I created the well known group Domain Admins pointing to a local group, but I am not able to add users to the group -- it claims I can only add users to local or global groups... But I only see local, domain, well-known, builtin. There are no global groups unless one would include all groups that are not local (i.e. domain, well-known, and builtin).... So why doesn't it want to let me add to my domain admins group when it is defined as a well known group (which it is, according to MS)...
Linda Walsh
2011-Sep-10 02:49 UTC
[Samba] Can't add users to well known groups...code patch (quick hack/commented out problem code seems to fix)...
Well, this code patch seems to fix the problem with my missing groups... Seems like because they were declared as well known groups (Domain Admins, Domain Users, etc.) they weren't being listed... Seems a bit odd for a PDC to not list well known groups... no? It looks like the code was intended to prevent people from using the BUILTIN groups -- which doesn't seem to make a lot of sense either. Can someone clarify why we shouldn't be able to add/subtract from well known or builtin groups? MS publishes a list of well known groups that most domains would expect to have, but when I tried to add them to my domain, they all became unlistable and unusable. Color me confused?

-linda

Linda Walsh wrote:
> I created the well known group Domain Admins pointing to a local group,
> but I am not able to add users to the group -- it claims I can only
> add users to
> local or global groups...
>
> But I only see local, domain ,well-known, builtin.
>
> There are no global groups unless one would include all groups that are
> not local (i.e. domain, well-known, and builtin)....
>
> So why doesn't it want to let me add to my domain admins group when it is
> defined as a well known group (which it is, according to MS)...
>

--- net_sam.c 2011-08-03 11:24:05.000000000 -0700 +++ net_sam.c 2011-09-09 19:27:39.190245264 -0700 @@ -1208,7 +1208,7 @@ } } - if ((grouptype == SID_NAME_ALIAS) || (grouptype == SID_NAME_WKN_GRP)) { + if ((grouptype == SID_NAME_ALIAS) ) { if ((membertype != SID_NAME_USER) && (membertype != SID_NAME_DOM_GRP)) { d_fprintf(stderr, _("%s is a local group, only users " @@ -1224,7 +1224,7 @@ "with %s\n"), nt_errstr(status)); return -1; } - } else if (grouptype == SID_NAME_DOM_GRP) { + } else if (grouptype == SID_NAME_DOM_GRP || grouptype == SID_NAME_WKN_GRP) { uint32_t grouprid, memberrid; sid_peek_rid(&group, &grouprid); 
@@ -1284,8 +1284,7 @@ } } - if ((grouptype == SID_NAME_ALIAS) || - (grouptype == SID_NAME_WKN_GRP)) { + if (grouptype == SID_NAME_ALIAS) { status = pdb_del_aliasmem(&group, &member); if (!NT_STATUS_IS_OK(status)) { @@ -1293,7 +1292,7 @@ "with %s\n"), nt_errstr(status)); return -1; } - } else if (grouptype == SID_NAME_DOM_GRP) { + } else if (grouptype == SID_NAME_DOM_GRP || SID_NAME_WKN_GRP) { uint32_t grouprid, memberrid; sid_peek_rid(&group, &grouprid); @@ -1349,8 +1348,7 @@ return -1; } - if ((grouptype == SID_NAME_ALIAS) || - (grouptype == SID_NAME_WKN_GRP)) { + if (grouptype == SID_NAME_ALIAS) { status = pdb_enum_aliasmem(&group, talloc_tos(), &members, &num_members); if (!NT_STATUS_IS_OK(status)) { --- net_groupmap.c 2011-08-03 11:24:05.000000000 -0700 +++ net_groupmap.c 2011-09-09 19:30:32.840929705 -0700 @@ -444,12 +444,12 @@ return -1; } - if (map.sid_name_use == SID_NAME_WKN_GRP) { + /*if (map.sid_name_use == SID_NAME_WKN_GRP) { d_fprintf(stderr, _("You can only change between domain and local " "groups.\n")); return -1; - } + }*/ map.sid_name_use=sid_type; @@ -630,13 +630,15 @@ /* Now we have a mapping entry, update that stuff */ if ( c->opt_localgroup || c->opt_domaingroup ) { - if (map.sid_name_use == SID_NAME_WKN_GRP) { + /* + * f (map.sid_name_use == SID_NAME_WKN_GRP) { d_fprintf(stderr, _("Can't change type of the BUILTIN " "group %s\n"), map.nt_name); return -1; } + */ } if (c->opt_localgroup)
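Review bot: the first net_sam.c hunk (@@ -1208) moves SID_NAME_WKN_GRP out of the alias branch, whose membertype check (`membertype != SID_NAME_USER && membertype != SID_NAME_DOM_GRP`) and "%s is a local group, only users" message show it was the local-group path, and into the SID_NAME_DOM_GRP branch, which does `sid_peek_rid(&group, &grouprid)` and treats the group as a RID-based domain group. Every well-known group that is actually mapped as a local group (the BUILTIN groups the net_groupmap.c messages refer to) will now take the domain-group path too. Suggest deciding the branch from how the group is mapped rather than from the whole SID_NAME_WKN_GRP type, or limiting the change to the mapped domain groups (Domain Admins, Domain Users) the thread is about.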
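Review bot: in the @@ -1293 hunk the new condition `} else if (grouptype == SID_NAME_DOM_GRP || SID_NAME_WKN_GRP) {` is missing the second `grouptype ==`; SID_NAME_WKN_GRP is a non-zero enum constant, so the expression is always true and every non-alias group type (including users and unknown SIDs) now falls into the domain-group delete path. It should read `grouptype == SID_NAME_DOM_GRP || grouptype == SID_NAME_WKN_GRP`, as the @@ -1224 hunk does.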
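Review bot: the @@ -1349 hunk removes SID_NAME_WKN_GRP from the alias branch that calls `pdb_enum_aliasmem`, but unlike the addmem and delmem hunks nothing in this hunk adds it to the domain-group branch, so listing the members of a well-known group now falls through to whatever follows this condition. Either add the same `|| grouptype == SID_NAME_WKN_GRP` to the next branch or leave this condition as it was.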
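Review bot: the @@ -444 hunk in net_groupmap.c comments out the SID_NAME_WKN_GRP check with `/* ... */` instead of deleting it, which leaves dead code behind, and it removes the guard that stopped `net groupmap` from changing a well-known group's type at all. If the guard is really wrong, delete it and explain why in the commit message; if only Domain Admins and Domain Users need to be retyped, restrict the exception to those rather than to every well-known group.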
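Review bot: the commented-out block in the @@ -630 hunk was damaged while being wrapped in `/* ... */`: the line now reads `* f (map.sid_name_use == SID_NAME_WKN_GRP) {`, so the `i` of `if` is gone. That is harmless inside a comment but shows the edit was done by hand; as in the earlier hunk, deleting the check outright is cleaner, and removing it means the "Can't change type of the BUILTIN group" protection is gone for every BUILTIN group, not just the ones the thread is about.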
On 15:48:09 wrote Linda Walsh:
> I created the well known group Domain Admins pointing to a local
> group, but I am not able to add users to the group -- it claims I
> can only add users to
> local or global groups...
>
> But I only see local, domain ,well-known, builtin.
>
> There are no global groups unless one would include all groups that
> are not local (i.e. domain, well-known, and builtin)....
>
> So why doesn't it want to let me add to my domain admins group when
> it is defined as a well known group (which it is, according to
> MS)...

Nobody may be able to answer your questions if you don't give us some background information! Something like:

- which samba version
- which sam, ldapsam or tdbsam, do you use
- winbind
- your global section of samba conf
- the commands you have used
- which well known groups you have currently

--
regards Harry Jede
François Legal wrote:
>
> Not sure if this is relevant, but if (first case shown down here)
> "Domain Admins" is not so much a group but a map to unix group, I'm
> not surprised that you can't add users to this using samba. I would
> rather use /etc/group or whatever to add users to the unix group mapped
>

Good point, 2 things:

1) My userid/login 'should' already be listed in the group (as it IS in /etc/group), but wins doesn't return the members that SHOULD be listed in the group.

2) It has scripts to modify users, groups and machines (add & delete); in a most primitive form, it could delete the group and re-add the group w/new member list.

---

It just occurred to me that maybe it's confusing itself, in that currently Samba mangles the case of group/user names to lower case and hosts/domains to upper case. Current versions of Windows don't do this -- they ignore but preserve case (unless there is some pre-existing copy of the name already in some other 'case', in which case it will convert your typed input into the 'pre-existing copy'). But unix/linux not only doesn't change case, it doesn't ignore it either, so if it took something like Domain Admins and changed it to 'domain admins', it wouldn't match the group name when it tried to look it up.

Nevertheless, the lookup problem was definitely caused by code in the patched files that tells it not to deal with 'well known groups' -- regardless of whether they are mappings or not...