Hello everyone!

I've been testing the 3.0 beta 3 (I've just upgraded from 2.2.7), and made a PDC configuration with Windows XP Pro clients. Everything works fine; however, I'm fine-tuning the NT and Unix group mapping; in particular, I want to map the Unix group 'users' to the NT group 'Power Users'.

I've tried:

    net groupmap modify ntgroup="Power Users" unixgroup=users

with no success. If I do, however,

    net groupmap modify ntgroup="Domain Admins" unixgroup=users

users are granted admin privileges.

I've read the groupmapping chapter of the howto collection (http://us1.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#groupmapping) and still got no clue (if anyone can point me to a more detailed document, by all means do so).

Here's my `net groupmap list`:

    System Operators (S-1-5-32-549) -> -1
    Domain Admins (S-1-5-21-1734957725-2317673715-2873464621-512) -> -1
    Replicators (S-1-5-32-552) -> -1
    Guests (S-1-5-32-546) -> -1
    Domain Guests (S-1-5-21-1734957725-2317673715-2873464621-514) -> -1
    Power Users (S-1-5-32-547) -> users
    Print Operators (S-1-5-32-550) -> -1
    Administrators (S-1-5-32-544) -> -1
    Domain Users (S-1-5-21-1734957725-2317673715-2873464621-513) -> -1
    Account Operators (S-1-5-32-548) -> -1
    Backup Operators (S-1-5-32-551) -> -1
    Users (S-1-5-32-545) -> -1

And my smb.conf:

    [global]
    netbios name = Natsumi
    server string = Linux Server
    workgroup = BoogerSoft
    passdb backend = smbpasswd

    hosts allow = 192.168.0. 127.0.0.1

    ;act as domain and master browser
    os level = 64
    preferred master = yes
    domain master = yes
    local master = yes

    security = user

    encrypt passwords = yes

    domain logons = yes

    ;if this causes problems change it to \\%N\profile\%U
    logon path = \\%N\%U\profile
    logon drive = H:

    ;for win9x clients
    ;logon home = \\%N\%U\profile

    ;logon script, relative to the [netlogon] share
    logon script = logon.cmd

    ;neither of these seem to work with 3.0
    ;client code page = 850
    ;character set = ISO8859-1

    [netlogon]
    comment = Network Logon Service
    path = /usr/local/samba/lib/netlogon
    read only = yes
    write list = ntadmin

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    create mask = 0600
    directory mask = 0700

And I am getting this in log.smbd when I do the "Power User" thing:

    [2003/07/30 21:25:53, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(710)
      _net_sam_logon: user BOOGERSOFT\boogerman has user sid S-1-5-21-1734957725-2317673715-2873464621-3000
      but group sid S-1-5-32-547.
      The conflicting domain portions are not supported for NETLOGON calls

And also this:

    [2003/07/30 21:33:43, 0] rpc_server/srv_util.c:get_domain_user_groups(362)
      get_domain_user_groups: primary gid of user [boogerman] is not a Domain group!
      get_domain_user_groups: You should fix it, NT doesn't like that

(I don't fully understand the messages, so any explanations will be appreciated.)

Well, that's too much; probably I got everything misconfigured (hey, after all, it's my first PDC with 3.0). I hope someone will be able to help me figure this one out...

We just went over this in depth on this list, please check the archives from the last two weeks, search for power user.

-- George Farris farrisg@mala.bc.ca Computer Support Cowichan.

I found the solution. If anyone is interested, what I did is:

Create a Domain group in the SAMBA machine with:

    net groupmap add sid={lastsid+1} ntgroup="Domain Power Users" unixgroup=users type=domain

Then, as admin in the XP client, in "MMC/Local Users and Groups/Groups/Power Users" I added "{MYDOMAIN}\Domain Power Users".

So this added the domain group Domain Power Users (which was mapped to the unix group users) to the local Power Users group.

I hope this helps someone out there...

Boogerman

----- Original Message -----
From: "Boogerman" <boogerman@interar.com.ar>
To: <samba@lists.samba.org>
Sent: Wednesday, July 30, 2003 10:35 PM
Subject: 3.0 beta 3 - NT and Unix group mapping

Friday, August 1, 2003, 5:25:44 AM, Boogerman wrote:

> I found the solution. If anyone is interested, what I did is:
>
> Create a Domain group in the SAMBA machine with:
> net groupmap add sid={lastsid+1} ntgroup="Domain Power Users" unixgroup=users type=domain
>
> Then, as admin in the XP client, in "MMC/Local Users and Groups/Groups/Power Users" I added "{MYDOMAIN}\Domain Power Users".
>
> So this added the domain group Domain Power Users (which was mapped to the unix group users) to the local Power Users group.
>
> I hope this helps someone out there...

Yes, but you have to come to every ws then.

--beast

On Fri, 1 Aug 2003, Beast wrote:

> Friday, August 1, 2003, 5:25:44 AM, Boogerman wrote:
>
> > I found the solution. If anyone is interested, what I did is:
> >
> > Create a Domain group in the SAMBA machine with:
> > net groupmap add sid={lastsid+1} ntgroup="Domain Power Users" unixgroup=users type=domain
> >
> > Then, as admin in the XP client, in "MMC/Local Users and Groups/Groups/Power Users" I added "{MYDOMAIN}\Domain Power Users".
> >
> > So this added the domain group Domain Power Users (which was mapped to the unix group users) to the local Power Users group.
> >
> > I hope this helps someone out there...
>
> Yes, but you have to come to every ws then.

Correct. How else would you do this? How do you do this with an MS Windows 2000 Server environment?

- John T.
-- John H Terpstra Email: jht@samba.org

You are so right. Better solutions are welcome :^)

Boogerman

----- Original Message -----
From: "Beast" <beast@setuid.com>
To: "Boogerman" <boogerman@interar.com.ar>
Cc: <samba@lists.samba.org>
Sent: Friday, August 01, 2003 1:44 AM
Subject: Re: [Samba] Re: 3.0 beta 3 - NT and Unix group mapping
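
Added example, not part of the thread and not Samba's own code: a small audit of `net groupmap list` output that flags the two mappings discussed above, a Unix group mapped to a BUILTIN (S-1-5-32) SID, which produces the "conflicting domain portions" log entry when it is a user's primary group, and a broad Unix group mapped to Domain Admins. The sample lines come from the first post except the one marked constructed; the function names and the `broad_groups` parameter are assumptions of this example.

```python
import re

BUILTIN = "S-1-5-32"        # BUILTIN alias domain; these groups are local to each machine
DOMAIN_ADMINS_RID = "512"   # well-known RID of Domain Admins
ENTRY = re.compile(r"^(.+?) \((S-1-[0-9-]+)\) -> (\S+)$")

# Lines from the `net groupmap list` output in the first post.
SAMPLE = """\
Domain Admins (S-1-5-21-1734957725-2317673715-2873464621-512) -> -1
Power Users (S-1-5-32-547) -> users
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-1734957725-2317673715-2873464621-513) -> -1
"""
# Constructed line: the state after the second `net groupmap modify` in the post.
CONSTRUCTED = "Domain Admins (S-1-5-21-1734957725-2317673715-2873464621-512) -> users\n"
USER_SID = "S-1-5-21-1734957725-2317673715-2873464621-3000"  # user SID from the log


def sid_domain(sid):
    """Return the domain portion of a SID (everything before the final RID)."""
    return sid.rsplit("-", 1)[0]


def parse_groupmap(text):
    """Yield (ntgroup, sid, unixgroup) for each line of `net groupmap list` output."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.groups()


def audit(text, user_sid, broad_groups=("users",)):
    """Flag mappings that lead to the logged SID conflict or hand out admin rights."""
    findings = []
    for ntgroup, sid, unixgroup in parse_groupmap(text):
        if unixgroup == "-1":   # -1: no Unix group is mapped to this NT group
            continue
        rid = sid.rsplit("-", 1)[1]
        if sid_domain(sid) == BUILTIN:
            findings.append((ntgroup, unixgroup, "BUILTIN SID conflicts with the user's domain SID"))
        elif sid_domain(sid) != sid_domain(user_sid):
            findings.append((ntgroup, unixgroup, "group SID is in a different domain than the user"))
        elif rid == DOMAIN_ADMINS_RID and unixgroup in broad_groups:
            findings.append((ntgroup, unixgroup, "broad Unix group mapped to Domain Admins"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE + CONSTRUCTED, USER_SID):
        print(finding)
```
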