a.nielsen@research.uq.edu.au
2005-Nov-09 04:34 UTC
[Samba] Group mapping giving incorrect GIDs
Hi,

I think I've narrowed down my problem to the fact that the group mapping is not giving me the same GID for all 'equivalent' groups, as seen here:

$ net groupmap list
DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp1

$ getent group unixgrp1
unixgrp1:x:203:

$ getent group DOMAIN\\Group1
DOMAIN\Group1:x:10001:DOMAIN\User1

This means that the GID of unixgrp1 is 203, however the GID of DOMAIN\Group1 is completely different! Given the group mapping, I was expecting that both groups would be returned with a GID of 203, so that according to the Linux box both those groups are the same.

As it stands now, when DOMAIN\User1 connects, it's using a GID of 10001 which has no access to the filesystem. It should be connecting as GID 203, which has the correct filesystem permissions.

Is what I'm trying to do even possible?

Thanks,
Adam.
a.nielsen@research.uq.edu.au wrote:

>Hi,
>
>I think I've narrowed down my problem to the fact that the group mapping is
>not giving me the same GID for all 'equivalent' groups, as seen here:
>
>$ net groupmap list
>DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp1
>
>$ getent group unixgrp1
>unixgrp1:x:203:
>
>$ getent group DOMAIN\\Group1
>DOMAIN\Group1:x:10001:DOMAIN\User1
>
>This means that the GID of unixgrp1 is 203, however the GID of DOMAIN\Group1
>is completely different! Given the group mapping, I was expecting that both
>groups would be returned with a GID of 203, so that according to the Linux
>box both those groups are the same.
>
>As it stands now, when DOMAIN\User1 connects, it's using a GID of 10001
>which has no access to the filesystem. It should be connecting as GID 203,
>which has the correct filesystem permissions.
>
>Is what I'm trying to do even possible?
>
>Thanks,
>Adam.

Hi Adam,

Just so you do not feel abandoned - I have gotten the same results when trying a similar operation. In my case, I was trying to use a mapped group on "valid users = @mapped". That does not work at all. I also could not make it work with ACLs. A co-worker did some additional testing and could get mapped groups to work on ugo permissions, but only with "security = user", not "security = ads".

If my co-worker and I can characterize the behavior more accurately, I'll write up what we find for posterity.

Eric Roseme
Hewlett-Packard
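The mismatch described in this thread can be checked for across every mapping at once, which is useful when file permissions depend on the mapped GID. The following is an added example, not part of either message: it parses `net groupmap list` output and compares the GID each side resolves to. The sample data is constructed from the output quoted above, and the function names and the `lookup` callback are assumptions of this example.

```python
import re

# Constructed sample data, shaped like the outputs quoted in the thread.
GROUPMAP_OUTPUT = r"""
DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp1
"""
# getent-format lines ("name:passwd:gid:members"), keyed by the name queried.
GETENT_LINES = {
    r"unixgrp1": r"unixgrp1:x:203:",
    r"DOMAIN\Group1": r"DOMAIN\Group1:x:10001:DOMAIN\User1",
}

# "<NT group> (<SID>) -> <unix group>"; NT group names may contain spaces.
MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Yield (nt_group, sid, unix_group) for each mapping line."""
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            yield m.group("nt"), m.group("sid"), m.group("unix")

def gid_of(getent_line):
    """Return the numeric GID from a group(5)-format line, or None."""
    if not getent_line:
        return None
    fields = getent_line.split(":")
    return int(fields[2]) if len(fields) >= 3 and fields[2].isdigit() else None

def find_mismatches(groupmap_text, lookup):
    """lookup(name) returns a getent line or None (hypothetical callback).

    Returns the mappings whose NT group and Unix group resolve to
    different GIDs, or where either side fails to resolve.
    """
    out = []
    for nt, sid, unix in parse_groupmap(groupmap_text):
        nt_gid, unix_gid = gid_of(lookup(nt)), gid_of(lookup(unix))
        if nt_gid is None or unix_gid is None or nt_gid != unix_gid:
            out.append({"nt": nt, "sid": sid, "unix": unix,
                        "nt_gid": nt_gid, "unix_gid": unix_gid})
    return out

if __name__ == "__main__":
    for m in find_mismatches(GROUPMAP_OUTPUT, GETENT_LINES.get):
        print(f"{m['nt']} resolves to GID {m['nt_gid']}, "
              f"but mapped group {m['unix']} has GID {m['unix_gid']}")
```

On a live host, `lookup` can be replaced by a function that runs `getent group <name>` and returns its output line.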