Why would I have some NT domains more than once?

Did I screw up my import with the Vampire?

Should I delete the unmapped ones (Gulp!)

[root@oxidepdc ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicator (S-1-5-32-552) -> Replicator
Guests (S-1-5-32-546) -> Guests
Recipe (S-1-5-21-1019967034-149178136-1846952604-1016) -> recipe
Domain Users (S-1-5-21-1065375514-2370838480-4047619883-513) -> -1
Domain Users (S-1-5-21-217354674-1388124147-264849902-513) -> -1
Domain Guests (S-1-5-21-217354674-1388124147-264849902-514) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Users (S-1-5-21-2542624836-2007811437-2422883089-513) -> -1
Domain Admins (S-1-5-21-1065375514-2370838480-4047619883-512) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> Administrators
Sage (S-1-5-21-1019967034-149178136-1846952604-1005) -> Sage
Domain Admins (S-1-5-21-1019967034-149178136-1846952604-512) -> -1
Domain Users (S-1-5-21-2196479170-443629602-2075717434-513) -> users
Domain Guests (S-1-5-21-1019967034-149178136-1846952604-514) -> -1
Domain Admins (S-1-5-21-2196479170-443629602-2075717434-512) -> root
Domain Guests (S-1-5-21-1065375514-2370838480-4047619883-514) -> -1
Domain Users (S-1-5-21-1019967034-149178136-1846952604-513) -> -1
Domain Guests (S-1-5-21-2196479170-443629602-2075717434-514) -> nobody
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-2968525064-3424225456-755833301-513) -> -1
Domain Admins (S-1-5-21-2968525064-3424225456-755833301-512) -> -1
Domain Guests (S-1-5-21-2968525064-3424225456-755833301-514) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> Users
Domain Admins (S-1-5-21-2542624836-2007811437-2422883089-512) -> -1
Accounts Dept (S-1-5-21-2196479170-443629602-2075717434-2003) -> acctsdep
Domain Admins (S-1-5-21-217354674-1388124147-264849902-512) -> -1
Domain Guests (S-1-5-21-2542624836-2007811437-2422883089-514) -> -1
Financial Services (S-1-5-21-2196479170-443629602-2075717434-2005) -> finsrvcs
Sales (S-1-5-21-1019967034-149178136-1846952604-1030) -> sales

TIA

On Sat, 2005-11-12 at 13:28 +0000, Simon Faulkner wrote:
> Why would I have some NT domains more than once?
>
> Did I screw up my import with the Vampire?
>
> Should I delete the unmapped ones (Gulp!)
>
> [root@oxidepdc ~]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicator (S-1-5-32-552) -> Replicator
> Guests (S-1-5-32-546) -> Guests
> Recipe (S-1-5-21-1019967034-149178136-1846952604-1016) -> recipe
> Domain Users (S-1-5-21-1065375514-2370838480-4047619883-513) -> -1
> Domain Users (S-1-5-21-217354674-1388124147-264849902-513) -> -1
> Domain Guests (S-1-5-21-217354674-1388124147-264849902-514) -> -1
> Power Users (S-1-5-32-547) -> -1
> Domain Users (S-1-5-21-2542624836-2007811437-2422883089-513) -> -1
> Domain Admins (S-1-5-21-1065375514-2370838480-4047619883-512) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> Administrators
> Sage (S-1-5-21-1019967034-149178136-1846952604-1005) -> Sage
> Domain Admins (S-1-5-21-1019967034-149178136-1846952604-512) -> -1
> Domain Users (S-1-5-21-2196479170-443629602-2075717434-513) -> users
> Domain Guests (S-1-5-21-1019967034-149178136-1846952604-514) -> -1
> Domain Admins (S-1-5-21-2196479170-443629602-2075717434-512) -> root
> Domain Guests (S-1-5-21-1065375514-2370838480-4047619883-514) -> -1
> Domain Users (S-1-5-21-1019967034-149178136-1846952604-513) -> -1
> Domain Guests (S-1-5-21-2196479170-443629602-2075717434-514) -> nobody
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-2968525064-3424225456-755833301-513) -> -1
> Domain Admins (S-1-5-21-2968525064-3424225456-755833301-512) -> -1
> Domain Guests (S-1-5-21-2968525064-3424225456-755833301-514) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> Users
> Domain Admins (S-1-5-21-2542624836-2007811437-2422883089-512) -> -1
> Accounts Dept (S-1-5-21-2196479170-443629602-2075717434-2003) -> acctsdep
> Domain Admins (S-1-5-21-217354674-1388124147-264849902-512) -> -1
> Domain Guests (S-1-5-21-2542624836-2007811437-2422883089-514) -> -1
> Financial Services (S-1-5-21-2196479170-443629602-2075717434-2005) -> finsrvcs
> Sales (S-1-5-21-1019967034-149178136-1846952604-1030) -> sales
-----
They are all different SIDs.

There's only 1 of them that matters. The SID of your domain, the rest are pretty much meaningless. It looks like you didn't follow the vampire instructions closely enough. How about the users, what do their SIDs look like?

# net getlocalsid

# pdbedit -Lv|grep SID

# net groupmap list

The SIDs should all be the same...with the exception of the RID extensions on the specific objects.

When you vampire, you must get the SID from the NT4 PDC, and then set the samba box to the exact same SID, then vampire, then the users, groups, machine accounts, etc. all have the same base SID.

Craig

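The rule stated in the reply above, that every object should share one base SID and differ only in the RID, can be checked mechanically. The script below is an added example, not part of the original thread: it splits each `net groupmap list` line into domain SID and RID, counts mapped and unmapped entries per domain SID, and lists entries that belong to a different domain SID. The function names are hypothetical, and the sample mappings and SIDs are constructed.

```shell
#!/bin/sh
# Added example: check `net groupmap list` output for more than one domain SID.

# Emit "domain_sid<TAB>rid<TAB>unix_group<TAB>nt_name" per mapping line on stdin.
parse_groupmap() {
    awk '
    match($0, /\(S-1-[0-9-]+\)/) {
        sid  = substr($0, RSTART + 1, RLENGTH - 2)   # SID without parentheses
        name = substr($0, 1, RSTART - 2)             # NT group name
        unix = substr($0, RSTART + RLENGTH)          # " -> unixgroup"
        if (sub(/^ -> /, "", unix) == 0) next        # not a mapping line
        rid = sid; sub(/.*-/, "", rid)               # last sub-authority
        dom = sid; sub(/-[0-9]+$/, "", dom)          # SID minus the RID
        print dom "\t" rid "\t" unix "\t" name
    }'
}

# Print "domain_sid total mapped" for each domain SID; "-1" means unmapped.
summarize_domains() {
    parse_groupmap | awk -F '\t' '
        { total[$1]++; if ($3 != "-1") mapped[$1]++ }
        END { for (d in total) print d, total[d], mapped[d] + 0 }' | LC_ALL=C sort
}

# Print entries whose domain SID is neither $1 (the local SID) nor BUILTIN.
foreign_entries() {
    parse_groupmap | awk -F '\t' -v own="$1" '
        $1 != own && $1 != "S-1-5-32" { print $1 "-" $2, $4, "->", $3 }'
}

# Constructed sample data; these SIDs are made up for the example.
LOCAL_SID="S-1-5-21-1000000001-1000000002-1000000003"
sample_groupmap() {
    cat <<'EOF'
Administrators (S-1-5-32-544) -> Administrators
Print Operators (S-1-5-32-550) -> -1
Domain Admins (S-1-5-21-1000000001-1000000002-1000000003-512) -> root
Domain Users (S-1-5-21-1000000001-1000000002-1000000003-513) -> users
Domain Admins (S-1-5-21-4000000001-4000000002-4000000003-512) -> -1
Domain Users (S-1-5-21-4000000001-4000000002-4000000003-513) -> -1
EOF
}

sample_groupmap | summarize_domains
sample_groupmap | foreign_entries "$LOCAL_SID"
```

On a live server, pipe the output of `net groupmap list` into these functions and pass the SID reported by `net getlocalsid` as the argument to `foreign_entries`.
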
On Saturday 12 November 2005 06:28, Simon Faulkner wrote:
> Why would I have some NT domains more than once?
>
> Did I screw up my import with the Vampire?
>
> Should I delete the unmapped ones (Gulp!)
>
> [root@oxidepdc ~]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicator (S-1-5-32-552) -> Replicator
> Guests (S-1-5-32-546) -> Guests
> Recipe (S-1-5-21-1019967034-149178136-1846952604-1016) -> recipe
> Domain Users (S-1-5-21-1065375514-2370838480-4047619883-513) -> -1
> Domain Users (S-1-5-21-217354674-1388124147-264849902-513) -> -1
> Domain Guests (S-1-5-21-217354674-1388124147-264849902-514) -> -1
> Power Users (S-1-5-32-547) -> -1
> Domain Users (S-1-5-21-2542624836-2007811437-2422883089-513) -> -1
> Domain Admins (S-1-5-21-1065375514-2370838480-4047619883-512) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> Administrators
> Sage (S-1-5-21-1019967034-149178136-1846952604-1005) -> Sage
> Domain Admins (S-1-5-21-1019967034-149178136-1846952604-512) -> -1
> Domain Users (S-1-5-21-2196479170-443629602-2075717434-513) -> users
> Domain Guests (S-1-5-21-1019967034-149178136-1846952604-514) -> -1
> Domain Admins (S-1-5-21-2196479170-443629602-2075717434-512) -> root
> Domain Guests (S-1-5-21-1065375514-2370838480-4047619883-514) -> -1
> Domain Users (S-1-5-21-1019967034-149178136-1846952604-513) -> -1
> Domain Guests (S-1-5-21-2196479170-443629602-2075717434-514) -> nobody
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-2968525064-3424225456-755833301-513) -> -1
> Domain Admins (S-1-5-21-2968525064-3424225456-755833301-512) -> -1
> Domain Guests (S-1-5-21-2968525064-3424225456-755833301-514) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> Users
> Domain Admins (S-1-5-21-2542624836-2007811437-2422883089-512) -> -1
> Accounts Dept (S-1-5-21-2196479170-443629602-2075717434-2003) -> acctsdep
> Domain Admins (S-1-5-21-217354674-1388124147-264849902-512) -> -1
> Domain Guests (S-1-5-21-2542624836-2007811437-2422883089-514) -> -1
> Financial Services (S-1-5-21-2196479170-443629602-2075717434-2005) -> finsrvcs
> Sales (S-1-5-21-1019967034-149178136-1846952604-1030) -> sales

You have started Samba, then changed the server or workgroup name, then restarted Samba, and possibly then tried to do the "net rpc vampire" process. As a result your mappings are contaminated.

You can clean this up by executing: "net groupmap cleanup"

- John T.

On Sat, 2005-11-12 at 15:48 +0000, Simon Faulkner wrote:
> Craig White wrote:
> > On Sat, 2005-11-12 at 13:28 +0000, Simon Faulkner wrote:
> >
> >>Why would I have some NT domains more than once?
> >>
> >>Did I screw up my import with the Vampire?
> >>
> >>Should I delete the unmapped ones (Gulp!)
> >>
> >>[root@oxidepdc ~]# net groupmap list
> >>System Operators (S-1-5-32-549) -> -1
> >>Replicator (S-1-5-32-552) -> Replicator
> >>Guests (S-1-5-32-546) -> Guests
> >>Recipe (S-1-5-21-1019967034-149178136-1846952604-1016) -> recipe
> >>Domain Users (S-1-5-21-1065375514-2370838480-4047619883-513) -> -1
> >>Domain Users (S-1-5-21-217354674-1388124147-264849902-513) -> -1
> >>Domain Guests (S-1-5-21-217354674-1388124147-264849902-514) -> -1
> >>Power Users (S-1-5-32-547) -> -1
> >>Domain Users (S-1-5-21-2542624836-2007811437-2422883089-513) -> -1
> >>Domain Admins (S-1-5-21-1065375514-2370838480-4047619883-512) -> -1
> >>Print Operators (S-1-5-32-550) -> -1
> >>Administrators (S-1-5-32-544) -> Administrators
> >>Sage (S-1-5-21-1019967034-149178136-1846952604-1005) -> Sage
> >>Domain Admins (S-1-5-21-1019967034-149178136-1846952604-512) -> -1
> >>Domain Users (S-1-5-21-2196479170-443629602-2075717434-513) -> users
> >>Domain Guests (S-1-5-21-1019967034-149178136-1846952604-514) -> -1
> >>Domain Admins (S-1-5-21-2196479170-443629602-2075717434-512) -> root
> >>Domain Guests (S-1-5-21-1065375514-2370838480-4047619883-514) -> -1
> >>Domain Users (S-1-5-21-1019967034-149178136-1846952604-513) -> -1
> >>Domain Guests (S-1-5-21-2196479170-443629602-2075717434-514) -> nobody
> >>Account Operators (S-1-5-32-548) -> -1
> >>Domain Users (S-1-5-21-2968525064-3424225456-755833301-513) -> -1
> >>Domain Admins (S-1-5-21-2968525064-3424225456-755833301-512) -> -1
> >>Domain Guests (S-1-5-21-2968525064-3424225456-755833301-514) -> -1
> >>Backup Operators (S-1-5-32-551) -> -1
> >>Users (S-1-5-32-545) -> Users
> >>Domain Admins (S-1-5-21-2542624836-2007811437-2422883089-512) -> -1
> >>Accounts Dept (S-1-5-21-2196479170-443629602-2075717434-2003) -> acctsdep
> >>Domain Admins (S-1-5-21-217354674-1388124147-264849902-512) -> -1
> >>Domain Guests (S-1-5-21-2542624836-2007811437-2422883089-514) -> -1
> >>Financial Services (S-1-5-21-2196479170-443629602-2075717434-2005) -> finsrvcs
> >>Sales (S-1-5-21-1019967034-149178136-1846952604-1030) -> sales
> >
> > -----
> > They are all different SIDs.
> >
> > There's only 1 of them that matters. The SID of your domain, the rest
> > are pretty much meaningless. It looks like you didn't follow the vampire
> > instructions closely enough. How about the users, what do their SIDs
> > look like?
> >
> > # net getlocalsid
> >
> > # pdbedit -Lv|grep SID
> >
> > # net groupmap list
> >
> > The SIDs should all be the same...with the exception of the RID extensions
> > on the specific objects.
> >
> > When you vampire, you must get the SID from the NT4 PDC, and then set
> > the samba box to the exact same SID, then vampire, then the users,
> > groups, machine accounts, etc. all have the same base SID.
> >
> > Craig
>
> [root@oxidepdc ~]# net getlocalsid
> [2005/11/12 15:48:20, 0] utils/net.c:net_getlocalsid(494)
> Can't fetch domain SID for name: OXIDEPDC
>
> I guess I am in trouble?
----
Let's keep this on the list so you can benefit from others, perhaps more knowledgeable or more insightful, and perhaps they can benefit from the resolution of your situation.

It does appear that there is a problem with your setup. At this point you should try a tdbdump of your tdb passdb to see what it looks like and if it is garbage, delete it and start all over. If it looks good, you can net setlocalsid and it should take but the results of the other commands I listed above

I can tell you this much...I have never been satisfied with my first pass ever on a vampire from an NT4 server. Generally, I have to fix stuff up with my LDAP setup or smbldap-tools to get it exactly right.

I never use tdb passdb so I can't tell you the exact procedures but with ldap passdb, I always slapcat the ldap db prior to doing the net rpc vampire, check out the results in ldap, wipe it all out, restore from the slapcat that I did previously, fix the things that aren't perfect and do it again. It takes a few passes. The first time I ever migrated an NT4 PDC to samba PDC, it probably took about 30 passes - but I tried to be meticulous. Now, it probably takes me from 2-4 passes but I am getting quite good at setting up ldap.

Good luck

Craig