On Mon, 22 Dec 2003, Stéphane Purnelle wrote:

Ok, but why do you use net groupmap modify, if for the first group mapping of the root group I must use

    $ net groupmap add sid=S-1-5-21-3186189368-1246494298-1334198317-512 ntgroup="Domain Users" unixgroup=root type=domain

If it doesn't work, I think you can put a bug in bugzilla.
Precisely what is the bug?
Domain Users should have RID=513, not 512. RID=512 is Domain Admins
If you want to change the RID you will have to delete the group and re-add it.
Please help me to understand:
1. How was the NT Group created?
   - If LDAP backend then you created it manually
   - If tdbsam backend, it is auto-created
2. How did it get to the setting you have now?
Using LDAP backend I just did the following:
    smbldap-groupadd.pl -g 560 -t domain -r 560 sammy
    net groupmap list

    Domain Admins (S-1-5-21-3504140859-1010554828-2431957765-512) -> Domain Admins
    Domain Users (S-1-5-21-3504140859-1010554828-2431957765-513) -> Domain Users
    Domain Guests (S-1-5-21-3504140859-1010554828-2431957765-514) -> Domain Guests
    Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
    Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
    PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
    sammy (S-1-5-21-3504140859-1010554828-2431957765-560) -> sammy
Using tdbsam backend I just did:
    groupadd sammy
    net groupmap add ntgroup="Domain Sammy" unixgroup=sammy type=d rid=560
    net groupmap list

    System Operators (S-1-5-32-549) -> -1
    Replicators (S-1-5-32-552) -> -1
    Guests (S-1-5-32-546) -> -1
    Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> users
    Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
    Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
    Domain Sammy (S-1-5-21-1593769616-160655940-3590153233-560) -> sammy
    Power Users (S-1-5-32-547) -> -1
    Master (S-1-5-21-1593769616-160655940-3590153233-2001) -> master
    Print Operators (S-1-5-32-550) -> -1
    Administrators (S-1-5-32-544) -> -1
    Account Operators (S-1-5-32-548) -> -1
    Backup Operators (S-1-5-32-551) -> -1
    Users (S-1-5-32-545) -> -1
Think about this. If you have entries for a group that has the wrong RID, there are lots of mapping entries for this in:
- group_mapping.tdb (if not using LDAP)
- winbindd_cache.tdb
- winbindd_idmap.tdb
- LDAP

To intelligently change a RID, Samba will need to search for all occurrences of the RID and change it. There is a large element of risk of loss of data consistency while that change is happening. The safest strategy is to delete a bad entry and then re-add it correctly.
Now check this (with tdbsam):
    net groupmap delete ntgroup="Domain Users"
    net groupmap list

    System Operators (S-1-5-32-549) -> -1
    Replicators (S-1-5-32-552) -> -1
    Guests (S-1-5-32-546) -> -1
    Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> -1
    Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
    Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
    Power Users (S-1-5-32-547) -> -1
    Master (S-1-5-21-1593769616-160655940-3590153233-2001) -> master
    Print Operators (S-1-5-32-550) -> -1
    Administrators (S-1-5-32-544) -> -1
    Domain Users (S-1-5-21-1593769616-160655940-3590153233-1201) -> users
    Account Operators (S-1-5-32-548) -> -1
    Backup Operators (S-1-5-32-551) -> -1
    Users (S-1-5-32-545) -> -1

Notice that Domain Users is automatically added by the tdbsam backend!
That is why you can not remap the RID for the well-known groups.
With an LDAP backend:
    net groupmap delete ntgroup="Domain Users"
    net groupmap add ntgroup="Domain Users" unixgroup="Domain Users" rid=513
This works fine. The LDAP backend does NOT auto-add the well known groups. But you cannot change the RID once it is added. You can delete a group mapping and then re-add it.
So precisely, what is the bug? I have seen the head-banging over the week-end and still do not understand what the problem is.
- John T.
    # net groupmap modify ntgroup="Domain Users" unixgroup=root
    net: ../../../libraries/liblber/decode.c:500: ber_scanf: Assertion `((ber)->ber_opts.lbo_valid==0x2)' failed.
    Aborted
    [EMAIL PROTECTED] migration]# net groupmap modify sid=S-1-5-21-3186189368-1246494298-1334198317-512 ntgroup="Domain Users" unixgroup=root type=domain
    net: ../../../libraries/liblber/decode.c:500: ber_scanf: Assertion `((ber)->ber_opts.lbo_valid==0x2)' failed.
Calling net groupmap modify with no existing mapping is a user/administrator error.

But these messages do not help the user.
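
A consistency check for the listings discussed in this thread, as an added example that is not part of the original messages or of Samba. It assumes the `net groupmap list` line format shown above (`name (SID) -> unixgroup`); the function names `parse_groupmap` and `audit` are hypothetical, and the sample input is constructed from the tdbsam listing in the thread.

```python
import re
from collections import defaultdict

# Well-known domain RIDs: 512 and 513 as stated in the thread, 514 from its listings.
WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+)$")

def parse_groupmap(text):
    """Parse `net groupmap list` output into (ntgroup, sid, rid, unixgroup) tuples."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sid = m["sid"]
            entries.append((m["name"], sid, int(sid.rsplit("-", 1)[1]), m["unix"]))
    return entries

def audit(entries):
    """Return findings for mappings that contradict the well-known RIDs."""
    findings = []
    by_name = defaultdict(list)
    for name, sid, rid, unix in entries:
        by_name[name].append(sid)
        domain_sid = sid.startswith("S-1-5-21-")  # builtin S-1-5-32-* groups are skipped
        expected = WELL_KNOWN.get(rid) if domain_sid else None
        if expected and name != expected:
            findings.append(f"RID {rid} is reserved for {expected!r} but is named {name!r}")
        elif domain_sid and name in WELL_KNOWN.values() and rid not in WELL_KNOWN:
            findings.append(f"{name!r} carries RID {rid}, not its well-known RID")
        if domain_sid and unix == "-1":
            findings.append(f"{name!r} ({sid}) has no Unix group (-1)")
    for name, sids in by_name.items():
        if len(sids) > 1:
            findings.append(f"{name!r} is mapped {len(sids)} times: {', '.join(sids)}")
    return findings

# Constructed sample: the tdbsam listing after the delete, abridged.
SAMPLE = """\
Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> -1
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> root
Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-1593769616-160655940-3590153233-1201) -> users
"""

if __name__ == "__main__":
    for finding in audit(parse_groupmap(SAMPLE)):
        print(finding)
```

Run against a saved listing before and after a delete and re-add to confirm that the well-known groups ended up on RIDs 512, 513 and 514.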