Hi all,

When I create a group in AD and add users to it, then with # getent group I can see the group and its members properly.

But if I add a user to a BUILTIN group, say BUILTIN Guests, then I don't see its members:

    kktest:x:10026:kk,Administrator
    BUILTIN+Guests:x:10019:

Here I have added the kk user to both the kktest and BUILTIN+Guests groups, but I can't see kk associated with BUILTIN Guests.

I know that BUILTIN groups have predefined SIDs from Microsoft, and their mapping is done separately (I found this in idmap.c).

Is this normal behavior? I would appreciate it if someone could explain the reasons for this.

Regards,
Kaustubh.
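As an added example (not from the thread or from Samba), a small check that parses getent group output like the lines quoted above and reports every group where winbind lists fewer members than you expect from AD; the sample output and the expected-membership table are constructed from the two lines in the question.

```python
"""Constructed check: compare the membership winbind exposes through
`getent group` with the membership expected from AD, and flag groups whose
member list is missing an expected user (the BUILTIN+Guests case above)."""

# Constructed sample of `getent group` output: the two lines quoted in the
# thread plus one extra line for shape. In practice feed in the real output,
# e.g. subprocess.run(["getent", "group"], capture_output=True, text=True).stdout
GETENT_OUTPUT = """\
kktest:x:10026:kk,Administrator
BUILTIN+Guests:x:10019:
BUILTIN+Users:x:10018:kk
"""


def parse_getent_group(text):
    """Parse /etc/group-style lines into {group: (gid, set_of_members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _passwd, gid, members = line.split(":", 3)
        member_set = {m for m in members.split(",") if m}
        groups[name] = (int(gid), member_set)
    return groups


def missing_members(groups, expected):
    """Return {group: sorted missing users} for every expected group whose
    winbind view lacks an expected member. A group that getent does not
    list at all is reported with all of its expected members missing."""
    report = {}
    for group, users in expected.items():
        seen = groups.get(group, (None, set()))[1]
        missing = sorted(set(users) - seen)
        if missing:
            report[group] = missing
    return report


if __name__ == "__main__":
    # Constructed expectation: what the poster added in AD.
    expected = {"kktest": {"kk", "Administrator"}, "BUILTIN+Guests": {"kk"}}
    gaps = missing_members(parse_getent_group(GETENT_OUTPUT), expected)
    for group, users in gaps.items():
        print(f"{group}: not listed by winbind: {', '.join(users)}")
```

Run against real getent output, the report separates a genuine membership gap from the expected BUILTIN behaviour discussed in the thread, so access decisions made on the Samba side are not silently based on an incomplete member list.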
Kaustubh Chaudhari wrote:
> Hi all,
>
> When I create a group in AD and add users to it, then with
> # getent group I can see the group and its members properly.
>
> But if I add a user to a BUILTIN group, say BUILTIN Guests, then I don't
> see its members:
>
> kktest:x:10026:kk,Administrator
> BUILTIN+Guests:x:10019:
>
> Here I have added the kk user to both the kktest and BUILTIN+Guests
> groups, but I can't see kk associated with BUILTIN Guests.
>
> I know that BUILTIN groups have predefined SIDs from Microsoft, and their
> mapping is done separately (I found this in idmap.c).
>
> Is this normal behavior?
>
> I would appreciate it if someone could explain the reasons for this.
>
> Regards,
> Kaustubh.

In general you need to define an Organizational Unit (OU), then define your groups and users inside that OU. It should then show up with Samba winbind.

Some don'ts:
- Don't rename anything.
- Don't drag and drop anything from one OU to another OU.
- Don't make a user in one OU a member of a group in another OU.
- It is not even a good idea to delete anything. If you need to fix a typing mistake, define a new record; don't try to edit the mistake.
- Make frequent backups of ADS.

Some dos:
- Apply security policies to OUs, not to users.
- Run ADS on VMware, so that you can take snapshots as backups.

The reason for the above cautions is that ADS (mostly) works using GUIDs, while Samba uses the text strings. So you don't want to get into a situation where ADS re-uses an old GUID and changes to text strings are applied inconsistently, which confuses winbind; changing any text string after it has been defined can also screw things up.

Hope that helps!
Herman
Hi Herman,

OK, I got the idea. Thanks a lot for putting your time into this and helping me out. :)

Regards,
Kaustubh

herman wrote:
> Kaustubh Chaudhari wrote:
>> Hi Herman.
>>
>> This is really helpful information, but I am not able to understand
>> why in a built-in group we can't see a mapping for a normal user, as if we
>> look, Builtin is also an OU and we have some Builtin users and groups
>> in it.
>>
>> If I create an OU and groups or users in it, then I can see all those,
>> but just not with Builtin.
>>
>> Feel free to correct me if you find I am wrong.
>>
>> Thanks for your interest in this.
>> Regards,
>> Kaustubh.
>
> Well, I have found that Winbind can get confused when you do things in
> ADS that you should not do, for example cross-linked users and groups
> after you dragged records around. WinXP clients may still work, but
> the only way to fix Winbind is to delete the offending records in
> ADS. The problem is that how you are supposed to find the offending
> records is impossible to say. Sometimes you can fix it by trying to
> remember when it last worked and deleting everything that was changed
> since. Sometimes the only way to fix things is to give up and
> re-install ADS.
>
> Sooo, try to roll back till you get to a working situation, then make
> your changes very carefully and with frequent backups. I run ADS on
> VMware and take a snapshot before every change I make to it, so I can
> roll back without too much hassle as soon as things stop working.
> Unfortunately, Winbind is still immature and not as robust as one may
> like it to be.
>
> Cheers,
>
> Herman