thr3ads.net - samba - [Samba] Fwd: Re: Can't add users to well known groups... [Sep 2011]

If this information is useful, please help other people find it:
Share via:
François Legal
2011-Sep-12 13:52 UTC
[Samba] Fwd: Re: Can't add users to well known groups...

Forgot to CC the list. 

-------- Original Message --------


		SUBJECT:
 		Re: [Samba] Can't add users to well known
groups...

		DATE:
 		Mon, 12 Sep 2011 15:51:31 +0200

		FROM:

		Fran?ois Legal 

		TO:
 		Linda Walsh 

Not sure if this is relevant,
but if (first case shown down here) "Domain Admins" is not so much a
group but a map to unix group, I'm not surprised that you can't add
users to this using sambe. I would rather use /etc/group or whatever to
add users to the unix group mapped. 

Fran?ois 

On Sat, 10 Sep 2011
12:08:32 -0700, Linda Walsh wrote: 
> Harry Jede wrote:
> 
>> On
15:48:09 wrote Linda Walsh: >> 
>>> I created the well known groupDomain Admins pointing to a local group, but I am not able to add users
to the group -- it claims I can only add users to local or global
groups... But I only see local, domain ,well-known, builtin. There are
no global groups unless one would include all groups that are not local
(i.e. domain, well-known, and builtin).... So why doesn't it want to let
me add to my domain admins group when it is defined as a well known
group (which it is, according to MS)...>> Nobody may be able to answeryour questions, if you dont give us some background information!
something like: which samba version which sam, ldapsam or tdbsam do you
use winbind your global section of samba conf the commands you have used
which well knwon groups you have cureently ---> 
> Sorry...
> running
with latest 3.5.x: 3.5.11 as of this writing.> Using Tdb & winbind.
>Since I as having problems with Domain Admins, tried
deleting> it andrecreating it as a domain group (so it doesn't show, below, as
a> 'wellknown group, but a domain group (even though it should be
both)).>
--------------> 
>> sudo net -l groupmap list
> 
> Domain Users
> SID :
S-1-5-21-33333-77777-33333-513> Unix gid : 513
> Unix group: Domain
Users> Group type: Well-known Group
> Comment : Wellknown Unix group
>
man> SID : S-1-5-21-33333-77777-33333-1028
> Unix gid : 62
> Unix
group: man> Group type: Domain Group
> Comment : Unix Group man
>
Domain Controllers> SID : S-1-5-21-33333-77777-33333-516
> Unix gid :
516> Unix group: Domain Controllers
> Group type: Well-known Group
>
Comment : Wellknown Unix group> Backup Operators
> SID : S-1-5-32-551
>
Unix gid : 551> Unix group: Backup Operators
> Group type: Well-known
Group> Comment : Wellknown Unix group
> Power Users
> SID :
S-1-5-32-547> Unix gid : 547
> Unix group: Power Users
> Group type:
Well-known Group> Comment : Wellknown Unix group
> Cert Publishers
>
SID : S-1-5-21-33333-77777-33333-517> Unix gid : 517
> Unix group: Cert
Publishers> Group type: Well-known Group
> Comment : Wellknown Unix
group> Replicators
> SID : S-1-5-32-552
> Unix gid : 552
> Unix group:
Replicators> Group type: Well-known Group
> Comment : Wellknown Unix
group> Domain Admins
> SID : S-1-5-21-33333-77777-33333-544
> Unix gid
: 512> Unix group: Domain Admins
> Group type: Domain Group
> Comment :
Domain Unix group> Juno
> SID : S-1-5-21-33333-77777-33333-1005
> Unix
gid : 231> Unix group: Juno
> Group type: Domain Group
> Comment : Juno
Printer Group> media
> SID : S-1-5-21-33333-77777-33333-1017
> Unix gid
: 20001> Unix group: media
> Group type: Domain Group
> Comment : Unix
Group media> Administrators
> SID : S-1-5-32-544
> Unix gid : 544
>
Unix group: Administrators> Group type: Well-known Group
> Comment :
Wellknown Unix group> Domain Guests
> SID :
S-1-5-21-33333-77777-33333-514> Unix gid : 514
> Unix group: Domain
Guests> Group type: Well-known Group
> Comment : Wellknown Unix group
>
Trusted Local Net Users> SID : S-1-5-21-33333-77777-33333-50002
> Unix
gid : 50002> Unix group: trusted_local_net_users
> Group type: Domain
Group> Comment : Trusted Local Net Users
> Account Operators
> SID :
S-1-5-32-548> Unix gid : 548
> Unix group: Account Operators
> Group
type: Well-known Group> Comment : Wellknown Unix group
> Schema
Admins> SID : S-1-5-21-33333-77777-33333-518
> Unix gid : 518
> Unix
group: Schema Admins> Group type: Well-known Group
> Comment :
Wellknown Unix group> RAS Servers
> SID : S-1-5-32-553
> Unix gid :
10123> Unix group: BUILTINras servers
> Group type: Local Group
>
Comment :> scan
> SID : S-1-5-21-33333-77777-33333-1006
> Unix gid :
232> Unix group: scan
> Group type: Local Group
> Comment : Local Unix
group> Users
> SID : S-1-5-32-545
> Unix gid : 10000
> Unix group:
BUILTINusers> Group type: Local Group
> Comment :
> Domain Computers
>
SID : S-1-5-21-33333-77777-33333-515> Unix gid : 515
> Unix group:
Domain Computers> Group type: Well-known Group
> Comment : Wellknown
Unix group> Domain Administrator
> SID :
S-1-5-21-33333-77777-33333-500> Unix gid : 500
> Unix group: Domain
Administrator> Group type: Well-known Group
> Comment : Wellknown Unix
group> Print Operators
> SID : S-1-5-32-550
> Unix gid : 550
> Unix
group: Print Operators> Group type: Well-known Group
> Comment :
Wellknown Unix group> Guests
> SID : S-1-5-32-546
> Unix gid : 546
>
Unix group: Guests> Group type: Well-known Group
> Comment : Wellknown
Unix group> Group Policy Creator Owners
> SID :
S-1-5-21-33333-77777-33333-520> Unix gid : 520
> Unix group: Group
Policy Creator Owners> Group type: Well-known Group
> Comment :
Wellknown Unix group> Domain Guest
> SID :
S-1-5-21-33333-77777-33333-501> Unix gid : 501
> Unix group: Domain
Guest> Group type: Well-known Group
> Comment : Wellknown Unix group
>
Enterprise Admins> SID : S-1-5-21-33333-77777-33333-519
> Unix gid :
519> Unix group: Enterprise Admins
> Group type: Well-known Group
>
Comment : Wellknown Unix group> lawgroup
> SID :
S-1-5-21-33333-77777-33333-61008> Unix gid : 201
> Unix group:
lawgroup> Group type: Domain Group
> Comment : Domain Unix group
>
-----> In the "well known SID's, some are supposed to be PER-Domain
SIDS> (thus they have the 3-7-3 pattern, while others (like Print
Operators) have> fixed numbers (not in domain)...thus the differences
in the SID's above).> I referred tohttp://support.microsoft.com/kb/243330 [1] as a reference
in> setting
up the above so any mistakes are my own (as usual!))....> 
> As you cansee most of the groups above are 'well known groups -- as
they> are
defined by MS'...> 
> =--
> Commands used - various:
> Sample:
> # net
rpc group addmem 'Domain Users' law> Enter root's password:
> Can onlyadd members to global or local groups which Domain Users is
not> ----
>
But now with Domain Admins as a NT group, I get:> # net rpc group
addmem 'Domain Admins' law> Enter root's password:
> Could not add law
to Domain Admins: NT_STATUS_ACCESS_DENIED> ---------------
> 
> Global
section:> # Samba config file hand created - alphabetized restored from
SWAT damage> 
> [global]
> 
> add user script = /usr/sbin/useradd -m
%u> add group script = /usr/sbin/groupadd %g
> add machine script /usr/sbin/useradd -g machines -c Machine -d 
> /dev/null -s /bin/false
%u> aio read size = 16384
> aio write size = 16384
> allocation roundup
size = 4096> bind interfaces only = Yes
> block size = 4096
> client
managed wide links = yes> create mask = 03775
> debug class = yes
>
debug hires timestamp = no> debug prefix timestamp = no
> delete user
script = /usr/sbin/userdel %u> delete group script = /usr/sbin/groupdel
%g> display charset = UTF-8
> domain logons = Yes
> domain master Yes
> ea support = Yes
> enable core files = yes
> force create mode 0660
> force directory mode = 0770
> guest account = guest
> idmap
backend = tdb> idmap config * : range = 0 - 100000
> idmap config * :
base_rid=0> idmap uid=15000-20000
> idmap gid=10000-14000
> interfaces
= eth0,lo> log file = /var/log/samba/log-%D.%m
> log level = 1 tdb:1
smb:1 idmap:1 winbind:1> logon path = \%D%Uprofile
> logon drive = i:
>
logon home = \%D%U> lpq command = lpq -P'%p'
> lprm command = lprm
-P'%p' %j> max xmit = 1048576
> min receivefile size = 16384
> name
resolve order = lmhosts host wins bcast> netbios name = Ishtar
>
netbios aliases = Bliss> os level = 65
> passdb backend tdbsam:/etc/samba/.internals/passwd.tdb
> passwd program /usr/bin/passwd '%u'
> password server = localhost
> preferred master Yes
> printing = bsd
> print command = lpr -r -P'%p' %s
>
rpc_server:epmapper = daemon> server string = Bliss on %h running Samba
%v> set primary group script = /usr/sbin/usermod -g '%g' '%u'
> show
add printer wizard = No> smb encrypt = disabled
> socket options TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=4194304 
> SO_RCVBUF=4194304
>
#store dos attributes = yes> state directory = /etc/samba/.internals
>
#strict allocate = yes ;not useful for my domain> time server = Yes
>
unix extensions = Yes> unix password sync = Yes
> use sendfile = Yes
>
username map = /etc/samba/smbusers> wide links = yes
> winbind enum
groups = Yes> winbind enum users = Yes
> wins support = Yes
> workgroup
= Bliss> write cache size = 655360
> 
> [netlogon]
> path /home/%D/%U
> guest ok = Yes
> follow symlinks = yes
> wide links yes
> write list = +Administrators, root, law
> csc policy = disable
>
> [public]
> comment = public include files
> guest ok = Yes
> acl
group control = yes> inherit acls = yes
> follow symlinks = yes
> wide
links = yes> path = /home/%D/public
> read only = Yes
> write list +Administrators
> 
> [homes]
> acl group control = yes
> store dos
attributes = yes> comment = hdir, u=%u, U=%U, S=%S, D=%D, w=%w, H=%H
p=%p> create mask = 0751
> follow symlinks = yes
> inherit acls = yes
>
map acl inherit = yes> path = /home/%D/%u
> read only = no
> validusers = %S, %D%w%S, +Domain Admins, +Administrators,
+wheel> wide links
= yes> vfs objects = recycle, readahead, shadow_copy2
>
readahead:length = 512K> recycle: keeptree = true
> shadow:snapdir /home/snapdir
> shadow:basedir = /home
> 
> [servhome]
> acl group
control = yes> map acl inherit = yes
> store dos attributes = yes
>
inherit acls = yes> comment = shomedir u=%u, U=%U, s=%S, d=%D, w=%w
>
follow symlinks = yes> path = /home/%U
> read only = no
> create mask 0751
> vfs objects = recycle, readahead
> vfs objects = recycle,
readahead, shadow_copy2> wide links = yes
> recycle: keeptree = true
>
shadow:snapdir = /home/snapdir> shadow:basedir = /home
> 
> [scans]
>
comment = Juno scans> acl group control = yes
> store dos attributes yes
> map acl inherit = yes
> inherit acls = yes
> follow symlinks yes
> wide links = yes
> path = /home/scan
> valid users +trusted_local_net_users
> write list = law, Juno
> recycle: keeptree true
> 
> [home]
> acl group control = yes
> store dos attributes yes
> map acl inherit = yes
> inherit acls = yes
> comment = Home-star
(allhomes)> follow symlinks = yes
> read only = no
> wide links = yes
>
path = /home> valid users = +trusted_local_net_users,%U,%S, %D%w%S
>
write list = %U, +Administrators, +Domain Admins> vfs objects recycle, readahead, shadow_copy2
> recycle: keeptree = true
>
shadow:snapdir = /home/snapdir> shadow:basedir = /home
> 
>
[Pictures]> acl group control = yes
> store dos attributes = yes
> map
acl inherit = yes> inherit acls = yes
> comment = Domain User's Home
Pictures> follow symlinks = yes
> wide links = yes
> path /home/%D/Documents/%U/Pictures
> read only = no
> valid users = %D%U,
+Administrators> write list = %U, +Administrators, +Domain Admins
> vfs
objects = recycle, readahead, shadow_copy2> recycle: keeptree = true
>
shadow:snapdir = /home/snapdir> shadow:basedir = /home
> 
>
[Documents]> acl group control = yes
> store dos attributes = yes
> map
acl inherit = yes> inherit acls = yes
> comment = Domain User's Home
Documents> follow symlinks = yes
> wide links = yes
> path /home/%D/Documents/%U
> read only = no
> write list = %U,
+Administrators, +Domain Admins> valid users = %D%U, Administrators
>
vfs objects = recycle, readahead, shadow_copy2> recycle: keeptree true
> shadow:snapdir = /home/snapdir
> shadow:basedir = /home
> 
>
[Windows]> acl group control = yes
> store dos attributes = yes
> map
acl inherit = yes> inherit acls = yes
> comment = C:Windows (Athenae in
/home/C:Windows)> path = /home/C:Windows
> follow symlinks = yes
> wide
links = yes> read list = law, +wheel, root, +Administrators, +Domain
Admins> read only = Yes
> create mask = 0755
> vfs objects readahead
> 
> [backup]
> acl group control = yes
> store dos attributes
= yes> map acl inherit = yes
> inherit acls = yes
> follow symlinks yes
> wide links = yes
> comment = Host backup-dirs (M=%M, m=%m P=%P
S=%S I=%I, u=%u, U=%U)> path = /backups/%m
> write list +Administrators, law, +Power Users, root, +Domain 
> Admins, +Backup
Operators> vfs objects = readahead
> 
> [backups_by_user]
> acl group
control = yes> store dos attributes = yes
> map acl inherit = yes
>
inherit acls = yes> comment = User backup dirs
> follow symlinks yes
> wide links = yes
> path = /backups/%u
> write list +Administrators, law, +Power Users, root, +Domain 
> Admins,
+Administrators, +Backup Operators> 
> [backups_athenae]
> acl group
control = yes> store dos attributes = yes
> map acl inherit = yes
>
inherit acls = yes> follow symlinks = yes
> wide links = yes
> comment
= Athenae Recovery> path = /backups/athenae
> guest ok = yes
> write
list = +Administrators, law, root, +Backup Operators> 
> [usr_share]
>
acl group control = yes> store dos attributes = yes
> map acl inherit yes
> inherit acls = yes
> comment = /usr/share
> follow symlinks yes
> wide links = yes
> path = /usr/share
> write list = law
> vfs
objects = readahead> recycle: keeptree = true
> 
> [usr_share_doc]
>
acl group control = yes> store dos attributes = yes
> map acl inherit yes
> inherit acls = yes
> comment = /usr/share/doc
> follow symlinks yes
> wide links = yes
> path = /usr/share/doc
> write list = law
> vfs
objects = readahead> recycle: keeptree = true
> 
> [suse11.3]
> acl
group control = yes> store dos attributes = yes
> map acl inherit yes
> inherit acls = yes
> comment = suse11.3 repository
> follow
symlinks = yes> wide links = yes
> path = /suse11.3
> read only = yes
>
vfs objects = readahead> guest ok = yes
> 
> [Audio]
> acl group
control = yes> store dos attributes = yes
> map acl inherit = yes
>
inherit acls = yes> comment = Audio Data
> follow symlinks = yes
> wide
links = yes> path = /Share/Audio
> read only = no
> vfs objects readahead
> write list = law
> guest ok = Yes
> vfs objects = recycle,
readahead> recycle: keeptree = true
> 
> [Music]
> acl group control yes
> store dos attributes = yes
> guest ok = Yes
> map acl inherit yes
> inherit acls = yes
> read only = no
> follow symlinks = yes
> wide
links = yes> comment = Shared Music
> path = /Share/Music
> read list +Users
> read only = no
> write list = law, +trusted_local_net_users,
+wheel, +Domain Admins> vfs objects = recycle, notify_fam, readahead
>
recycle: keeptree = true> 
> [Share]
> acl group control = yes
> store
dos attributes = yes> guest ok = Yes
> map acl inherit = yes
> inherit
acls = yes> follow symlinks = yes
> wide links = yes
> comment Share
> path = /Share
> read only = no
> read list = +Users,
+trusted_local_net_users, +Domain Admins, > +Administrators
> write
list = law, +Administrators> vfs objects = recycle, readahead
>recycle: keeptree = true

  

Links:
------
[1]
http://support.microsoft.com/kb/243330
Apparently Analagous Threads

Search for more apparently analagous threads
samba - Sep 2011 - Fwd: Re: Can't add users to well known groups...

[Samba] Fwd: Re: Can't add users to well known groups...

Apparently Analagous Threads

Wisdom of the Ancients
