samba - unable to map windows to unix groups

Hello.

After fresh install.

Samba and ldap seems to run normally ( I can join win2k workstation to linux samba pdc ).

Using yast I create a system group named domadmin

But I am unable to map “Domain Admins” to domadmin
I am unable to map “Domain Admins” to existing ntadmin group

I am unable to modify mapping “Domain Admins” to domadmin group

Thank you for helping.

LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
Can't map to an unknown group type.
LINUX-SRV: #

LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
Could not update group database
LINUX-SRV: #

LINUX-SRV: # net groupmap list
request done: ld 0x555555c881e0 msgid 1
request done: ld 0x555555c881e0 msgid 2
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
request done: ld 0x555555c881e0 msgid 3
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
request done: ld 0x555555c881e0 msgid 4
Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
request done: ld 0x555555c881e0 msgid 5
Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
request done: ld 0x555555c881e0 msgid 6
Administrators (S-1-5-32-544) -> Administrators
request done: ld 0x555555c881e0 msgid 7
Account Operators (S-1-5-32-548) -> Account Operators
request done: ld 0x555555c881e0 msgid 8
Print Operators (S-1-5-32-550) -> Print Operators
request done: ld 0x555555c881e0 msgid 9
Backup Operators (S-1-5-32-551) -> Backup Operators
request done: ld 0x555555c881e0 msgid 10
Replicators (S-1-5-32-552) -> Replicators
request done: ld 0x555555c881e0 msgid 11
Users (S-1-5-32-545) -> 15000
LINUX-SRV: #

LINUX-SRV: # getent group
at:!:25:


domadmin:x:114:
root:x:0:


users:x:100:
+::0:
request done: ld 0x618d10 msgid 1
Domain Admins::512:root,user_admin
Domain Users::513:
Domain Guests::514:
Domain Computers::515:
Administrators::544:
Account Operators::548:
Print Operators::550:
Backup Operators::551:
Replicators:*:552:
request done: ld 0x618d10 msgid 2
LINUX-SRV: #

LINUX-SRV: # uname -r
2.6.22.18-0.2-default
LINUX-SRV: #

LINUX-SRV: # rpm -qa | grep samba
samba-3.2.0-24.1.123
samba-client-3.2.0-24.1.123
samba-doc-3.2.0-24.1.123
samba-krb-printing-3.2.0-24.1.123
yast2-samba-client-2.15.11-33
samba-winbind-32bit-3.0.26a-3.7
yast2-samba-server-2.15.7-57
samba-python-3.0.26a-3.7
samba-devel-3.2.0-24.1.123
kdebase3-samba-3.5.7-87.5
samba-winbind-3.2.0-24.1.123
samba-client-32bit-3.0.26a-3.7
LINUX-SRV: #

LINUX-SRV: # rpm -qa | grep ldap
openldap2-2.3.41-1.1
openldap2-client-2.3.41-2.1
perl-ldap-0.33-81
nss_ldap-257-17
pam_ldap-184-48
perl-ldap-ssl-0.33-81
nss_ldap-32bit-257-17.1
yast2-ldap-2.15.1-83
openldap2-devel-2.3.41-2.1
python-ldap-2.3.1-18
ldapcpplib-0.0.4-95
yast2-ldap-client-2.15.12-37
php5-ldap-5.2.6-0.1
openldap2-client-32bit-2.3.37-20
ldap-account-manager-2.3.0-0.pm.0
yast2-ldap-server-2.15.5-76
pam_ldap-32bit-184-49.1
ldapsmb-1.34b-110.8.123
LINUX-SRV: #

jcdole wrote:

>
> Hello.
>
> After fresh install.
>
> Samba and ldap seems to run normally ( I can join win2k workstation to
> linux samba pdc ).
>
> Using yast I create a system group named domadmin
>
> But I am unable to map “Domain Admins” to domadmin
> I am unable to map “Domain Admins” to existing ntadmin group
>
> I am unable to modify mapping “Domain Admins” to domadmin group
>
> Thank you for helping.
>
> LINUX-SRV: # net groupmap add ntgroup="Domain Admins"
> unixgroup=domadmin
> rid=512 type=d

<snip by PV>

jcdole

You might try reformatting as:

net groupmap add rid=512 unixgroup=domadmin type=d ntgroup="Domain Admins"

and be sure you are running the command as root.

I’m not real optimistic that the reformatting will help, but it is worth a
try. This order has worked for me.


P. V.
“We have met the enemy and he is us” Pogo

Hi.

Sorry does not help.

please help.

Any idea .

jcdole wrote:

>
> please help.
>
> Any idea .
>
>
jcdole;

From the output of “netgroup map list” it appears to me that you have
already mapped the ntgroup “Domain Admins” to a unixgroup of the same name.
Try using “net groupmap modify”
(e.g. net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin)
It looks like you are trying to map the same ntgroup to two different unixgroups
(i.e. Domain Admins and domadmin) and as far as I know that does not work.

P. V.
Only fools rush in where angels fear to tread.

PV wrote:

> jcdole wrote:
>
>>
>> please help.
>>
>> Any idea .
>>
>>
> jcdole;
>
> From the output of “netgroup map list” it appears to me that you have
> already mapped the ntgroup “Domain Admins” to a unixgroup of the same name.
> Try using “net groupmap modify”
> (e.g. net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin)
> It looks like you are trying to map the same ntgroup to two different
> unixgroups (i.e. Domain Admins and domadmin) and as far as I know that does
> not work.
OOPS I see you tried this, did you run the command as root?

P. V.
Only fools rush in where angels fear to tread.

jcdole wrote:

>
> please help.
>
> Any idea .
>
>
One more thought. The groupmap is saved in the
file /var/lib/samba/group_mapping.[tdb|ldb]. If you renamed that file, it is
possible that you could start over with your groupmap. Try renaming it, run
net groupmap list to see if you have indeed erased your group maps and if so
try re-adding them. To be on the safe side stop smbd while you do this. If it
doesn’t work you can always restore your old groupmap.

P. V.
Only fools rush in where angels fear to tread.

Hi.

No there is no unix group named “Domain Admins”.

The two existing unix groups are :
ntadmin ( GID : 71 ) which is native system group
domadmin ( GID : 114 ) which is system group added by hand by myself

jcdole wrote:

>
> Hi.
>
> No there is no unix group named “Domain Admins”.
>
> The two existing unix groups are :
> ntadmin ( GID : 71 ) which is native system group
> domadmin ( GID : 114 ) which is system group added by hand by myself
>
>
What am I seeing here then?

>LINUX-SRV: # getent group
>at:!:25:
>…
>…
>domadmin:x:114:
>root:x:0:
>…
>…
>users:x:100:
>+::0:
>request done: ld 0x618d10 msgid 1
>Domain Admins::512:root,user_admin
>Domain Users::513:
<snip>
>Replicators:*:552:
>request done: ld 0x618d10 msgid 2
>LINUX-SRV: #

And again here?
>LINUX-SRV: # net groupmap list
>request done: ld 0x555555c881e0 msgid 1
>request done: ld 0x555555c881e0 msgid 2
>Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain
>Admins
>request done: ld 0x555555c881e0 msgid 3
<snip>

P. V.
Only fools rush in where angels fear to tread.

PV wrote:

> jcdole wrote:
>
>>
>> Hi.
>>
>> No there is no unix group named “Domain Admins”.
<snip>
I misread again. But if you look at “Samba3 by Example” Section 5.4.5 pg 183
you will see this quote.

At this time, Samba-3 requires that on a PDC all UNIX (POSIX)
group accounts that are mapped (linked) to Windows domain group
accounts must be in the LDAP database. It does not hurt to have
UNIX user and group accounts in both the system files as well as
in the LDAP database. From a UNIX system perspective, the NSS
resolver checks system files before referring to LDAP. If the UNIX
system can resolve (find) an account in the system file, it does not
need to ask LDAP.

Best I can do for you.


P. V.
Only fools rush in where angels fear to tread.
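
The constraint in the Samba3 by Example passage quoted above can be checked before running net groupmap. The following is an added example, not part of the thread: it classifies each UNIX group as resolving from system files, LDAP or both, using samples constructed from the output posted earlier; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. The three samples are constructed from
# output posted above; on a live PDC replace them with the output of
# `getent -s files group`, `getent -s ldap group` and `net groupmap list`.
FILES_GROUPS='at:!:25:
domadmin:x:114:
ntadmin:x:71:
root:x:0:
users:x:100:'
LDAP_GROUPS='Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Replicators:*:552:'
GROUPMAP='request done: ld 0x555555c881e0 msgid 1
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
request done: ld 0x555555c881e0 msgid 3
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
request done: ld 0x555555c881e0 msgid 11
Users (S-1-5-32-545) -> 15000'

# in_db LISTING NAME: succeed if NAME is the first field of a group(5) line.
in_db() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { found = 1 } END { exit !found }'
}

# group_source NAME: print where the UNIX group name resolves from.
group_source() {
    local f=0 l=0
    in_db "$FILES_GROUPS" "$1" && f=1
    in_db "$LDAP_GROUPS" "$1" && l=1
    case "$f$l" in
        11) echo both ;; 01) echo ldap ;; 10) echo files-only ;; *) echo missing ;;
    esac
}

# groupmap_targets: UNIX side of each mapping, skipping the LDAP debug lines.
groupmap_targets() {
    printf '%s\n' "$GROUPMAP" | sed -n 's/^.*(S-[0-9-]*) -> \(.*\)$/\1/p'
}

# report [CANDIDATE...]: "target<TAB>source" for every existing mapping and
# every candidate group; files-only or missing means the group is not in LDAP.
report() {
    { groupmap_targets; printf '%s\n' "$@"; } | while IFS= read -r g; do
        [ -n "$g" ] || continue
        printf '%s\t%s\n' "$g" "$(group_source "$g")"
    done
}
report domadmin ntadmin
```

With this sample data, domadmin and ntadmin are reported as files-only, which is the condition the quoted passage says a mapped group on a PDC must not be in.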