RE: [Samba] Winbind - how to map ADS group to Unix group
After much experimentation I think I can better frame this problem.

I wanted to be able to map an ADS domain group to a local Unix group. I also wanted to be able to map ADS domain groups/accounts to ROOT. For instance, I wanted all members of the ADS group Domain Admins to map to ROOT.

My Linux box was joined to the ADS domain but is not running smbd. Only winbindd is running.

After experimenting with suggestions to use:

    net groupmap
    username map

I have come to the conclusion that these approaches only work for interaction with smbd and don't help when all that is running is winbindd. It seems to me these approaches work for controlling resources exposed via (smbd).

I am running only winbindd because at this point I am not concerned with sharing resources but more concerned with Single Sign On with ADS groups mapped to having rights on Linux boxes.

So this is what I have learned. Running winbindd only:

gpasswd -a DOM\Account unixgroup will add an ADS domain account to a local *nix group.

Setting winbind trusted domains only = yes and then creating each domain account locally, I can make a domain admin account = ROOT, but of course this means I have to create each account locally, which is no fun (I think this is what Choudary Mumtaz was proposing).

THE QUESTION:

I think at this point I may be trying to make winbindd work in a way it wasn't really designed to. As a next step I was thinking of trying to edit the winbind DB and manually set the GID of Domain Admins to 0 or group Domain Users to 503. As far as I can tell there is not a command line interface to change the mappings within the winbindd DB. Does this make sense?
Thanks,
Noal

-----Original Message-----
From: Choudary Mumtaz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 03, 2005 6:30 PM
To: Miles, Noal; 'Gerald (Jerry) Carter'
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] Winbind - how to map ADS group to Unix group

It might be a very silly way to do it, but this is how I accomplished it as I never got any help from the group during my setup. Most of the tools provided by Samba didn't work for me, and I haven't been able to figure out the problem.

I have added all the respective SAMBA groups to local /etc/group, so here you may make test2 member of Domain Users group, and it will work.

If you would like to take a quick look at my setup, please feel free to visit http://www.miracletechs.com/sambainstall.html.

Thank you.
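Added example, not part of the thread: a read-only audit for the approach described in the message above, where `gpasswd -a DOM\Account unixgroup` places domain accounts in local groups. It reads group(5)-format lines and lists domain-style members of any GID 0 group and of wheel; the backslash separator, the privileged-name list and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit group(5)-format data for domain accounts that
# ended up in privileged local groups.

# audit_groups FILE [PRIVILEGED_NAMES]
#   FILE may be "-" to read standard input.
#   Prints "group:gid:member" for each member written as DOM\account
#   (backslash separator assumed) in a group whose GID is 0 or whose
#   name is in PRIVILEGED_NAMES (default "root wheel", an assumption).
audit_groups() {
    awk -F: -v priv="${2:-root wheel}" '
        BEGIN {
            n = split(priv, names, " ")
            for (i = 1; i <= n; i++) is_priv[names[i]] = 1
        }
        /^#/ || NF < 4 { next }            # skip comments and short lines
        $3 == 0 || ($1 in is_priv) {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (index(members[i], "\\") > 0)
                    print $1 ":" $3 ":" members[i]
        }
    ' "$1"
}

# Constructed sample data in group(5) format; not taken from the thread.
sample_group_file() {
    cat <<'EOF'
root:x:0:
wheel:x:10:root,DOM\alice
test2:x:502:DOM\bob
admins:x:0:DOM\Administrator,localadmin
EOF
}

# Report on the constructed sample.
sample_group_file | audit_groups -
```

On a live host, `audit_groups /etc/group` checks the local file, and `getent group | audit_groups -` also covers groups that NSS enumerates.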
RE: [Samba] Winbind - how to map ADS group to Unix group
Winbind is configured for ads. I want Domain\Domain Users to be members of local linux group test2.

I created a local group on the linux box:

    groupadd -u 502 test2

I have tried net groupmap addmem, it tells me the syntax is

    net groupmap addmem alias-sid member-sid

There is no SID for test2 so how can I use net groupmap addmem?

    wbinfo -G 502
    Cannot convert gid 502 to sid

    net groupmap add ntgroup=Domain\Domain Users unixgroup=test2
    Successfully added group Domain\Domain Users to the mapping db

    getent group test2
    Test2:x:502:

So this doesn't work either. I have also tried username map in smb.conf with no success.

I appreciate the suggestions thus far. Any additional help would be greatly appreciated.

Thanks,
Noal

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 01, 2005 8:00 AM
To: Miles, Noal
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] Winbind - how to map ADS group to Unix group

Miles, Noal wrote:
| OK I set winbind nested group = yes

use `net groupmap {addmem,delmem,listmem}'

cheers, jerry
RE: [Samba] Winbind - how to map ADS group to Unix group
It might be a very silly way to do it, but this is how I accomplished it as I never got any help from the group during my setup. Most of the tools provided by Samba didn't work for me, and I haven't been able to figure out the problem.

I have added all the respective SAMBA groups to local /etc/group, so here you may make test2 member of Domain Users group, and it will work.

If you would like to take a quick look at my setup, please feel free to visit http://www.miracletechs.com/sambainstall.html.

Thank you.

Miles, Noal [EMAIL PROTECTED] wrote:

Winbind is configured for ads. I want Domain\Domain Users to be members of local linux group test2.

I created a local group on the linux box:

    groupadd -u 502 test2

I have tried net groupmap addmem, it tells me the syntax is

    net groupmap addmem alias-sid member-sid

There is no SID for test2 so how can I use net groupmap addmem?

    wbinfo -G 502
    Cannot convert gid 502 to sid

    net groupmap add ntgroup=Domain\Domain Users unixgroup=test2
    Successfully added group Domain\Domain Users to the mapping db

    getent group test2
    Test2:x:502:

So this doesn't work either. I have also tried username map in smb.conf with no success.

I appreciate the suggestions thus far. Any additional help would be greatly appreciated.

Thanks,
Noal
Re: [Samba] Winbind - how to map ADS group to Unix group
Miles, Noal wrote:
| OK I set winbind nested group = yes

use `net groupmap {addmem,delmem,listmem}'

cheers, jerry
Re: [Samba] Winbind - how to map ADS group to Unix group
Miles, Noal wrote:
| I am running 3.0.10-1.4E on RHEL4. The machine is
| an ADS member server. I would like to statically
| map the ADS group Domain Admins to the built in
| wheel group so all members of Domain Admins
| are in the wheel group.

Look at the 'winbind nested group' options in smb.conf.

cheers, jerry

Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca
RE: [Samba] Winbind - how to map ADS group to Unix group
OK I set winbind nested group = yes option in smb.conf. Still can't quite get it to work. The only doc I can find says

    net rpc group add wheel -L
    (why would I add this group, it is built in *nix group?)
    net rpc group addmem wheel DOM\Domain Admins

I don't even have smbd running, only winbind. The wheel group is a built in Unix group.

When I issue this command as the root account on the box the winbind log says user 'root' does not exist. When I issue the command as an ADS account the command returns

    could not connect to server 127.0.0.1

Am I missing something?

Thanks,
Noal

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 25, 2005 1:47 PM
To: Miles, Noal
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] Winbind - how to map ADS group to Unix group

Miles, Noal wrote:
| I am running 3.0.10-1.4E on RHEL4. The machine is
| an ADS member server. I would like to statically
| map the ADS group Domain Admins to the built in
| wheel group so all members of Domain Admins
| are in the wheel group.

Look at the 'winbind nested group' options in smb.conf.

cheers, jerry