Greetings
 
  Hansjörg
 
 
 
 
  John H Terpstra wrote:
 
  On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
  
  
  
  Hi
  
  I have a question related to the groupmapping with ldapsam as backend.
  You described that group entries have to be in /etc/group with tdbsam as
  backend.
  
  I recognized that samba 3.0.1 with ldapsam does not recognize secondary
  groups in ldap.
  (e.g. for accessing a share)
  
  The problem is described by  [EMAIL PROTECTED] too (see his email
  attached).
  
  Do secondary groups have to be in /etc/groups in order to be recognized
  by samba even with ldapsam?
  
  
  
  Whether or not this will work depends on how you configure ID resolution.
  
  Winbind apparently does not resolve secondary group membership.
  
  On the other hand, if you configure LDAP based ID resolution via the name
  service switcher (NSS) for both users and groups then secondary group
  membership resolution seems to work ok. The Posix user account should be
  in the LDAP database. You can then add users to multiple groups either in
  /etc/group or in the LDAP groups container.
  
  How did you 
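
To see what the @group lookup in "valid users" should have admitted, here is an added example (not Kent's, Hansjoerg's or John's code) that resolves a valid users value against passwd and group data the way NSS would, primary GID plus secondary membership. The sample accounts are constructed in the shape of the getent output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: resolve which accounts a Samba
# "valid users" value admits when group names are looked up through NSS,
# i.e. the UNIX-group semantics Hansjoerg expected (primary GID plus
# secondary membership). Token prefixes follow smb.conf(5): "+name" is a UNIX
# group, "@name" tries a NIS netgroup first and then a UNIX group, "&name" is
# a NIS netgroup only. Netgroups are not modelled here, so "&" tokens are
# reported and skipped. passwd and group contents are passed in as text so
# the function can run offline on copies of the real files.
resolve_valid_users() {
    passwd_text=$1
    group_text=$2
    spec=$3
    {
        printf '%s\n' "$passwd_text" | sed 's/^/P:/'
        printf '%s\n' "$group_text"  | sed 's/^/G:/'
    } | awk -F: -v spec="$spec" '
        $1 == "P" { pgid[$2] = $5; next }          # P:user:x:uid:gid:gecos:home:shell
        $1 == "G" {                                 # G:group:x:gid:member,member,...
            gid[$2] = $4
            n = split($5, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") member[$2, m[i]] = 1
            next
        }
        END {
            n = split(spec, tok, /[, \t]+/)         # Samba separates by comma or space
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "") continue
                if (t ~ /^&/) { print "skipped netgroup token " t | "cat 1>&2"; continue }
                if (t ~ /^[@+]/) {
                    g = substr(t, 2)
                    if (!(g in gid)) { print "unknown group " g | "cat 1>&2"; continue }
                    for (u in pgid) if (pgid[u] == gid[g]) out[u] = 1   # primary GID
                    for (k in member) {                                  # secondary
                        split(k, p, SUBSEP)
                        if (p[1] == g) out[p[2]] = 1
                    }
                } else out[t] = 1                                        # plain user
            }
            for (u in out) print u
        }' | sort
}

# Constructed samples in the shape of Hansjoerg's "getent" output above.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sporer:x:1000:1000::/home/sporer:/bin/bash
haehnle:x:1001:1000::/home/haehnle:/bin/bash
management:x:1002:1001::/home/management:/bin/bash
EOF
)
SAMPLE_GROUP=$(cat <<'EOF'
root:x:0:root
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
managementgroup:x:1001:management,root,haehnle,sporer,sporers
EOF
)

# sporer is admitted to [Management] only through his secondary group, which
# is exactly the lookup that failed for him in the thread.
resolve_valid_users "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "@managementgroup,root"
```

On a live box, feed it `"$(getent passwd)"` and `"$(getent group)"` to see what NSS (including nss_ldap) actually returns for the share's valid users line.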

Re: [Samba] net groupmap / domain admins problem - Amazon prize

2004-01-07 Thread John H Terpstra
On Wed, 7 Jan 2004, Andrew Judge wrote:

 I think that most of my problems are somewhat resolved except for this last
 one.  I can not get domain admin rights to the ntadmins users.  I get the
 following output for groupmaps:

 [EMAIL PROTECTED] i386]# net groupmap list
 System Operators (S-1-5-32-549) - -1
 Replicators (S-1-5-32-552) - -1
 Guests (S-1-5-32-546) - -1
 Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) - users
 Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
 Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
 Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
 Power Users (S-1-5-32-547) - -1
 Print Operators (S-1-5-32-550) - -1
 Administrators (S-1-5-32-544) - -1
 Account Operators (S-1-5-32-548) - -1
 Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) - ntadmins
 Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
 Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
 Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) - -1
 Backup Operators (S-1-5-32-551) - -1
 Users (S-1-5-32-545) - -1


 Obviously there is a problem with the domain '*' SID because there are
 duplicates.  Any idea how to correct this problem and get the users logged
 in with admin rights?  I have RH EN v.3 and samba 3.0.0-14.3E from RH.  I
 can see the users from the samba server and the users can log in, but no
 rights.  Big problem.

Ok. Roll up your sleeves!

I am presuming that you are NOT using an LDAP backend, that you still are
using an smbpasswd backend datafile.

1. Stop Samba
2. Delete the group_mapping.tdb file.
3. Restart Samba
- the default Domain Groups will automatically be created if you
  are NOT using LDAP ldapsam.
4. Map your groups as follows:

net groupmap modify ntgroup=Domain Users unixgroup=users
net groupmap modify ntgroup=Domain Admins unixgroup=root
net groupmap modify ntgroup=Domain Guests unixgroup=nobody

Add any Domain Groups you may want. Do tie them to existing (manually
created UNIX groups) eg:

groupadd engineers
net groupmap add ntgroup=Domain Engineers unixgroup=engineers type=d

groupadd ntadmins
net groupmap add ntgroup=Domain Power Users unixgroup=ntadmins type=d


PS: If you have a problem with these commands email me, I'll help you.


5. Add all users who should have Domain Admin rights to the UNIX root
group in /etc/group, like this:

root:x:0:jht,jimbo,jack,jill


6. Add all users who should have Workstation Admin rights (Power Users) to
the UNIX ntadmins group in /etc/group, like this:

ntadmins:x:123:maryo,susant,billm


7. Verify that the groups are correctly mapped:

net groupmap list


8. Now: On every windows client machine add:

a) Domain Admins to the Local Administrators Group
b) Domain Power Users to the Local Power Users Group



 Now... I migrated from 2.2.3a to the above and I have all the tdb and I
 changed the SID to the last PDC.  Anyway, how would I get the right SID?  I
 have NTUSER.DAT files that I can run profiles against to read them.  Would
 that help?

You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
NTUSER.DAT files.

To obtain the domain SID just run:

net getlocalsid



 First one that can point me in the right direction to get this resolved -
 I'll buy them an Amazon gift cert for $50.  Beats going bald from pulling out
 my hair.

It's a deal man!


- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]
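
The SID consistency John keeps coming back to can be checked mechanically before step 4 of his procedure. The script below is an added example, not code from the thread or from the Samba project; it parses the two listings the thread uses (net getlocalsid and net groupmap list) and its sample data is constructed from the mappings Andrew posted.

```shell
#!/bin/sh
# Added example, not from the thread: audit "net groupmap list" against the
# domain SID reported by "net getlocalsid". Both outputs are passed in as
# text so the check can also run offline on a pasted listing. Reports:
#   FOREIGN-SID     a domain group whose SID prefix is not the local domain SID
#   UNMAPPED        a correctly-prefixed domain group still mapped to "-1"
#   DUPLICATE-NAME  an NT group name that occurs more than once
# Returns 0 when the mapping is consistent, 1 otherwise, 2 on a parse error.
check_groupmap_sids() {
    localsid_out=$1
    groupmap_out=$2
    # "SID for domain FPICSRV is: S-1-5-21-..." -> keep the last field
    domain_sid=$(printf '%s\n' "$localsid_out" | awk '/^SID for domain/ { print $NF }')
    if [ -z "$domain_sid" ]; then
        echo "check_groupmap_sids: could not parse domain SID" >&2
        return 2
    fi
    printf '%s\n' "$groupmap_out" | awk -v dom="$domain_sid" '
        BEGIN { bad = 0 }
        # one mapping per line: "NT name (SID) - unixgroup"
        /\(S-[0-9-]+\)/ {
            match($0, /\(S-[0-9-]+\)/)
            sid  = substr($0, RSTART + 1, RLENGTH - 2)
            name = substr($0, 1, RSTART - 2)
            unix = $0; sub(/^.*\) - */, "", unix)
            if (sid !~ /^S-1-5-32-/) {                   # BUILTIN aliases carry no domain SID
                prefix = sid; sub(/-[0-9]+$/, "", prefix) # drop the RID
                if (prefix != dom)     { print "FOREIGN-SID: " $0; bad = 1 }
                else if (unix == "-1") { print "UNMAPPED: " $0; bad = 1 }
            }
            if (++seen[name] > 1)      { print "DUPLICATE-NAME: " $0; bad = 1 }
        }
        END { exit bad }'
}

# Constructed samples, based on the listings posted in this thread.
SAMPLE_LOCALSID='SID for domain FPICSRV is: S-1-5-21-1206063004-3966108128-1487570950'

# The three-SID mess from Andrew's first listing (abridged).
SAMPLE_GROUPMAP_BAD=$(cat <<'EOF'
System Operators (S-1-5-32-549) - -1
Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) - users
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) - -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) - -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - -1
Administrators (S-1-5-32-544) - -1
Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) - ntadmins
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) - -1
Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) - -1
Users (S-1-5-32-545) - -1
EOF
)

# What the listing should look like after John's steps 1-7.
SAMPLE_GROUPMAP_OK=$(cat <<'EOF'
Domain Admins (S-1-5-21-1206063004-3966108128-1487570950-512) - root
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) - users
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) - nobody
Domain Power Users (S-1-5-21-1206063004-3966108128-1487570950-2081) - ntadmins
Administrators (S-1-5-32-544) - -1
EOF
)

if [ "${1:-}" = "--live" ]; then
    # on a real PDC: compare the running daemon's SID with its group map
    check_groupmap_sids "$(net getlocalsid)" "$(net groupmap list)"
else
    check_groupmap_sids "$SAMPLE_LOCALSID" "$SAMPLE_GROUPMAP_OK" && echo "OK sample: consistent"
    check_groupmap_sids "$SAMPLE_LOCALSID" "$SAMPLE_GROUPMAP_BAD" || echo "BAD sample: inconsistent, fix before mapping groups"
fi
```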