samba - Jul 2008 - unable to map windows to unix groups

Hello.

After fresh install.

Samba and ldap seems to run normally ( I can join win2k workstation to linux
samba pdc ).

Using yast I create a system group named domadmin

But I am unable to map "Domain Admins" to domadmin
I am unable to map "Domain Admins" to existing ntadmin group

I am unable to mofify mapping "Domain Admins" to domadmin group

Thank you for helping.

LINUX-SRV: # net groupmap add ntgroup="Domain Admins"
unixgroup=domadmin
rid=512 type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap add ntgroup="Domain Admins"
unixgroup=ntadmin rid=512
type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap modify ntgroup="Domain Admins"
unixgroup=domadmin
Can't map to an unknown group type.
LINUX-SRV: #

LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins"
unixgroup=domadmin
type=d
Could not update group database
LINUX-SRV: #

LINUX-SRV:~ net groupmap list
request done: ld 0x555555c881e0 msgid 1
request done: ld 0x555555c881e0 msgid 2
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain
Admins
request done: ld 0x555555c881e0 msgid 3
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
request done: ld 0x555555c881e0 msgid 4
Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain
Guests
request done: ld 0x555555c881e0 msgid 5
Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain
Computers
request done: ld 0x555555c881e0 msgid 6
Administrators (S-1-5-32-544) -> Administrators
request done: ld 0x555555c881e0 msgid 7
Account Operators (S-1-5-32-548) -> Account Operators
request done: ld 0x555555c881e0 msgid 8
Print Operators (S-1-5-32-550) -> Print Operators
request done: ld 0x555555c881e0 msgid 9
Backup Operators (S-1-5-32-551) -> Backup Operators
request done: ld 0x555555c881e0 msgid 10
Replicators (S-1-5-32-552) -> Replicators
request done: ld 0x555555c881e0 msgid 11
Users (S-1-5-32-545) -> 15000
LINUX-SRV: #

LINUX-SRV: # getent group
at:!:25:
..............
..............
domadmin:x:114:
root:x:0:
...............
..............
users:x:100:
+::0:
request done: ld 0x618d10 msgid 1
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
request done: ld 0x618d10 msgid 2
LINUX-SRV: #

LINUX-SRV: # uname -r
2.6.22.18-0.2-default
LINUX-SRV: #

LINUX-SRV: # rpm -qa | grep samba
samba-3.2.0-24.1.123
samba-client-3.2.0-24.1.123
samba-doc-3.2.0-24.1.123
samba-krb-printing-3.2.0-24.1.123
yast2-samba-client-2.15.11-33
samba-winbind-32bit-3.0.26a-3.7
yast2-samba-server-2.15.7-57
samba-python-3.0.26a-3.7
samba-devel-3.2.0-24.1.123
kdebase3-samba-3.5.7-87.5
samba-winbind-3.2.0-24.1.123
samba-client-32bit-3.0.26a-3.7
LINUX-SRV: #

LINUX-SRV:~ # rpm -qa | grep ldap
openldap2-2.3.41-1.1
openldap2-client-2.3.41-2.1
perl-ldap-0.33-81
nss_ldap-257-17
pam_ldap-184-48
perl-ldap-ssl-0.33-81
nss_ldap-32bit-257-17.1
yast2-ldap-2.15.1-83
openldap2-devel-2.3.41-2.1
python-ldap-2.3.1-18
ldapcpplib-0.0.4-95
yast2-ldap-client-2.15.12-37
php5-ldap-5.2.6-0.1
openldap2-client-32bit-2.3.37-20
ldap-account-manager-2.3.0-0.pm.0
yast2-ldap-server-2.15.5-76
pam_ldap-32bit-184-49.1
ldapsmb-1.34b-110.8.123
LINUX-SRV: # net groupmap list

Please I need help.


----- Message transf?r? de jcdole@free.fr -----
   Date : Wed, 30 Jul 2008 22:44:36 +0200
     De : jcdole@free.fr
Adresse de retour :jcdole@free.fr
  Sujet : unable to map windows to unix groups
      ? : "samba@lists.samba.org" <samba@lists.samba.org>


Hello.

After fresh install.

Samba and ldap seems to run normally ( I can join win2k workstation to linux
samba pdc ).

Using yast I create a system group named domadmin

But I am unable to map "Domain Admins" to domadmin
I am unable to map "Domain Admins" to existing ntadmin group

I am unable to mofify mapping "Domain Admins" to domadmin group

Thank you for helping.

LINUX-SRV: # net groupmap add ntgroup="Domain Admins"
unixgroup=domadmin
rid=512 type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap add ntgroup="Domain Admins"
unixgroup=ntadmin rid=512
type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap modify ntgroup="Domain Admins"
unixgroup=domadmin
Can't map to an unknown group type.
LINUX-SRV: #

LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins"
unixgroup=domadmin
type=d
Could not update group database
LINUX-SRV: #

LINUX-SRV:~ net groupmap list
request done: ld 0x555555c881e0 msgid 1
request done: ld 0x555555c881e0 msgid 2
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain
Admins
request done: ld 0x555555c881e0 msgid 3
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
request done: ld 0x555555c881e0 msgid 4
Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain
Guests
request done: ld 0x555555c881e0 msgid 5
Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain
Computers
request done: ld 0x555555c881e0 msgid 6
Administrators (S-1-5-32-544) -> Administrators
request done: ld 0x555555c881e0 msgid 7
Account Operators (S-1-5-32-548) -> Account Operators
request done: ld 0x555555c881e0 msgid 8
Print Operators (S-1-5-32-550) -> Print Operators
request done: ld 0x555555c881e0 msgid 9
Backup Operators (S-1-5-32-551) -> Backup Operators
request done: ld 0x555555c881e0 msgid 10
Replicators (S-1-5-32-552) -> Replicators
request done: ld 0x555555c881e0 msgid 11
Users (S-1-5-32-545) -> 15000
LINUX-SRV: #

LINUX-SRV: # getent group
at:!:25:
..............
..............
domadmin:x:114:
root:x:0:
...............
..............
users:x:100:
+::0:
request done: ld 0x618d10 msgid 1
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
request done: ld 0x618d10 msgid 2
LINUX-SRV: #

LINUX-SRV: # uname -r
2.6.22.18-0.2-default
LINUX-SRV: #

LINUX-SRV: # rpm -qa | grep samba
samba-3.2.0-24.1.123
samba-client-3.2.0-24.1.123
samba-doc-3.2.0-24.1.123
samba-krb-printing-3.2.0-24.1.123
yast2-samba-client-2.15.11-33
samba-winbind-32bit-3.0.26a-3.7
yast2-samba-server-2.15.7-57
samba-python-3.0.26a-3.7
samba-devel-3.2.0-24.1.123
kdebase3-samba-3.5.7-87.5
samba-winbind-3.2.0-24.1.123
samba-client-32bit-3.0.26a-3.7
LINUX-SRV: #

LINUX-SRV:~ # rpm -qa | grep ldap
openldap2-2.3.41-1.1
openldap2-client-2.3.41-2.1
perl-ldap-0.33-81
nss_ldap-257-17
pam_ldap-184-48
perl-ldap-ssl-0.33-81
nss_ldap-32bit-257-17.1
yast2-ldap-2.15.1-83
openldap2-devel-2.3.41-2.1
python-ldap-2.3.1-18
ldapcpplib-0.0.4-95
yast2-ldap-client-2.15.12-37
php5-ldap-5.2.6-0.1
openldap2-client-32bit-2.3.37-20
ldap-account-manager-2.3.0-0.pm.0
yast2-ldap-server-2.15.5-76
pam_ldap-32bit-184-49.1
ldapsmb-1.34b-110.8.123
LINUX-SRV: # net groupmap list

----- Fin du message transf?r? -----

jcdole@free.fr wrote:
> Hello.
> 
> After fresh install.
> 
> Samba and ldap seems to run normally ( I can join win2k workstation to
linux
> samba pdc ).
> 
> Using yast I create a system group named domadmin
> 
> But I am unable to map "Domain Admins" to domadmin
> I am unable to map "Domain Admins" to existing ntadmin group
> 
> I am unable to mofify mapping "Domain Admins" to domadmin group
> 
> Thank you for helping.
> 
> LINUX-SRV: # net groupmap add ntgroup="Domain Admins"
unixgroup=domadmin
> rid=512 type=d
> adding entry for group Domain Admins failed!
> LINUX-SRV: #
> 
> LINUX-SRV: # net groupmap add ntgroup="Domain Admins"
unixgroup=ntadmin rid=512
> type=d
> adding entry for group Domain Admins failed!
> LINUX-SRV: #
> 
> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins"
unixgroup=domadmin
> Can't map to an unknown group type.
> LINUX-SRV: #
> 
> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins"
unixgroup=domadmin
> type=d
> Could not update group database
> LINUX-SRV: #
> 
> LINUX-SRV:~ net groupmap list
> request done: ld 0x555555c881e0 msgid 1
> request done: ld 0x555555c881e0 msgid 2
> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain
Admins
> request done: ld 0x555555c881e0 msgid 3
> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain
Users
> request done: ld 0x555555c881e0 msgid 4
> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain
Guests
> request done: ld 0x555555c881e0 msgid 5
> Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) ->
Domain
> Computers
> request done: ld 0x555555c881e0 msgid 6
> Administrators (S-1-5-32-544) -> Administrators
> request done: ld 0x555555c881e0 msgid 7
> Account Operators (S-1-5-32-548) -> Account Operators
> request done: ld 0x555555c881e0 msgid 8
> Print Operators (S-1-5-32-550) -> Print Operators
> request done: ld 0x555555c881e0 msgid 9
> Backup Operators (S-1-5-32-551) -> Backup Operators
> request done: ld 0x555555c881e0 msgid 10
> Replicators (S-1-5-32-552) -> Replicators
> request done: ld 0x555555c881e0 msgid 11
> Users (S-1-5-32-545) -> 15000
> LINUX-SRV: #
> 
> LINUX-SRV: # getent group
> at:!:25:
> ..............
> ..............
> domadmin:x:114:
> root:x:0:
> ...............
> ..............
> users:x:100:
> +::0:
> request done: ld 0x618d10 msgid 1
> Domain Admins:*:512:root,user_admin
> Domain Users:*:513:
> Domain Guests:*:514:
> Domain Computers:*:515:
> Administrators:*:544:
> Account Operators:*:548:
> Print Operators:*:550:
> Backup Operators:*:551:
> Replicators:*:552:
> request done: ld 0x618d10 msgid 2
It looks like you already have an existing unix group called "Domain 
Admins" being pulled in from ldap.  When that is true, there is no need 
for groupmap and indeed it would appear it is illegal to map a windows 
group that matches an existing unix group to another unix group.

Doug