David van Geyn
2003-Sep-27 02:02 UTC
[Samba] After Upgrading to rc4 (and still with 3.0.0) having Groupmap problems.
Hi, Before Samba 3.0.0 RC4 I was running Samba 3.0.0 beta3, and when I upgraded to RC4, I began having problems with group mappings. I didn't notice at first, because on my laptop I don't normally log on to the domain. I just noticed when I tried to use my desktop and log on to the domain... I don't have Domain Admin privileges. So, I look at 'net groupmap list' ... and it shows the Domain Admins group as mapped to the unix group domadm. Looks good, right? Domain Admins (S-1-5-21-3475858016-1413099138-3485012925-512) -> domadm Next I tried deleting that groupmap by using 'net groupmap delete sid=S-1-5-21-347...........' Now the groupmap was deleted and now shows this: Domain Admins (S-1-5-21-3475858016-1413099138-3485012925-512) -> -1 So now I try to re-add it: 'net groupmap add ntgroup="Domain Admins" unixgroup=domadm' and list it again. Domain Admins (S-1-5-21-3475858016-1413099138-3485012925-512) -> -1 Domain Admins (S-1-5-21-3475858016-1413099138-3485012925-2161) -> domadm Now there are two Domain Admin mappings, one null (-1) and the new one I just created. As far as I know, that new one should have gone to the one with RID of 512. I checked to be sure, but NT/2000 is definitely looking for the old Domain Admins group with RID of 512, and the Samba PDF doc says Domain Admins should have an RID of 512. So, I tried to add a groupmap with that SID specifically. net groupmap add sid=S-1-5-21-3475858016-1413099138-3485012925-512 unixgroup=domadm And I get this response: adding entry for group domadm failed! So then I try: net groupmap add sid=S-1-5-21-3475858016-1413099138-3485012925-512 ntgroup="Domain Admins" unixgroup=domadm And get the same: adding entry for group Domain Admins failed! ---- I have run out of ideas for getting my groupmap working, but it is becoming very strange to log on to PC's and not have Domain Admin privileges. Hopefully there is an easy fix for this. Anyone have any ideas? If you need any more information, please ask. Thanks in advance, David van Geyn
John H Terpstra
2003-Sep-27 05:45 UTC
[Samba] After Upgrading to rc4 (and still with 3.0.0) having Groupmap problems.
On Fri, 26 Sep 2003, David van Geyn wrote:> Hi, > > Before Samba 3.0.0 RC4 I was running Samba 3.0.0 beta3, and when I > upgraded to RC4, I began having problems with group mappings. I didn't > notice at first, because on my laptop I don't normally log on to the > domain. I just noticed when I tried to use my desktop and log on to the > domain... I don't have Domain Admin privileges. > > So, I look at 'net groupmap list' ... and it shows the Domain Admins group > as mapped to the unix group domadm. Looks good, right? > > Domain Admins (S-1-5-21-3475858016-1413099138-3485012925-512) -> domadm > > Next I tried deleting that groupmap by using 'net groupmap delete > sid=S-1-5-21-347...........' Now the groupmap was deleted and now shows > this: > > Domain Admins (S-1-5-21-3475858016-1413099138-3485012925-512) -> -1 > > So now I try to re-add it: 'net groupmap add ntgroup="Domain Admins" > unixgroup=domadm' and list it again. > > Domain Admins (S-1-5-21-3475858016-1413099138-3485012925-512) -> -1 > Domain Admins (S-1-5-21-3475858016-1413099138-3485012925-2161) -> domadm > > Now there are two Domain Admin mappings, one null (-1) and the new one I > just created. As far as I know, that new one should have gone to the one > with RID of 512. I checked to be sure, but NT/2000 is definitely looking > for the old Domain Admins group with RID of 512, and the Samba PDF doc > says Domain Admins should have an RID of 512. > > So, I tried to add a groupmap with that SID specifically. > > net groupmap add sid=S-1-5-21-3475858016-1413099138-3485012925-512 > unixgroup=domadmTo change an existing entry: net groupmap modify ntgroup="Domain Admins" unixgroup=root To delete the spurious entry: net groupmap delete ntgroup="Domain Admins" unixgroup=domadm - John T.> > And I get this response: > > adding entry for group domadm failed! > > So then I try: > > net groupmap add sid=S-1-5-21-3475858016-1413099138-3485012925-512 > ntgroup="Domain Admins" unixgroup=domadm > > And get the same: > > adding entry for group Domain Admins failed! > > > ---- I have run out of ideas for getting my groupmap working, but it is > becoming very strange to log on to PC's and not have Domain Admin > privileges. Hopefully there is an easy fix for this. > > Anyone have any ideas? If you need any more information, please ask. > > Thanks in advance, > > David van Geyn >-- John H Terpstra Email: jht@samba.org