I am running 3.0.10-1.4E on RHEL4. The machine is an ADS member server. I would like to statically map the ADS group "Domain Admins" to the built-in "wheel" group so all members of "Domain Admins" are in the "wheel" group.

I have looked at the username map option, but I don't want a group of users mapped to a UID (this would defeat what I am trying to do in using the wheel group). I suppose it would be possible to write a script that would enumerate the ADS "Domain Admins" group and add the users to the "wheel" group every X minutes/hours....

Am I missing something? Any thoughts on the best way to do this?

Thanks,
Noal
Gerald (Jerry) Carter
2005-Feb-25 20:19 UTC
[Samba] Winbind - how to map ADS group to Unix group
Miles, Noal wrote:
| I am running 3.0.10-1.4E on RHEL4. The machine is
| an ADS member server. I would like to statically
| map the ADS group "Domain Admins" to the built-in
| "wheel" group so all members of "Domain Admins"
| are in the "wheel" group.

Look at the 'winbind nested group' options in smb.conf.

cheers, jerry

====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
OK, I set the "winbind nested group = yes" option in smb.conf. Still can't quite get it to work. The only doc I can find says:

net rpc group add wheel -L
(why would I add this group, it is a built-in *nix group?)

net rpc group addmem wheel "DOM\Domain Admins"

I don't even have smbd running, only winbind. The "wheel" group is a built-in Unix group. When I issue this command as the root account on the box, the winbind log says user 'root' does not exist. When I issue the command as an ADS account, the command returns "could not connect to server 127.0.0.1".

Am I missing something?

Thanks,
Noal

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Friday, February 25, 2005 1:47 PM
To: Miles, Noal
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] Winbind - how to map ADS group to Unix group
Winbind is configured for ads. I want "Domain\Domain Users" to be members of the local Linux group "test2". I created a local group on the Linux box:

groupadd -u 502 test2

I have tried net groupmap addmem; it tells me the syntax is

net groupmap addmem alias-sid member-sid

There is no SID for test2, so how can I use "net groupmap addmem"?

wbinfo -G 502
Cannot convert gid 502 to sid

net groupmap add ntgroup="Domain\Domain Users" unixgroup=test2
Successfully added group "Domain\Domain Users" to the mapping db

getent group test2
test2:x:502:

So this doesn't work either. I have also tried username map in smb.conf with no success.

I appreciate the suggestions thus far. Any additional help would be greatly appreciated.

Thanks,
Noal

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Tuesday, March 01, 2005 8:00 AM
To: Miles, Noal
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] Winbind - how to map ADS group to Unix group

Miles, Noal wrote:
| OK I set "winbind nested group = yes"

use `net groupmap {addmem,delmem,listmem}'

cheers, jerry
After much experimentation I think I can better frame this problem.

I wanted to be able to map an ADS domain group to a local Unix group. I also wanted to be able to map ADS domain groups/accounts to ROOT. For instance, I wanted all members of the ADS group Domain Admins to map to ROOT. My Linux box was joined to the ADS domain but is not running smbd. Only winbindd is running.

After experimenting with suggestions to use:

net groupmap
username map

I have come to the conclusion that these approaches only work for interaction with smbd and don't help when all that is running is winbindd. It seems to me these approaches work for controlling resources exposed via (smbd). I am running only winbindd because at this point I am not concerned with sharing resources but more concerned with Single Sign On, with ADS groups mapped to having rights on Linux boxes.

So this is what I have learned. Running winbindd only:

- use "gpasswd -a "DOM\Account" unixgroup" will add an ADS domain account to a local *nix group
- setting "winbind trusted domains only = yes" and then creating each domain account locally, I can make a domain admin account = ROOT, but of course this means I have to create each account locally, which is no fun (I think this is what Choudary Mumtaz was proposing).

THE QUESTION: I think at this point I may be trying to make winbindd work in a way it wasn't really designed to. As a next step I was thinking of trying to edit the winbind DB and manually set the GID of Domain Admins to 0 or group Domain Users to 503. As far as I can tell there is not a command line interface to change the mappings within the winbindd DB. Does this make sense?
Thanks,
Noal

-----Original Message-----
From: Choudary Mumtaz [mailto:asadmumtaz1@yahoo.com]
Sent: Thursday, March 03, 2005 6:30 PM
To: Miles, Noal; 'Gerald (Jerry) Carter'
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] Winbind - how to map ADS group to Unix group

It might be a very silly way to do it, but this is how I accomplished it, as I never got any help from the group during my setup. Most of the tools provided by Samba didn't work for me, and I haven't been able to figure out the problem. I have added all the respective SAMBA groups to local /etc/group, so here you may make test2 a member of the "Domain Users" group, and it will work.

If you would like to take a quick look at my setup, please feel free to visit http://www.miracletechs.com/sambainstall.html .

Thank you.
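Noal's first message floats a periodic script that enumerates the AD group and adds its members to wheel, and his last message confirms that gpasswd -a "DOM\Account" unixgroup does the per-user add with only winbindd running. The script below is an added example, not code from the thread or from Samba; it assumes winbind exposes the domain group through NSS (winbind enum groups = yes, so getent can list it) and the default backslash separator, and it also removes domain members who have left the AD group so that wheel does not keep privileges the domain has revoked.

```shell
#!/bin/sh
# Added example (not from the thread): keep a local Unix group in step with
# an AD group that winbind exposes through NSS.  Assumes
# 'winbind enum groups = yes' so getent can list the domain group, and the
# default backslash separator, so members look like 'DOM\alice'.

# Members of a getent-style group line ("name:x:gid:a,b,c"), one per line.
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d' | sort -u
}

# AD members (group line 1) that are not yet in the local group (line 2).
members_to_add() {
    local_members=$(group_members "$2")
    group_members "$1" | while IFS= read -r m; do
        printf '%s\n' "$local_members" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
}

# Local members carrying the domain prefix (arg 3, e.g. 'DOM\') that have
# left the AD group.  Purely local accounts such as root are never touched.
stale_members() {
    ad_members=$(group_members "$1")
    group_members "$2" | while IFS= read -r m; do
        case "$m" in
            "$3"*) printf '%s\n' "$ad_members" | grep -qxF -- "$m" || printf '%s\n' "$m" ;;
        esac
    done
}

# sync_group 'DOM\Domain Admins' wheel 'DOM\'   (run as root, e.g. from cron)
# A failed winbind lookup aborts the run instead of treating the AD group as
# empty, which would otherwise strip every domain member from the local group.
sync_group() {
    ad_line=$(getent group "$1") || { echo "winbind cannot resolve $1" >&2; return 1; }
    local_line=$(getent group "$2") || { echo "no local group $2" >&2; return 1; }
    members_to_add "$ad_line" "$local_line" | while IFS= read -r u; do
        echo "adding $u to $2"; gpasswd -a "$u" "$2"
    done
    stale_members "$ad_line" "$local_line" "$3" | while IFS= read -r u; do
        echo "removing $u from $2"; gpasswd -d "$u" "$2"
    done
}
```

Because membership changes only when the cron job runs, a removal in AD takes effect on the box only at the next run; pick the interval with that window in mind.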