I'm using Samba 3.0.21b on Debian linux using a tdbsam database as a PDC for domain ADADOM. I have a problem with duplicate group mappings and need to delete some, however, I don't know which one is being used. Is there a way I can find out which ones have no users assigned to them? Here's the sorted output of "net groupmap list". The last three are the issue. I only need one "parts" mapping and I'm pretty sure I don't need the "users" mapping: phoenix:~# net groupmap list Backup Operators (S-1-5-32-551) -> -1 Users (S-1-5-32-545) -> -1 System Operators (S-1-5-32-549) -> -1 Replicators (S-1-5-32-552) -> -1 Guests (S-1-5-32-546) -> -1 Power Users (S-1-5-32-547) -> -1 Print Operators (S-1-5-32-550) -> -1 Administrators (S-1-5-32-544) -> -1 Account Operators (S-1-5-32-548) -> -1 Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) -> ntadmin Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) -> nogroup Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> accounting Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) -> hr IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) -> engineering parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts Thanks, Paul
The ones pointing to -1 are not being used. However, there is no point in deleting them. They are standard Windows groups that are not mapped to Unix groups. The two "parts" mappings each have a different SID. They are therefore not duplicates. Possibly you have two different "parts" groups in Windows somehow. You're going to have to track them down to find out how they are being used. Do you have a Unix group called "parts"? If not, then the ones that refer to it are wrong. The middle group, which maps "users" to "users" looks suspicious. You may notice that you already have a "Users" mapping for Windows. However, it may be that you are using pam-winbind to authenticate Unix systems to your domain, in which case the two different "parts" and the "users" may be related to that. I'm not an expert, but I hope this helps. Paul Smith wrote:> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as a PDC > for domain ADADOM. I have a problem with duplicate group mappings and > need to delete some, however, I don't know which one is being used. Is > there a way I can find out which ones have no users assigned to them? > > Here's the sorted output of "net groupmap list". The last three are the > issue. I only need one "parts" mapping and I'm pretty sure I don't need > the "users" mapping: > > phoenix:~# net groupmap list > Backup Operators (S-1-5-32-551) -> -1 > Users (S-1-5-32-545) -> -1 > System Operators (S-1-5-32-549) -> -1 > Replicators (S-1-5-32-552) -> -1 > Guests (S-1-5-32-546) -> -1 > Power Users (S-1-5-32-547) -> -1 > Print Operators (S-1-5-32-550) -> -1 > Administrators (S-1-5-32-544) -> -1 > Account Operators (S-1-5-32-548) -> -1 > Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) -> ntadmin > Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) -> nogroup > Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users > Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> > accounting > Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales > Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) -> hr > IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it > Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) -> > engineering > parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts > users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users > parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts > > Thanks, > Paul >
I'm not using pam-winbind, and all clients are Windows - either XP, 2000 or 2003. When I search the domain for groups in Windows I do indeed get two groups called "parts" and the "users" group also. I've double-checked the unix users and they're all in the correct unix groups. Is there any danger in simply deleting the suspect mappings and recreating them using something like: net groupmap add ntgroup="Parts" unixgroup=parts type=d Thanks, Paul -----Original Message----- From: samba-bounces+paul=gami.com@lists.samba.org [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf Of Gary Dale Sent: Monday, February 26, 2007 12:07 PM Cc: samba@lists.samba.org Subject: Re: [Samba] Duplicate group mappings - which ones to delete? The ones pointing to -1 are not being used. However, there is no point in deleting them. They are standard Windows groups that are not mapped to Unix groups. The two "parts" mappings each have a different SID. They are therefore not duplicates. Possibly you have two different "parts" groups in Windows somehow. You're going to have to track them down to find out how they are being used. Do you have a Unix group called "parts"? If not, then the ones that refer to it are wrong. The middle group, which maps "users" to "users" looks suspicious. You may notice that you already have a "Users" mapping for Windows. However, it may be that you are using pam-winbind to authenticate Unix systems to your domain, in which case the two different "parts" and the "users" may be related to that. I'm not an expert, but I hope this helps. Paul Smith wrote:> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as aPDC> for domain ADADOM. I have a problem with duplicate group mappings and > need to delete some, however, I don't know which one is being used.Is> there a way I can find out which ones have no users assigned to them? > > Here's the sorted output of "net groupmap list". The last three arethe> issue. I only need one "parts" mapping and I'm pretty sure I don'tneed> the "users" mapping: > > phoenix:~# net groupmap list > Backup Operators (S-1-5-32-551) -> -1 > Users (S-1-5-32-545) -> -1 > System Operators (S-1-5-32-549) -> -1 > Replicators (S-1-5-32-552) -> -1 > Guests (S-1-5-32-546) -> -1 > Power Users (S-1-5-32-547) -> -1 > Print Operators (S-1-5-32-550) -> -1 > Administrators (S-1-5-32-544) -> -1 > Account Operators (S-1-5-32-548) -> -1 > Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) ->ntadmin> Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) ->nogroup> Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users > Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> > accounting > Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales > Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) ->hr> IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it > Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) -> > engineering > parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts > users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users > parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts > > Thanks, > Paul >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
I should have added this to my last message: I'd like to end up with this mapping: Domain Admins - ntadmin Domain Users - users Domain Guests - nogroup Sales - sales Accounting - accounting Human Resources - hr Engineering - engineering IT - it Parts - parts I only need one Windows "Parts" group (mapped to the unix parts group) and I don't need a Windows "Users" group at all(no idea how that got created in the first place". Thanks, Paul -----Original Message----- From: samba-bounces+paul=gami.com@lists.samba.org [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf Of Paul Smith Sent: Monday, February 26, 2007 1:37 PM To: samba@lists.samba.org Subject: RE: [Samba] Duplicate group mappings - which ones to delete? I'm not using pam-winbind, and all clients are Windows - either XP, 2000 or 2003. When I search the domain for groups in Windows I do indeed get two groups called "parts" and the "users" group also. I've double-checked the unix users and they're all in the correct unix groups. Is there any danger in simply deleting the suspect mappings and recreating them using something like: net groupmap add ntgroup="Parts" unixgroup=parts type=d Thanks, Paul -----Original Message----- From: samba-bounces+paul=gami.com@lists.samba.org [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf Of Gary Dale Sent: Monday, February 26, 2007 12:07 PM Cc: samba@lists.samba.org Subject: Re: [Samba] Duplicate group mappings - which ones to delete? The ones pointing to -1 are not being used. However, there is no point in deleting them. They are standard Windows groups that are not mapped to Unix groups. The two "parts" mappings each have a different SID. They are therefore not duplicates. Possibly you have two different "parts" groups in Windows somehow. You're going to have to track them down to find out how they are being used. Do you have a Unix group called "parts"? If not, then the ones that refer to it are wrong. The middle group, which maps "users" to "users" looks suspicious. You may notice that you already have a "Users" mapping for Windows. However, it may be that you are using pam-winbind to authenticate Unix systems to your domain, in which case the two different "parts" and the "users" may be related to that. I'm not an expert, but I hope this helps. Paul Smith wrote:> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as aPDC> for domain ADADOM. I have a problem with duplicate group mappings and > need to delete some, however, I don't know which one is being used.Is> there a way I can find out which ones have no users assigned to them? > > Here's the sorted output of "net groupmap list". The last three arethe> issue. I only need one "parts" mapping and I'm pretty sure I don'tneed> the "users" mapping: > > phoenix:~# net groupmap list > Backup Operators (S-1-5-32-551) -> -1 > Users (S-1-5-32-545) -> -1 > System Operators (S-1-5-32-549) -> -1 > Replicators (S-1-5-32-552) -> -1 > Guests (S-1-5-32-546) -> -1 > Power Users (S-1-5-32-547) -> -1 > Print Operators (S-1-5-32-550) -> -1 > Administrators (S-1-5-32-544) -> -1 > Account Operators (S-1-5-32-548) -> -1 > Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) ->ntadmin> Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) ->nogroup> Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users > Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> > accounting > Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales > Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) ->hr> IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it > Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) -> > engineering > parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts > users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users > parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts > > Thanks, > Paul >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Slight problem with renaming the group. I've just looked in usrmgr and it shows only one parts group. However, if I drill down to the "Select Users and Groups" applet from the Security tab of any file properties window, I'm shown two parts groups. If, in usrmgr, I double-click the displayed "parts" group I get what looks to be the correct properties. If I double-click the "users" group I'm told: "The following error occurred accessing the properties of the group users: The group name could not be found. The group properties cannot be edited or viewd at this time." Something that might be helpful is that the "Description" in usrmgr for the only parts group it displays is "Domain Unix Group". This description only occurs in one of the "Samba groups" I see listed in Webmin. It's the opposite of what I would have thought, though, as the group that is descriptionless is the one with the lower group SID: S-1-5-21-3597458131-155160113-1223051555-132073 S-1-5-21-3597458131-155160113-1223051555-132074 <- this is the one that has the description field set. Usrmgr doesn't give me the option of renaming the groups - the rename option is greyed out, and webmin (my admin tool of choice on this machine) doesn't allow me to rename the group either. -----Original Message----- From: samba-bounces+paul=gami.com@lists.samba.org [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf Of Gary Dale Sent: Monday, February 26, 2007 2:24 PM Cc: samba@lists.samba.org Subject: Re: [Samba] Duplicate group mappings - which ones to delete? Yes there is a danger. The groups each have a unique SID. If you look on an XP workstation, you'll see that local file ACLs use the SID, not the group name. The workstation does a lookup to the Domain Controller to get the name associated with the SID. If you simply delete the group, the lookup will fail and all you'll see is the SID. Moreover, people who relied on that mapping will find their access is denied. You can try changing all the affected ACLs first to use the correct SIDs. This may be easier if you rename one of the Windows parts groups first (without changing the SID). The users group you may be able to deal with directly. Change all the instances on Windows to Users. You may have to do some group browsing to get the correct one - I don't know if Samba would handle the case change properly. As for the groups that are pointing to -1, if it ain't broke, don't fix it. I'm going to assume that Samba puts them there for a reason, even if I don't know what it is. Paul Smith wrote:> I should have added this to my last message: > > I'd like to end up with this mapping: > > Domain Admins - ntadmin > Domain Users - users > Domain Guests - nogroup > Sales - sales > Accounting - accounting > Human Resources - hr > Engineering - engineering > IT - it > Parts - parts > > I only need one Windows "Parts" group (mapped to the unix parts group) > and I don't need a Windows "Users" group at all(no idea how that got > created in the first place". > > Thanks, > Paul > > -----Original Message----- > From: samba-bounces+paul=gami.com@lists.samba.org > [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf Of Paul > Smith > Sent: Monday, February 26, 2007 1:37 PM > To: samba@lists.samba.org > Subject: RE: [Samba] Duplicate group mappings - which ones to delete? > > I'm not using pam-winbind, and all clients are Windows - either XP,2000> or 2003. > > When I search the domain for groups in Windows I do indeed get two > groups called "parts" and the "users" group also. > > I've double-checked the unix users and they're all in the correct unix > groups. Is there any danger in simply deleting the suspect mappingsand> recreating them using something like: > > net groupmap add ntgroup="Parts" unixgroup=parts type=d > > Thanks, > Paul > > -----Original Message----- > From: samba-bounces+paul=gami.com@lists.samba.org > [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf Of Gary > Dale > Sent: Monday, February 26, 2007 12:07 PM > Cc: samba@lists.samba.org > Subject: Re: [Samba] Duplicate group mappings - which ones to delete? > > The ones pointing to -1 are not being used. However, there is no point> in deleting them. They are standard Windows groups that are not mapped> to Unix groups. > > The two "parts" mappings each have a different SID. They are therefore> not duplicates. Possibly you have two different "parts" groups in > Windows somehow. You're going to have to track them down to find outhow> > they are being used. Do you have a Unix group called "parts"? If not, > then the ones that refer to it are wrong. > > The middle group, which maps "users" to "users" looks suspicious. You > may notice that you already have a "Users" mapping for Windows. > > However, it may be that you are using pam-winbind to authenticate Unix> systems to your domain, in which case the two different "parts" andthe> "users" may be related to that. > > I'm not an expert, but I hope this helps. > > > Paul Smith wrote: > >> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as a >> > PDC > >> for domain ADADOM. I have a problem with duplicate group mappingsand>> need to delete some, however, I don't know which one is being used. >> > Is > >> there a way I can find out which ones have no users assigned to them? >> >> Here's the sorted output of "net groupmap list". The last three are >> > the > >> issue. I only need one "parts" mapping and I'm pretty sure I don't >> > need > >> the "users" mapping: >> >> phoenix:~# net groupmap list >> Backup Operators (S-1-5-32-551) -> -1 >> Users (S-1-5-32-545) -> -1 >> System Operators (S-1-5-32-549) -> -1 >> Replicators (S-1-5-32-552) -> -1 >> Guests (S-1-5-32-546) -> -1 >> Power Users (S-1-5-32-547) -> -1 >> Print Operators (S-1-5-32-550) -> -1 >> Administrators (S-1-5-32-544) -> -1 >> Account Operators (S-1-5-32-548) -> -1 >> Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) -> >> > ntadmin > >> Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) -> >> > nogroup > >> Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users >> Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> >> accounting >> Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales >> Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) -> >> > hr > >> IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it >> Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) -> >> engineering >> parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts >> users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users >> parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts >> >> Thanks, >> Paul >> >> > >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
I'll have a play with the "net groupmap modify" and "net groupmap delete" commands after hours and will post back my findings. Thanks for your help. -----Original Message----- From: samba-bounces+paul=gami.com@lists.samba.org [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf Of Gary Dale Sent: Monday, February 26, 2007 4:18 PM Cc: samba@lists.samba.org Subject: Re: [Samba] Duplicate group mappings - which ones to delete? The renaming would have to be done on the Samba server because that is where the group name exists - not on the Windows client. Try a low-level tool, not an end-user tool like webmin. Something in the net groupmap or net group commands might do it. Sorry I can't give you an exact syntax. :) Paul Smith wrote:> Slight problem with renaming the group. I've just looked in usrmgrand> it shows only one parts group. However, if I drill down to the"Select> Users and Groups" applet from the Security tab of any file properties > window, I'm shown two parts groups. > > If, in usrmgr, I double-click the displayed "parts" group I get what > looks to be the correct properties. If I double-click the "users"group> I'm told: > > "The following error occurred accessing the properties of the group > users: > The group name could not be found. > The group properties cannot be edited or viewd at this time." > > > Something that might be helpful is that the "Description" in usrmgrfor> the only parts group it displays is "Domain Unix Group". This > description only occurs in one of the "Samba groups" I see listed in > Webmin. It's the opposite of what I would have thought, though, asthe> group that is descriptionless is the one with the lower group SID: > S-1-5-21-3597458131-155160113-1223051555-132073 > S-1-5-21-3597458131-155160113-1223051555-132074 <- this is the onethat> has the description field set. > > Usrmgr doesn't give me the option of renaming the groups - the rename > option is greyed out, and webmin (my admin tool of choice on this > machine) doesn't allow me to rename the group either. > > > > -----Original Message----- > From: samba-bounces+paul=gami.com@lists.samba.org > [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf Of Gary > Dale > Sent: Monday, February 26, 2007 2:24 PM > Cc: samba@lists.samba.org > Subject: Re: [Samba] Duplicate group mappings - which ones to delete? > > Yes there is a danger. The groups each have a unique SID. If you lookon> > an XP workstation, you'll see that local file ACLs use the SID, notthe> group name. The workstation does a lookup to the Domain Controller to > get the name associated with the SID. If you simply delete the group, > the lookup will fail and all you'll see is the SID. Moreover, peoplewho> > relied on that mapping will find their access is denied. > > You can try changing all the affected ACLs first to use the correct > SIDs. This may be easier if you rename one of the Windows parts groups> first (without changing the SID). > > The users group you may be able to deal with directly. Change all the > instances on Windows to Users. You may have to do some group browsingto> > get the correct one - I don't know if Samba would handle the casechange> > properly. > > As for the groups that are pointing to -1, if it ain't broke, don'tfix> it. I'm going to assume that Samba puts them there for a reason, evenif> > I don't know what it is. > > > Paul Smith wrote: > >> I should have added this to my last message: >> >> I'd like to end up with this mapping: >> >> Domain Admins - ntadmin >> Domain Users - users >> Domain Guests - nogroup >> Sales - sales >> Accounting - accounting >> Human Resources - hr >> Engineering - engineering >> IT - it >> Parts - parts >> >> I only need one Windows "Parts" group (mapped to the unix partsgroup)>> and I don't need a Windows "Users" group at all(no idea how that got >> created in the first place". >> >> Thanks, >> Paul >> >> -----Original Message----- >> From: samba-bounces+paul=gami.com@lists.samba.org >> [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf OfPaul>> Smith >> Sent: Monday, February 26, 2007 1:37 PM >> To: samba@lists.samba.org >> Subject: RE: [Samba] Duplicate group mappings - which ones to delete? >> >> I'm not using pam-winbind, and all clients are Windows - either XP, >> > 2000 > >> or 2003. >> >> When I search the domain for groups in Windows I do indeed get two >> groups called "parts" and the "users" group also. >> >> I've double-checked the unix users and they're all in the correctunix>> groups. Is there any danger in simply deleting the suspect mappings >> > and > >> recreating them using something like: >> >> net groupmap add ntgroup="Parts" unixgroup=parts type=d >> >> Thanks, >> Paul >> >> -----Original Message----- >> From: samba-bounces+paul=gami.com@lists.samba.org >> [mailto:samba-bounces+paul=gami.com@lists.samba.org] On Behalf OfGary>> Dale >> Sent: Monday, February 26, 2007 12:07 PM >> Cc: samba@lists.samba.org >> Subject: Re: [Samba] Duplicate group mappings - which ones to delete? >> >> The ones pointing to -1 are not being used. However, there is nopoint>> > > >> in deleting them. They are standard Windows groups that are notmapped>> > > >> to Unix groups. >> >> The two "parts" mappings each have a different SID. They aretherefore>> > > >> not duplicates. Possibly you have two different "parts" groups in >> Windows somehow. You're going to have to track them down to find out >> > how > >> they are being used. Do you have a Unix group called "parts"? If not,>> then the ones that refer to it are wrong. >> >> The middle group, which maps "users" to "users" looks suspicious. You>> may notice that you already have a "Users" mapping for Windows. >> >> However, it may be that you are using pam-winbind to authenticateUnix>> > > >> systems to your domain, in which case the two different "parts" and >> > the > >> "users" may be related to that. >> >> I'm not an expert, but I hope this helps. >> >> >> Paul Smith wrote: >> >> >>> I'm using Samba 3.0.21b on Debian linux using a tdbsam database as a >>> >>> >> PDC >> >> >>> for domain ADADOM. I have a problem with duplicate group mappings >>> > and > >>> need to delete some, however, I don't know which one is being used. >>> >>> >> Is >> >> >>> there a way I can find out which ones have no users assigned tothem?>>> >>> Here's the sorted output of "net groupmap list". The last three are >>> >>> >> the >> >> >>> issue. I only need one "parts" mapping and I'm pretty sure I don't >>> >>> >> need >> >> >>> the "users" mapping: >>> >>> phoenix:~# net groupmap list >>> Backup Operators (S-1-5-32-551) -> -1 >>> Users (S-1-5-32-545) -> -1 >>> System Operators (S-1-5-32-549) -> -1 >>> Replicators (S-1-5-32-552) -> -1 >>> Guests (S-1-5-32-546) -> -1 >>> Power Users (S-1-5-32-547) -> -1 >>> Print Operators (S-1-5-32-550) -> -1 >>> Administrators (S-1-5-32-544) -> -1 >>> Account Operators (S-1-5-32-548) -> -1 >>> Domain Admins (S-1-5-21-3597458131-155160113-1223051555-512) -> >>> >>> >> ntadmin >> >> >>> Domain Guests (S-1-5-21-3597458131-155160113-1223051555-514) -> >>> >>> >> nogroup >> >> >>> Domain Users (S-1-5-21-3597458131-155160113-1223051555-513) -> users >>> Accounting (S-1-5-21-3597458131-155160113-1223051555-132069) -> >>> accounting >>> Sales (S-1-5-21-3597458131-155160113-1223051555-132072) -> sales >>> Human Resources (S-1-5-21-3597458131-155160113-1223051555-132077) -> >>> >>> >> hr >> >> >>> IT (S-1-5-21-3597458131-155160113-1223051555-132071) -> it >>> Engineering (S-1-5-21-3597458131-155160113-1223051555-132070) -> >>> engineering >>> parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts >>> users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users >>> parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts >>> >>> Thanks, >>> Paul >>> >>> >>> >> >> > >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Gerald (Jerry) Carter
2007-Feb-27 15:03 UTC
[Samba] Duplicate group mappings - which ones to delete?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CC'ing back to list for archives. Paul Smith wrote:> As you can see, everything looks fine except from the two "parts" group > mappings and the "users" mapping: > > parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts > parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts > users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users > >From what I remember the "net groupmap cleanup" wouldn't > help me here as these are legitimate, but incorrect, > mappings. I think I'm happy to delete the "users" mapping > but don't quite know how to proceed with the > "parts" duplicates.Yup. You are correct. 'net groupmap cleanup' won't help. but a $ net groupmap delete \ sid=S-1-5-21-3597458131-155160113-1223051555-132074 Should do the trick. cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF5Eg7IR7qMdg1EfYRApf0AJ0WsbGPfmd8pWJP9L8FzkB0W9I8bwCcDhuM 0H6V0nXqe2Ilm8/FV45IO/4=fzX6 -----END PGP SIGNATURE-----
Deleted both groups by sid and everything looks to be working fine. Thanks Gary, Jerry. Paul -----Original Message----- From: Gerald (Jerry) Carter [mailto:jerry@samba.org] Sent: Tuesday, February 27, 2007 9:03 AM To: Paul Smith; samba@samba.org Subject: Re: [Samba] Duplicate group mappings - which ones to delete? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CC'ing back to list for archives. Paul Smith wrote:> As you can see, everything looks fine except from the two "parts"group> mappings and the "users" mapping: > > parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts > parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts > users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users > >From what I remember the "net groupmap cleanup" wouldn't > help me here as these are legitimate, but incorrect, > mappings. I think I'm happy to delete the "users" mapping > but don't quite know how to proceed with the > "parts" duplicates.Yup. You are correct. 'net groupmap cleanup' won't help. but a $ net groupmap delete \ sid=S-1-5-21-3597458131-155160113-1223051555-132074 Should do the trick. cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF5Eg7IR7qMdg1EfYRApf0AJ0WsbGPfmd8pWJP9L8FzkB0W9I8bwCcDhuM 0H6V0nXqe2Ilm8/FV45IO/4=fzX6 -----END PGP SIGNATURE-----