sgbarrett at eircom.net
2011-Jan-24 17:12 UTC
[Samba] Upgrading from 3.0.23 but group_mapping.tdb is empty on current config
Hi all,

I've done a serious amount of reading around this but I still can't figure out the implications of what I'm seeing.

I have inherited a CentOS 4 Samba 3.0.23 PDC & file server for 40 hosts that has been through the wars. It is standalone and stable and uses the smbpasswd file authentication backend, however I need to upgrade for Windows 7 support.

I intend to build a server from scratch to the latest packages in CentOS 5 (3.3.8), set an identical local SID for the domain name, bring across the smbpasswd file and then migrate to a tdbsam passdb when I am confident that there are no issues.

In practically every Samba PDC guide I have read it says that I need to map the Windows domain groups to unix groups. On the current server, the net groupmap list command does not return any output. Running 'strings' against /var/lib/samba/group_mapping.tdb shows the following entries:

# strings group_mapping.tdb
TDB file
&INFO/version
BBB0
UNIXGROUP/S-1-5-32-544 Administrators
&UNIXGROUP/S-1-5-32-545 Users
UNIXGROUP/S-1-5-32-546 Guests
&UNIXGROUP/S-1-5-32-547 Power Users
&UNIXGROUP/S-1-5-32-548 Account Operators
UNIXGROUP/S-1-5-32-549 System Operators
BBBP
&UNIXGROUP/S-1-5-32-550 Print Operators
&UNIXGROUP/S-1-5-32-551 Backup Operators
BBBP
UNIXGROUP/S-1-5-32-552 Replicators
&UNIXGROUP/S-1-5-21-2805943957-1905505361-2100739042-512 Domain Admins
&UNIXGROUP/S-1-5-21-2805943957-1905505361-2100739042-513 Domain Users
UNIXGROUP/S-1-5-21-2805943957-1905505361-2100739042-514 Domain Guests
&UNIXGROUP/S-1-5-21-3753518464-2681452192-3078135741-512 Domain Admins
UNIXGROUP/S-1-5-21-3753518464-2681452192-3078135741-513 Domain Users
&UNIXGROUP/S-1-5-21-3753518464-2681452192-3078135741-514 Domain Guests
&UNIXGROUP/S-1-5-21-4236374240-3432822334-3570386938-512 Domain Admins
UNIXGROUP/S-1-5-21-4236374240-3432822334-3570386938-513 Domain Users
&UNIXGROUP/S-1-5-21-4236374240-3432822334-3570386938-514 Domain Guests

That suggests to me that the group_mapping.tdb file has entries for three different domains for the groups Domain Admins, Domain Users and Domain Guests, but that none of them is my domain. Is this correct? We are not running any other domains here.

I also think that I will need to map Windows groups to unix groups on the new server. Will this cause any trouble, given that the Windows machines aren't expecting it? Currently no domain groups are available in Windows. Access to the shares is managed at the Linux filesystem level with 'valid users' flags in the share options.

Should I start from scratch with an identical PDC SID, or will that cause other problems?

Best regards,
Simon Barrett
TAKAHASHI Motonobu
2011-Jan-25 18:52 UTC
[Samba] Upgrading from 3.0.23 but group_mapping.tdb is empty on current config
2011/1/25 <sgbarrett at eircom.net>:
> I have inherited a CentOS 4 Samba 3.0.23 PDC & file server for 40 hosts that has been through the wars. It is standalone and stable and uses the smbpasswd file authentication backend, however I need to upgrade for Windows 7 support.
>
> I intend to build a server from scratch to the latest packages in CentOS 5 (3.3.8), set an identical local SID for the domain name, bring across the smbpasswd file and then migrate to a tdbsam passdb when I am confident that there are no issues.
>
> In practically every Samba PDC guide I have read it says that I need to map the Windows domain groups to unix groups. On the current server, the net groupmap list command does not return any output. Running 'strings' against /var/lib/samba/group_mapping.tdb shows the following entries:
(snip)
> That suggests to me that the group_mapping.tdb file has entries for three different domains for the groups Domain Admins, Domain Users and Domain Guests, but that none of them is my domain. Is this correct? We are not running any other domains here.

Use tdbdump or such correct tools to look at the contents of tdb files.

> On the current server, the net groupmap list command does not return any output.

As far as I examined, at Samba 3.0.24 or later, these 3 groups are not pre-defined. If your "current server" means newer Samba 3.3.8 server, it is OK not to return any output.

> I also think that I will need to map Windows groups to unix groups on the new server. Will this cause any trouble, given that the Windows machines aren't expecting it? Currently no domain groups are available in Windows. Access to the shares is managed at the Linux filesystem level with 'valid users' flags in the share options.

Not required, but is recommended. For example, "domain admins" should be added to local "administrators" on every joined machine. "domain users" should be the primary group of every newly created domain user on Windows's implementation.

Not to create these groups will break these compatibilities.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
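
Added example, not part of either post and not Samba's own code: a small Python audit that reads tdbdump-style text for group_mapping.tdb, groups the UNIXGROUP keys by domain SID and labels each domain as builtin, local or foreign relative to the server's own SID. It assumes tdbdump's `key(N) = "...\00"` record layout; the sample dump is constructed from SIDs quoted in the thread, and LOCAL_SID is a placeholder for whatever `net getlocalsid` prints on the server being checked.

```python
import re
from collections import defaultdict

BUILTIN = "S-1-5-32"
# Matches group-mapping keys in tdbdump text output (assumed layout:
# key(N) = "UNIXGROUP/<SID>\00").
KEY_RE = re.compile(r'^key\(\d+\) = "UNIXGROUP/(S-[0-9-]+)\\00"$', re.M)

def make_dump(keys):
    """Build a constructed dump; data values are placeholders, not real mappings."""
    rec = '{\nkey(%d) = "%s\\00"\ndata(4) = "\\00\\00\\00\\00"\n}\n'
    return "".join(rec % (len(k) + 1, k) for k in keys)

def audit(dump_text, local_sid):
    """Group mapped SIDs by domain and label each domain relative to local_sid."""
    by_domain = defaultdict(list)
    for sid in KEY_RE.findall(dump_text):
        domain, _, rid = sid.rpartition("-")   # last component is the RID
        by_domain[domain].append(int(rid))
    report = {}
    for domain, rids in by_domain.items():
        if domain == BUILTIN:
            status = "builtin"
        elif domain == local_sid:
            status = "local"
        else:
            status = "foreign"   # mapping keyed to some other domain SID
        report[domain] = (status, sorted(rids))
    return report

# Domain SIDs as they appear in the strings output quoted in the thread.
THREAD_DOMAINS = [
    "S-1-5-21-2805943957-1905505361-2100739042",
    "S-1-5-21-3753518464-2681452192-3078135741",
    "S-1-5-21-4236374240-3432822334-3570386938",
]
# Constructed sample: two BUILTIN keys plus RIDs 512-514 under each domain SID.
SAMPLE = make_dump(
    ["INFO/version", "UNIXGROUP/S-1-5-32-544", "UNIXGROUP/S-1-5-32-545"]
    + ["UNIXGROUP/%s-%d" % (d, r) for d in THREAD_DOMAINS for r in (512, 513, 514)]
)
# Placeholder, not a value from the thread: substitute `net getlocalsid` output.
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    for domain, (status, rids) in sorted(audit(SAMPLE, LOCAL_SID).items()):
        print(f"{status:8} {domain} RIDs={rids}")
```

Entries reported as foreign are keyed to a domain SID other than the server's own, so they would not apply to groups in the current domain.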