Samba net group add fails

Hi all. I am creating a samba setup with samba as the PDC.

I have samba up and running. I can join clients to the domain, and user id mapping appears to work fine. The problem is that I do not have any domain groups, and thus cannot create group mappings. Specifically, the required, well-known groups “Domain Admins”, “Domain Users” and “Domain Guests”. I have tried multiple times to use the net group add command, but it never seems to add the group. Here is output from a typical attempt to add the group. You can see I made multiple attempts. All unsuccessful.


odeon:/home/nicholas/Documents # net rpc group list
Enter root's password:
Administrator
Users
Guests
odeon:/home/nicholas/Documents # net group add "Domain Admins" rid=512 type=d
Enter root's password:
odeon:/home/nicholas/Documents # net rpc group list
Enter root's password:
Administrator
Users
Guests
odeon:/home/nicholas/Documents # net group add "Domain Admins"
Enter root's password:
odeon:/home/nicholas/Documents # net rpc group list
Enter root's password:
Administrator
Users
Guests


I have also tried this with random group names. From what I can tell, the net group add command just doesn’t work for me. I have read the man pages and all the documentation I can find. Can someone tell me what I’m doing wrong?

Details follow:

OS: OpenSuse 12.1
Samba: 3.6.3-34.20.1-2989-SUSE-SL12.1-x86_64

Samba Config file


# Samba config file created using SWAT
# from UNKNOWN (127.0.0.1)
# Date: 2013/08/01 09:24:21

[global]
        workgroup = VAHALLA
        map to guest = Bad User
        passdb backend = ldapsam:ldap://odeon.vahalla.org
        printcap name = cups
        add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
        logon script = logon.bat
        logon path = \\%L\profiles\.msprofile
        logon drive = H:
        logon home = \\%L\%U\.9xprofile
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=admin,dc=vahalla,dc=org
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = yes
        ldap suffix = dc=vahalla,dc=org
        ldap timeout = 5
        ldap user suffix = ou=people
        usershare max shares = 100
        idmap config * : backend = ldap:ldap://odeon.vahalla.org
        hosts allow = 127.0.0.1, 192.168.1.0/24
        hosts deny = All
        cups options = raw
        hide files = /*.ini/*.desktop/$RECYCLE.BIN/

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        read only = No
        inherit acls = Yes
        browseable = No

[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        create mask = 0600
        directory mask = 0700
        store dos attributes = Yes

[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/

[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        create mask = 0600
        printable = Yes
        print ok = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin, root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root

On 8/1/2013 12:16 PM, nickninevah wrote:
>
> <snip>
>
nickninevah;

What happens when you specify the unixgroup to map? For example (run as root):


#Map Windows Domain Groups to Unixgroups
net groupmap add rid=512 unixgroup=root type=d ntgroup="Domain Admins"
net groupmap add rid=513 unixgroup=users type=d ntgroup="Domain Users"
net groupmap add rid=514 unixgroup=nobody type=d ntgroup="Domain Guests"


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Hi nickninevah,

From your smb.conf file content, I see you haven’t set the add group script parameter in the [global] section. Consequently, you cannot add a group to your domain. Set this parameter, and net group add should work. Other parameters that may be of interest to you are:

  • add user script
  • add user to group script
  • delete group script
  • delete user script
  • delete user from group script
  • rename user script
  • set primary group script

An example similar to your case (with an LDAP backend) is available here with an smb.conf.

As a side note, it isn’t recommended to have UNIX users or groups with white spaces. You should instead use net groupmap and set the right SID:


# net getlocalsid VAHALLA
*DOMAINRID*
# the line above prints the domain SID; append the well-known RID 512 to it
# net groupmap add sid=*DOMAINRID*-512 ntgroup='Domain Admins' unixgroup=ntadmin

EDIT

venzkep’s use of net groupmap with rid= is more elegant than mine.
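As an added example, not code from the thread or from any of its posters, here is a small POSIX shell checker that reads an smb.conf and reports which of the provisioning-script parameters listed in the reply above are absent from [global]. It builds two constructed configs in temp files: one trimmed from the original post's [global] (which has none of the scripts, plus one deliberately misplaced in [homes], where smbd ignores it), and one that adds the smbldap-tools commands from the Samba documentation's LDAP example. The script paths and flags in the corrected config are an assumption for the poster's system; the checker itself only matches parameter names, case-insensitively with whitespace collapsed, the way smbd does.

```shell
#!/bin/sh
# Added example, not from the thread: report which provisioning-script
# parameters are missing from the [global] section of an smb.conf.
# Assumption: the file uses the usual "key = value" layout; parameter names
# are matched case-insensitively with whitespace collapsed, as smbd does.

# The scripts named in the reply above that a PDC needs before
# "net group add" / "net rpc user add" can create objects.
REQUIRED_SCRIPTS="add group script
delete group script
add user script
delete user script
add user to group script
delete user from group script
set primary group script"

# Print the parameter names found in [global] (only that section; these
# parameters are ignored by smbd anywhere else), normalised to lower case.
global_params() {
    awk '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && /^[ \t]*[;#]/ { next }
        insec && /=/ {
            key = $0
            sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/[ \t]+/, " ", key)
            print tolower(key)
        }
    ' "$1"
}

# Print each required parameter absent from [global], one per line.
# Exit status 0 if none are missing, 1 otherwise.
missing_scripts() {
    present=$(global_params "$1")
    missing=""
    old_ifs=$IFS
    IFS='
'
    for p in $REQUIRED_SCRIPTS; do
        if ! printf '%s\n' "$present" | grep -qxF -- "$p"; then
            missing="$missing$p
"
        fi
    done
    IFS=$old_ifs
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample configs, written to temp files so the checker reads a real path.
write_sample_confs() {
    BROKEN_CONF=$(mktemp)
    FIXED_CONF=$(mktemp)
    # 1) Trimmed from the original post's [global]: no provisioning scripts.
    #    The one in [homes] is deliberately misplaced and must not count.
    cat >"$BROKEN_CONF" <<'EOF'
[global]
        workgroup = VAHALLA
        passdb backend = ldapsam:ldap://odeon.vahalla.org
        domain logons = Yes
        ldap suffix = dc=vahalla,dc=org
        ldap group suffix = ou=group

[homes]
        comment = Home Directories
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
EOF
    # 2) Same [global] plus the smbldap-tools scripts from the Samba docs'
    #    LDAP example (assumed paths; adjust for the local installation).
    cat >"$FIXED_CONF" <<'EOF'
[global]
        workgroup = VAHALLA
        passdb backend = ldapsam:ldap://odeon.vahalla.org
        domain logons = Yes
        ldap suffix = dc=vahalla,dc=org
        ldap group suffix = ou=group
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
EOF
}

write_sample_confs
echo "Missing from the thread-style smb.conf:"
missing_scripts "$BROKEN_CONF" || true
echo "Missing from the corrected smb.conf:"
missing_scripts "$FIXED_CONF" && echo "(none)"
rm -f "$BROKEN_CONF" "$FIXED_CONF"
```

Run it against a live server with `missing_scripts /etc/samba/smb.conf` after sourcing the file; an empty result means every listed script is set, though it says nothing about whether those scripts exist or print the gid smbd expects, so still confirm with `testparm` and a single `net rpc group add` afterwards.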