samba - Nov 2003 - Réf. : Net groupmap fails

Stephanie,
Thank you for your help. I tryed what you suggest but no luck.. I get
this:

root@lnxsrvr2:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain
Admins" unixgroup="Domain Admins" rid=512
Can't lookup UNIX group Domain Admins

Is there something with initial compiling samba 3.0.0 that would disable
this? All the documentation that I've seen makes it look so easy, but I
can't get it to work. 

On Fri, 2003-11-07 at 06:48, stephane.purnelle@corman.be
wrote:
> try /usr/local/samba/bin/net groupmap add ntgroup="Domain
> Admins" unixgroup="Domain Admins" rid=512
> 
> dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> 
> This group is the unix group.
> 
> -----------------------------------
> St?phane PURNELLE                         stephane.purnelle@corman.be
> Service Informatique       Corman S.A.           Tel : 00 32 087/342467
> 
> 
>
>                     "Kent L. Nasveschuk"
<kent@wareham.k12.ma.us>
>                     Envoy? par :                                          
Pour :  Samba List Server <samba@lists.samba.org>
>                     samba-bounces+stephane.purnelle=corman.be@lists       
cc :
>                     .samba.org                                            
Objet :      [Samba] Net groupmap fails
>
>
>                     07/11/2003 12:31
>
>
> 
> 
> 
> 
> I have yet to get group mapping to work in samba 3.0. Getting very
> frustrated.
> 
> I'm using openldap 2.1.23 as the backend database for samba 3.0.0.
I've
> added the base domain groups as posixAccounts to the LDAP database using
> smbldap-populate.pl.
> 
> root@lnxsrvr2:/usr/local/etc/openldap# ldapsearch -xv -b
> "o=30greatneck,dc=home,dc=net"
> 
> # Administrator, Users, 30GreatNeck, home.net
> dn: uid=Administrator,ou=Users,o=30GreatNeck,dc=home,dc=net
> cn: Administrator
> sn: Administrator
> objectClass: inetOrgPerson
> objectClass: sambaSAMAccount
> objectClass: posixAccount
> gidNumber: 512
> uid: Administrator
> uidNumber: 998
> homeDirectory: /accounts
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\Lnxsrv2\accounts
> sambaHomeDrive: H:
> sambaProfilePath: \\Lnxsrv2\profiles\
> sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-512
> sambaLMPassword: XXX
> sambaNTPassword: XXX
> sambaAcctFlags: [U          ]
> sambaSID: S-1-5-21-739112995-4084651483-89095900-2996
> loginShell: /bin/false
> gecos: Netbios Domain Administrator
> 
> 
> # nobody, Users, 30GreatNeck, home.net
> dn: uid=nobody,ou=Users,o=30GreatNeck,dc=home,dc=net
> cn: nobody
> sn: nobody
> objectClass: inetOrgPerson
> objectClass: sambaSAMAccount
> objectClass: posixAccount
> gidNumber: 514
> uid: nobody
> uidNumber: 999
> homeDirectory: /dev/null
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\Lnxsrv2\accounts
> sambaHomeDrive: H:
> sambaProfilePath: \\Lnxsrv2\profiles\
> sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-514
> sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaAcctFlags: [NU         ]
> sambaSID: S-1-5-21-739112995-4084651483-89095900-2998
> loginShell: /bin/false
> 
> # Domain Admins, Groups, 30GreatNeck, home.net
> 
> # Domain Admins, Groups, 30GreatNeck, home.net
> dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 512
> cn: Domain Admins
> memberUid: Administrator
> description: Netbios Domain Administrators (need smb.conf configuration)
> 
> # Domain Users, Groups, 30GreatNeck, home.net
> dn: cn=Domain Users,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 513
> cn: Domain Users
> description: Netbios Domain Users (not implemented yet)
> memberUid: kent
> 
> # Domain Guests, Groups, 30GreatNeck, home.net
> dn: cn=Domain Guests,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 514
> cn: Domain Guests
> description: Netbios Domain Guests Users (not implemented yet)
> 
> # Administrators, Groups, 30GreatNeck, home.net
> dn: cn=Administrators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the
> computer/sambaDom
>  ainName (not implemented yet)
> 
> # Users, Groups, 30GreatNeck, home.net
> dn: cn=Users,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 545
> cn: Users
> description: Netbios Domain Ordinary users (not implemented yet)
> 
> # Guests, Groups, 30GreatNeck, home.net
> dn: cn=Guests,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 546
> cn: Guests
> memberUid: nobody
> description: Netbios Domain Users granted guest access to the
> computer/sambaDo
>  mainName (not implemented yet)
> 
> # Power Users, Groups, 30GreatNeck, home.net
> dn: cn=Power Users,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 547
> cn: Power Users
> description: Netbios Domain Members can share directories and printers
> (not im
>  plemented yet)
> 
> # Account Operators, Groups, 30GreatNeck, home.net
> dn: cn=Account Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 548
> cn: Account Operators
> description: Netbios Domain Users to manipulate users accounts (not
> implemente
>  d yet)
> 
> # Server Operators, Groups, 30GreatNeck, home.net
> dn: cn=Server Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 549
> cn: Server Operators
> description: Netbios Domain Server Operators (need smb.conf
> configuration)
> 
> # Print Operators, Groups, 30GreatNeck, home.net
> dn: cn=Print Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 550
> cn: Print Operators
> description: Netbios Domain Print Operators (need smb.conf
> configuration)
> 
> # Backup Operators, Groups, 30GreatNeck, home.net
> dn: cn=Backup Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 551
> cn: Backup Operators
> description: Netbios Domain Members can bypass file security to back up
> files
>  (not implemented yet)
> 
> # Replicator, Groups, 30GreatNeck, home.net
> dn: cn=Replicator,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 552
> cn: Replicator
> description: Netbios Domain Supports file replication in a
> sambaDomainName (no
>  t implemented yet)
> 
> # Domain Computers, Groups, 30GreatNeck, home.net
> dn: cn=Domain Computers,ou=Groups,o=30GreatNeck,dc=home,dc=net
> objectClass: posixGroup
> gidNumber: 553
> cn: Domain Computers
> description: Netbios Domain Computers accounts
> 
> # 30GREATNECK, 30GreatNeck, home.net
> dn: sambaDomainName=30GREATNECK,o=30GreatNeck,dc=home,dc=net
> sambaDomainName: 30GREATNECK
> sambaSID: S-1-5-21-739112995-4084651483-89095900
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
> 
> 
> /usr/local/src# /usr/local/samba/bin/net groupmap add ntgroup="Domain
> Admins" unixgroup=root rid=512
> adding entry for group Domain Admins failed!
> 
> /usr/local/samba/bin/net groupmap modify ntgroup="Domain Admins"
> unixgroup=root
> NT Group Domain Admins doesn't exist in mapping DB
> 
> I also tryed the above
> 
> I know I need to map Domain Admins to root users to be able to create
> machine accounts for W2k machines.
> 
> What are some reasons for this to fail? I've read a great deal of
> documentation and everything I try fails.
> 
> --
> Kent L. Nasveschuk <kent@wareham.k12.ma.us>
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> 
-- 
Kent L. Nasveschuk <kent@wareham.k12.ma.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kent L. Nasveschuk wrote:

| root@lnxsrvr2:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain
| Admins" unixgroup="Domain Admins" rid=512
| Can't lookup UNIX group Domain Admins
|
| Is there something with initial compiling samba 3.0.0 that would disable
| this? All the documentation that I've seen makes it look so easy, but I
| can't get it to work.

Should work as far as I can tell.  try running

~  net groupmap add ntgroup="Domain Admins" \
~  unixgroup="Domain Admins" rid=512 --debuglevel=10

and see if you get any clues.



cheers, jerry
- --
~ ----------------------------------------------------------------------
~ Hewlett-Packard            ------------------------- http://www.hp.com
~ SAMBA Team                 ---------------------- http://www.samba.org
~ GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
~ "You can never go home again, Oatman, but I guess you can shop
there."
~                            --John Cusack - "Grosse Point Blank"
(1997)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/q7rgIR7qMdg1EfYRApNLAJ9Vl+zRDF6dcF/ILcLBXx1KUyEniQCg2jm8
awcVVG2Haash31wV5FKIRvo=AzvU
-----END PGP SIGNATURE-----

On Fri, 7 Nov 2003, Kent L. Nasveschuk wrote:
> Stephanie,
> Thank you for your help. I tryed what you suggest but no luck.. I get
> this:
>
> root@lnxsrvr2:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain
> Admins" unixgroup="Domain Admins" rid=512
> Can't lookup UNIX group Domain Admins
>
> Is there something with initial compiling samba 3.0.0 that would disable
> this? All the documentation that I've seen makes it look so easy, but I
> can't get it to work.
No. You need to add scripts that will work on your system for entries
like:

	add machine script
	add user script
	add group script

Here are the minimal entries for my current network configuration:

        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupadd %g
        add user to group script = /usr/sbin/usermod -G %g %u
      add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

I hope this helps you.

Note: The Linux "groupadd" utility will NOT allow you to add a group
that
has upper case characters or spaces in it!

Cheers,
John T.
>
> On Fri, 2003-11-07 at 06:48, stephane.purnelle@corman.be wrote:
> > try /usr/local/samba/bin/net groupmap add ntgroup="Domain
> > Admins" unixgroup="Domain Admins" rid=512
> >
> > dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> >
> > This group is the unix group.
> >
> > -----------------------------------
> > St?phane PURNELLE                         stephane.purnelle@corman.be
> > Service Informatique       Corman S.A.           Tel : 00 32
087/342467
> >
> >
> >
> >                     "Kent L. Nasveschuk"
<kent@wareham.k12.ma.us>
> >                     Envoy? par :                                      
Pour :  Samba List Server <samba@lists.samba.org>
> >                     samba-bounces+stephane.purnelle=corman.be@lists   
cc :
> >                     .samba.org                                        
Objet :      [Samba] Net groupmap fails
> >
> >
> >                     07/11/2003 12:31
> >
> >
> >
> >
> >
> >
> > I have yet to get group mapping to work in samba 3.0. Getting very
> > frustrated.
> >
> > I'm using openldap 2.1.23 as the backend database for samba 3.0.0.
I've
> > added the base domain groups as posixAccounts to the LDAP database
using
> > smbldap-populate.pl.
> >
> > root@lnxsrvr2:/usr/local/etc/openldap# ldapsearch -xv -b
> > "o=30greatneck,dc=home,dc=net"
> >
> > # Administrator, Users, 30GreatNeck, home.net
> > dn: uid=Administrator,ou=Users,o=30GreatNeck,dc=home,dc=net
> > cn: Administrator
> > sn: Administrator
> > objectClass: inetOrgPerson
> > objectClass: sambaSAMAccount
> > objectClass: posixAccount
> > gidNumber: 512
> > uid: Administrator
> > uidNumber: 998
> > homeDirectory: /accounts
> > sambaPwdLastSet: 0
> > sambaLogonTime: 0
> > sambaLogoffTime: 2147483647
> > sambaKickoffTime: 2147483647
> > sambaPwdCanChange: 0
> > sambaPwdMustChange: 2147483647
> > sambaHomePath: \\Lnxsrv2\accounts
> > sambaHomeDrive: H:
> > sambaProfilePath: \\Lnxsrv2\profiles\
> > sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-512
> > sambaLMPassword: XXX
> > sambaNTPassword: XXX
> > sambaAcctFlags: [U          ]
> > sambaSID: S-1-5-21-739112995-4084651483-89095900-2996
> > loginShell: /bin/false
> > gecos: Netbios Domain Administrator
> >
> >
> > # nobody, Users, 30GreatNeck, home.net
> > dn: uid=nobody,ou=Users,o=30GreatNeck,dc=home,dc=net
> > cn: nobody
> > sn: nobody
> > objectClass: inetOrgPerson
> > objectClass: sambaSAMAccount
> > objectClass: posixAccount
> > gidNumber: 514
> > uid: nobody
> > uidNumber: 999
> > homeDirectory: /dev/null
> > sambaPwdLastSet: 0
> > sambaLogonTime: 0
> > sambaLogoffTime: 2147483647
> > sambaKickoffTime: 2147483647
> > sambaPwdCanChange: 0
> > sambaPwdMustChange: 2147483647
> > sambaHomePath: \\Lnxsrv2\accounts
> > sambaHomeDrive: H:
> > sambaProfilePath: \\Lnxsrv2\profiles\
> > sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-514
> > sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> > sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> > sambaAcctFlags: [NU         ]
> > sambaSID: S-1-5-21-739112995-4084651483-89095900-2998
> > loginShell: /bin/false
> >
> > # Domain Admins, Groups, 30GreatNeck, home.net
> >
> > # Domain Admins, Groups, 30GreatNeck, home.net
> > dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 512
> > cn: Domain Admins
> > memberUid: Administrator
> > description: Netbios Domain Administrators (need smb.conf
configuration)
> >
> > # Domain Users, Groups, 30GreatNeck, home.net
> > dn: cn=Domain Users,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 513
> > cn: Domain Users
> > description: Netbios Domain Users (not implemented yet)
> > memberUid: kent
> >
> > # Domain Guests, Groups, 30GreatNeck, home.net
> > dn: cn=Domain Guests,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 514
> > cn: Domain Guests
> > description: Netbios Domain Guests Users (not implemented yet)
> >
> > # Administrators, Groups, 30GreatNeck, home.net
> > dn: cn=Administrators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 544
> > cn: Administrators
> > description: Netbios Domain Members can fully administer the
> > computer/sambaDom
> >  ainName (not implemented yet)
> >
> > # Users, Groups, 30GreatNeck, home.net
> > dn: cn=Users,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 545
> > cn: Users
> > description: Netbios Domain Ordinary users (not implemented yet)
> >
> > # Guests, Groups, 30GreatNeck, home.net
> > dn: cn=Guests,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 546
> > cn: Guests
> > memberUid: nobody
> > description: Netbios Domain Users granted guest access to the
> > computer/sambaDo
> >  mainName (not implemented yet)
> >
> > # Power Users, Groups, 30GreatNeck, home.net
> > dn: cn=Power Users,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 547
> > cn: Power Users
> > description: Netbios Domain Members can share directories and printers
> > (not im
> >  plemented yet)
> >
> > # Account Operators, Groups, 30GreatNeck, home.net
> > dn: cn=Account Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 548
> > cn: Account Operators
> > description: Netbios Domain Users to manipulate users accounts (not
> > implemente
> >  d yet)
> >
> > # Server Operators, Groups, 30GreatNeck, home.net
> > dn: cn=Server Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 549
> > cn: Server Operators
> > description: Netbios Domain Server Operators (need smb.conf
> > configuration)
> >
> > # Print Operators, Groups, 30GreatNeck, home.net
> > dn: cn=Print Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 550
> > cn: Print Operators
> > description: Netbios Domain Print Operators (need smb.conf
> > configuration)
> >
> > # Backup Operators, Groups, 30GreatNeck, home.net
> > dn: cn=Backup Operators,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 551
> > cn: Backup Operators
> > description: Netbios Domain Members can bypass file security to back
up
> > files
> >  (not implemented yet)
> >
> > # Replicator, Groups, 30GreatNeck, home.net
> > dn: cn=Replicator,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 552
> > cn: Replicator
> > description: Netbios Domain Supports file replication in a
> > sambaDomainName (no
> >  t implemented yet)
> >
> > # Domain Computers, Groups, 30GreatNeck, home.net
> > dn: cn=Domain Computers,ou=Groups,o=30GreatNeck,dc=home,dc=net
> > objectClass: posixGroup
> > gidNumber: 553
> > cn: Domain Computers
> > description: Netbios Domain Computers accounts
> >
> > # 30GREATNECK, 30GreatNeck, home.net
> > dn: sambaDomainName=30GREATNECK,o=30GreatNeck,dc=home,dc=net
> > sambaDomainName: 30GREATNECK
> > sambaSID: S-1-5-21-739112995-4084651483-89095900
> > sambaAlgorithmicRidBase: 1000
> > objectClass: sambaDomain
> >
> >
> > /usr/local/src# /usr/local/samba/bin/net groupmap add
ntgroup="Domain
> > Admins" unixgroup=root rid=512
> > adding entry for group Domain Admins failed!
> >
> > /usr/local/samba/bin/net groupmap modify ntgroup="Domain
Admins"
> > unixgroup=root
> > NT Group Domain Admins doesn't exist in mapping DB
> >
> > I also tryed the above
> >
> > I know I need to map Domain Admins to root users to be able to create
> > machine accounts for W2k machines.
> >
> > What are some reasons for this to fail? I've read a great deal of
> > documentation and everything I try fails.
> >
> > --
> > Kent L. Nasveschuk <kent@wareham.k12.ma.us>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
> >
>
-- 
John H Terpstra
Email: jht@samba.org