thr3ads.net - samba - [Samba] domain group mapping in 3.0.23a issues [Aug 2006]

If this information is useful, please help other people find it:
Share via:

Chris

2006-Aug-04 18:29 UTC

[Samba] domain group mapping in 3.0.23a issues

How does one create all of the builtin groups for this release?

When using tdbsam with previous releases one would automatically get 
such groups as:

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1832519723-2688400599-3493754984-512) -> 
domadmin
Domain Guests (S-1-5-21-1832519723-2688400599-3493754984-514) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> prtadmin
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-1832519723-2688400599-3493754984-513) -> agent
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

I can manually map groups such as:

Domain Admins (S-1-5-21-1043961623-2377510293-736199847-1001) -> domadm
Domain Guests (S-1-5-21-1043961623-2377510293-736199847-1003) -> nobody
Domain Users (S-1-5-21-1043961623-2377510293-736199847-1002) -> users
Print Operators (S-1-5-21-1043961623-2377510293-736199847-1004) -> 
prtadm

But for some reason members of the domadm group are not receiving admin 
priviledges when logging on.

Is the existence "-1" groups necessary?
If so how does one create them?
If not, why might members of the domadm group (as in the second example) 
not have admin priveleges when logging onto the domain?

Thanks,

Chris

Chris

2006-Aug-04 19:00 UTC

head link

[Samba] domain group mapping in 3.0.23a issues

On Friday 04 August 2006 14:24, Chris wrote:> If not, why might members of the domadm group (as in the second
> example) not have admin priveleges when logging onto the domain?
I figured this part out....specific RID's are needed for certain groups. 
With previous versions the correct RID's were assigned and only mapping 
needed to be done. Why was this ever dropped?

Also when mapping something such as "Domain Admins" should the type 
be "builtin"? Or is this effectively deprecated as there effectively 
are no builtin groups anymore?

Thanks,

Chris

John Mason

2006-Aug-04 19:43 UTC

head link

[Samba] domain group mapping in 3.0.23a issues

Hey, I use the exact same samba version as you... I'm waiting for the
3.0.23b or higher.... but anyway..

In addition to net groupmap commands, you'll need to look at net rpc rights
commands for any other-than-admin rights.
It seems samba (and someone correct me if I'm wrong) does the windows
compatible thing that RID 512 is the admin group.. so use net groupmap add to
associate the 512 RID to some unix-group. 513 is Domain Users, 514 is Domain
Guests, and 515 is Domain Computers.

And then for basic rights, check these out:
for instance, this will list the rights that are supported:

[root@johnslinux ~ ] > net rpc -U root -S pdc rights list
Password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares

Then, to grant rights to a user (or a group):
net rpc -U root -S pdc rights grant "DOMAIN/USER_OR_GROUP"
SeTakeOwnershipPrivilege ...


Then to revoke, use revoke in place of grant.

Hope this helps.
JAM


-----Original Message-----
From: samba-bounces+jmason=lim.com@lists.samba.org on behalf of Chris
Sent: Fri 8/4/2006 1:24 PM
To: samba@lists.samba.org
Subject: [Samba] domain group mapping in 3.0.23a issues
 
How does one create all of the builtin groups for this release?

When using tdbsam with previous releases one would automatically get 
such groups as:

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1832519723-2688400599-3493754984-512) -> 
domadmin
Domain Guests (S-1-5-21-1832519723-2688400599-3493754984-514) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> prtadmin
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-1832519723-2688400599-3493754984-513) -> agent
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

I can manually map groups such as:

Domain Admins (S-1-5-21-1043961623-2377510293-736199847-1001) -> domadm
Domain Guests (S-1-5-21-1043961623-2377510293-736199847-1003) -> nobody
Domain Users (S-1-5-21-1043961623-2377510293-736199847-1002) -> users
Print Operators (S-1-5-21-1043961623-2377510293-736199847-1004) -> 
prtadm

But for some reason members of the domadm group are not receiving admin 
priviledges when logging on.

Is the existence "-1" groups necessary?
If so how does one create them?
If not, why might members of the domadm group (as in the second example) 
not have admin priveleges when logging onto the domain?

Thanks,

Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Possibly Parallel Threads

Search for more apparently analagous threads

samba - Aug 2006 - domain group mapping in 3.0.23a issues

[Samba] domain group mapping in 3.0.23a issues

[Samba] domain group mapping in 3.0.23a issues

[Samba] domain group mapping in 3.0.23a issues

Possibly Parallel Threads