Schreiber, Martin
2008-Jan-07 11:49 UTC
[Samba] net groupmap add problems since 3.0.23 version
Hello List,
As I didn't receive any answers to my first request regarding the new groupmap
mechanism since Samba version 3.0.23, I am trying once again, in more detail.
Situation before upgrade to Samba 3.0.28:
We run a Solaris 9 server with Samba 3.0.21 which serves a share named backup to
which all domain users belonging to a special Active Directory group can connect
and save their mail db and other data. This runs without any interaction, just
net use x: \\servername\sharename. No users exist in /etc/passwd; access is
handled only by Active Directory groups and the associated Unix group(s). That
has been realised via the net groupmap add command and has worked perfectly over the
years since Samba version 3.0.7a!
Due to security risks in Samba we were forced to upgrade to version 3.0.28 (all
the same problems since version 3.0.24). I studied the what's-changed logs and
Samba HOWTOs and think I've done it right, but I fear I've overlooked
something essential.
Output from net groupmap list:
-----------------------
# net groupmap list
Domain Users (S-1-5-21-1454471165-527237240-682003330-513) -> users
sbs_ors (S-1-5-21-1454471165-527237240-682003330-133792) -> sbs_ors_ux
Domain Guests (S-1-5-21-1454471165-527237240-682003330-514) -> nobody
Administrators (S-1-5-32-544) -> 100000
adv (S-1-5-21-1454471165-527237240-682003330-48325) -> adv
Domain Admins (S-1-5-21-1454471165-527237240-682003330-512) -> ntadmin
Users (S-1-5-32-545) -> 100001
------------------------
Output from net groupmap add command:
----------------------------
# net groupmap add sid=S-1-5-21-1454471165-527237240-682003330-133792 ntgroup=sbs_ors unixgroup=sbs_ors_ux type=d
Successfully added group sbs_ors to the mapping db as a domain group
--------------------------------
This is a major group with some nested groups and I'm a member of one. Since
version 3.0.7a nested groups are supported, but I'm not able to connect; all
I get is a pop-up login window. Also net view \\servername fails with access
denied.
Now my question: is that configuration still supported at all, or has it been
broken due to security risks? If not, please tell me how to proceed with the new
Samba version. What did I overlook?
Best Regards,
Martin Schreiber
Siemens IT Solutions and Services GmbH
Gudrunstrasse 11
A-1101 Wien
Tel: +43(0)51707 47565
Fax: +43(0) 51707 57560
martin.a.schreiber@siemens.com
http://www.siemens.at/it-solutions
Siemens IT Solutions and Services GmbH, DVR 1009192, FN 180547k, Handelsgericht
Wien, Firmensitz Wien