Chris Hall
2007-Feb-08 11:23 UTC
[Samba] pdbedit: '-G rid' doesn't seem to have any effect
On my Samba PDC, using tdbpass:
'pdbedit -Lv agrotera$' produces:
Unix username: agrotera$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-4211105910-4270789338-3787013593-1414
Primary Group SID: S-1-5-21-4211105910-4270789338-3787013593-513
.....
'getent passwd agrotera$' gives:
agrotera$:x:207:200:SMB Machine:/dev/null:/bin/false
where GID 200 is SMB_Machine, which is groupmapped:
Domain Computers (S-1-5-21-4211105910-4270789338-3787013593-515) -> \
SMB_MACHINE
So...
(a) doesn't seem right that the machine account is in 'Domain Users'
in the first place.
(b) UNIX agrotera$ has primary group that is mapped to 'Domain
Computers', but the tdbpass file says otherwise.
If I create a new machine account it is put in the 'Domain Computers'
group, as in:
'adduser -M -u 299 -g 200 fred$'
'pdbedit -a -m fred$'
Unix username: fred$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-4211105910-4270789338-3787013593-1598
Primary Group SID: S-1-5-21-4211105910-4270789338-3787013593-515
Now, the old machine accounts were created (long) before I set up the
groupmap for 'Domain Computers'. So, those entries may simply be out of
date.
So... I thought perhaps this should be fixed, but...
'pdbedit -r -u agrotera$ -G 515', produced:
Unix username: agrotera$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-4211105910-4270789338-3787013593-1414
Primary Group SID: S-1-5-21-4211105910-4270789338-3787013593-513
which is to say, nothing changed and no error or warning message was
given.
Can anyone explain this, please?
Thanks,
Chris
--
Chris Hall @ Home +44 (0)7970 277 383
Gerald (Jerry) Carter
2007-Feb-08 13:10 UTC
[Samba] pdbedit: '-G rid' doesn't seem to have any effect
Chris Hall wrote:
> 'pdbedit -r -u agrotera$ -G 515', produced:
>
> Unix username: agrotera$
> NT username:
> Account Flags: [W ]
> User SID: S-1-5-21-4211105910-4270789338-3787013593-1414
> Primary Group SID: S-1-5-21-4211105910-4270789338-3787013593-513
>
> which is to say, nothing changed and no error or warning message was
> given.

I'll remove the -G option today. But the reported primary group
should reflect the real Unix group membership if in fact that
group has been mapped to a domain group. So I'd say there's
a bug here in pdbedit.

cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
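Added example, not part of the thread and not Samba code: a Python audit that derives the primary group SID each account should have from its Unix primary GID and the group mapping, then flags accounts whose stored value differs, as agrotera$ does above. The sample inputs are constructed from the output quoted in the thread; the `getent group` line and the function names are assumptions.

```python
import re

DOM = "S-1-5-21-4211105910-4270789338-3787013593"  # domain SID quoted in the thread

# Constructed sample inputs, modelled on the command output quoted in the thread.
PDBEDIT_LV = f"""Unix username: agrotera$
Account Flags: [W ]
User SID: {DOM}-1414
Primary Group SID: {DOM}-513
---------------
Unix username: fred$
Account Flags: [W ]
User SID: {DOM}-1598
Primary Group SID: {DOM}-515
"""
GETENT_PASSWD = ("agrotera$:x:207:200:SMB Machine:/dev/null:/bin/false\n"
                 "fred$:x:299:200::/dev/null:/bin/false\n")
GETENT_GROUP = "SMB_Machine:x:200:\n"  # assumed group entry for GID 200
GROUPMAP = f"Domain Computers ({DOM}-515) -> SMB_Machine\n"  # group mapping listing

def stored_primary_groups(pdbedit_text):
    """Map Unix username -> Primary Group SID as recorded in the passdb."""
    result, user = {}, None
    for line in pdbedit_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Unix username":
            user = value.strip()
        elif key.strip() == "Primary Group SID" and user:
            result[user] = value.strip()
    return result

def expected_primary_groups(passwd, group, groupmap):
    """Map Unix username -> SID its primary GID is mapped to (None if unmapped)."""
    gid_to_name = {f[2]: f[0] for f in (l.split(":") for l in group.splitlines() if l)}
    name_to_sid = {m.group(2): m.group(1)
                   for m in re.finditer(r"\((S-[\d-]+)\) -> (\S+)", groupmap)}
    expected = {}
    for line in passwd.splitlines():
        if line:
            fields = line.split(":")
            expected[fields[0]] = name_to_sid.get(gid_to_name.get(fields[3]))
    return expected

def find_mismatches(pdbedit_text, passwd, group, groupmap):
    """Return {user: (stored_sid, expected_sid)} where the passdb disagrees."""
    stored = stored_primary_groups(pdbedit_text)
    expected = expected_primary_groups(passwd, group, groupmap)
    return {u: (sid, expected[u]) for u, sid in stored.items()
            if expected.get(u) and expected[u] != sid}
```

Accounts whose Unix primary group has no mapping are skipped rather than reported, since there is no domain group SID to compare against.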