Okay, got the answer so I'm just replying so this ends up in the
archives for posterity so someone else might not rack their brains.
The following is for mapping a domain group to a local Unix group on a
machine running samba in a domain member role.
DOMAIN = MEDITECH
MACHINE = PINKFLOYD
domain wide admin group = Domain Server Admin
Unix user group = wheel
1) Add nested group support in smb.conf and restart:
winbind nested groups = yes
2) Create a local SMB group on the machine.
net rpc group add "Unix Admins" -L -U PINKFLOYD+root
^^^^^
- Took me a while to realize since root isn't in the domain, I needed to
specify the local machine name.
3) Add the domain wide admin group to the new local group:
net rpc group addmem "Unix Admins" "MEDITECH\Domain Server Admin" -U PINKFLOYD+root
4) Map the new local SMB group to the Unix admin group:
net groupmap modify ntgroup="Unix Admins" unixgroup=wheel
I hope this helps someone else. It was the creation of the local SMB
group that tripped me up the entire time.
Thanks,
tom
On Tue, 2005-09-06 at 21:06 -0400, Tom McLaughlin wrote:
> Hi, I have a CentOS 4.1 box at work running Samba 3 which I have added
> as a domain member to an existing Windows domain with a Windows PDC.
> The box running Samba has no local unix users and groups except for root
> and the other builtin accounts. All user authentication is done through
> pam_winbind and user information is handled by winbind. What I would
> like to do is have users that are members of the Windows domain's Unix
> Admin global group gain membership to the local unix wheel group when
> they login via ssh to the Linux box. Preferably without needing to
> touch the /etc/groups file at all.
>
> I've read chapters 11 and 12 of the Samba How-To and I tried the
> following on the domain member running Samba based on the How-To:
>
> net groupmap add ntgroup="Unix Admin" unixgroup=wheel
>
> But when I ssh'ed in as my user who is a member of the Unix Admin group
> and run `groups` I do not see myself as a member of the wheel group. I
> also can't alter files with wheel write permissions.
>
> After looking at the output of `net getdomainsid` and `net groupmap
> list` (by this time I had already deleted the Unix Admin -> wheel
> groupmap) I realized that the SIDs I see in the groupmap list correspond
> to the SID of the local machine and not the domain. I also see that
> Unix Admin is not even listed as a group when I check the groups on the
> machine.
>
>
> [root@pinkfloyd ~]# net getdomainsid
> SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
> SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200
>
>
> [root@pinkfloyd ~]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
> Domain Guests (S-1-5-21-3074351591-431869502-3764789074-514) -> -1
> Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
>
> My question is how should I be going about mapping my domain group
> members so they gain membership to a local Unix group while they're
> logged in? I've read the chapters in the How-To but I'm definitely
> missing something. I realize now that I can't simply groupmap "Unix
> Admin" to wheel so there must be some intermediate steps in between.
> Can someone point me in the right direction? Thanks.
>
> Tom
>
>
> smb.conf:
>
> # Global parameters
> [global]
> workgroup = MEDITECH
> server string = Samba Server
> security = DOMAIN
> password server = meditech3
> log file = /var/log/samba/%m.log
> max log size = 50
> name resolve order = lmhosts wins bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = /etc/printcap
> os level = 0
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> wins server = lb:172.30.48.2, canton:172.30.16.2
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template homedir = /home/%U
> template shell = /bin/bash
> winbind separator = +
> winbind use default domain = Yes
> cups options = raw
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
> [public]
> comment = Public Stuff
> path = /var/samba/public
> write list = "@Domain Server Admin"
> guest ok = Yes
>
>
> --
> BSD# Project - Mono on FreeBSD
> http://www.mono-project.com/Mono:FreeBSD
>
--
BSD# Project - Mono on FreeBSD
http://www.mono-project.com/Mono:FreeBSD
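The procedure above, plus the diagnostic step Tom describes (telling apart local-machine, domain and BUILTIN SIDs in `net groupmap list`), as an added example script. It is not part of the original thread. It assumes the names from the thread (domain MEDITECH, member server PINKFLOYD, domain group "Domain Server Admin", Unix group wheel, `winbind separator = +`) and uses the Samba 3 `net rpc group addmem` subcommand; the sample listing, including the "Unix Admins" line with RID 1001, is constructed for the example. The `apply` step needs a real domain member and only runs when the script is invoked with the argument `apply`; the SID-classification helpers run anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): map a domain group to a
# local Unix group through a local (alias) group, and classify the SIDs
# that `net groupmap list` shows so a mapping created under the wrong
# SID authority is easy to spot.
# Assumed names, taken from the thread:
DOMAIN=MEDITECH
MACHINE=PINKFLOYD
DOMAIN_GROUP="Domain Server Admin"
LOCAL_GROUP="Unix Admins"
UNIX_GROUP=wheel
# SIDs as printed by `net getdomainsid` in the thread.
LOCAL_SID=S-1-5-21-3074351591-431869502-3764789074
DOMAIN_SID=S-1-5-21-1698397751-1239680928-390482200

# Steps 2-4 from the thread. Step 1 (winbind nested groups = yes in
# smb.conf, then restart smbd/winbindd) is configuration, not a command.
# Requires a working domain member; only run with the 'apply' argument.
apply_mapping() {
    net rpc group add "$LOCAL_GROUP" -L -U "${MACHINE}+root"
    net rpc group addmem "$LOCAL_GROUP" "${DOMAIN}\\${DOMAIN_GROUP}" \
        -U "${MACHINE}+root"
    net groupmap modify ntgroup="$LOCAL_GROUP" unixgroup="$UNIX_GROUP"
}

# Strip the RID (last component) from a SID:
#   S-1-5-21-a-b-c-512 -> S-1-5-21-a-b-c
sid_domain() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Say which SID authority a SID belongs to: builtin, local (this
# machine's SAM), domain, or other.
classify_sid() {
    # $1 = SID, $2 = local machine SID, $3 = domain SID
    case "$1" in
        S-1-5-32-*) echo builtin ;;
        "$2"-*)     echo local ;;
        "$3"-*)     echo domain ;;
        *)          echo other ;;
    esac
}

# Print the SID of a named group from a `net groupmap list` listing,
# or nothing if the group has no mapping entry.
groupmap_sid() {
    # $1 = listing text, $2 = exact group name
    printf '%s\n' "$1" | sed -n "s/^$2 (\([^)]*\)) -> .*/\1/p"
}

# One line per mapping: "<group><TAB><sid><TAB><class>".
# Entries with "-> -1" are unmapped, just as in the thread's output.
report_groupmap() {
    # $1 = listing text, $2 = local machine SID, $3 = domain SID
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=${line%% (*}
        sid=${line#* (}
        sid=${sid%%)*}
        printf '%s\t%s\t%s\n' "$name" "$sid" \
            "$(classify_sid "$sid" "$2" "$3")"
    done
}

# Constructed listing: the first three lines are from the thread, the
# "Unix Admins" line (RID 1001) is hypothetical and shows what the
# alias looks like once step 4 has mapped it to wheel.
SAMPLE_LISTING='Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
Unix Admins (S-1-5-21-3074351591-431869502-3764789074-1001) -> wheel'

if [ "${1:-}" = apply ]; then
    apply_mapping
else
    report_groupmap "$SAMPLE_LISTING" "$LOCAL_SID" "$DOMAIN_SID"
fi
```

Run without arguments it prints the classified sample listing; on a real member server replace `SAMPLE_LISTING` with `$(net groupmap list)` and the two SIDs with the output of `net getdomainsid`. Every alias created with `net rpc group add -L` sits under the local machine SID, which is expected; a mapping named after a domain group but carrying a local SID (as in the original attempt) is the symptom to look for.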