Okay, got the answer so I'm just replying so this ends up in the
archives for posterity so someone else might not rack their brains.
The following is for mapping a domain group to a local Unix group on a
machine running samba in a domain member role.

DOMAIN = MEDITECH
MACHINE = PINKFLOYD
domain wide admin group = Domain Server Admin
Unix user group = wheel

1) Add nested group support in smb.conf and restart:
winbind nested groups = yes


2) Create a local SMB group on the machine.
net rpc group add "Unix Admins" -L -U PINKFLOYD+root 
                                        ^^^^^
- Took me a while to realize since root isn't in the domain, I needed to
specify the local machine name.


3) Add the domain wide admin group to the new local group:
net rpc addmem "Unix Admins" "MEDITECH\Domain Server Admin" -U PINKFLOYD+root


4) Map the new local SMB group to the Unix admin group:
net groupmap modify ntgroup="Unix Admins" unixgroup=wheel

I hope this helps someone else.  It was the creation of the local SMB
group that tripped me up the entire time.

Thanks,
tom


On Tue, 2005-09-06 at 21:06 -0400, Tom McLaughlin wrote:
> Hi, I have a CentOS 4.1 box at work running Samba 3 which I have added
> as a domain member to an existing Windows domain with a Windows PDC.
> The box running Samba has no local unix users and groups except for root
> and the other builtin accounts.  All user authentication is done through
> pam_winbind and user information is handled by winbind.  What I would
> like to do is have users that are members of the Windows domain's Unix
> Admin global group gain membership to the local unix wheel group when
> they login via ssh to the Linux box.  Preferably without needing to
> touch the /etc/groups file at all.
> 
> I've read chapters 11 and 12 of the Samba How-To and I tried the
> following on the domain member running Samba based on the How-To:
> 
> net groupmap add ntgroup="Unix Admin" unixgroup=wheel
> 
> But when I ssh'ed in as my user who is a member of the Unix Admin group
> and run `groups` I do not see myself as a member of the wheel group.  I
> also can't alter files with wheel write permissions.  
> 
> After looking at the output of `net getdomainsid` and `net groupmap
> list` (by this time I had already deleted the Unix Admin -> wheel
> groupmap) I realized that the SIDs I see in the groupmap list correspond
> to the SID of the local machine and not the domain.  I also see that
> Unix Admin is not even listed as a group when I check the groups on the
> machine.
> 
> 
> [EMAIL PROTECTED] ~]# net getdomainsid
> SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
> SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200
> 
> 
> [EMAIL PROTECTED] ~]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
> Domain Guests (S-1-5-21-3074351591-431869502-3764789074-514) -> -1
> Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> 
> My question is how should I be going about mapping my domain group
> members so they gain membership to a local Unix group while they're
> logged in?  I've read the chapters in the How-To but I'm definitely
> missing something.  I realize now that I can't simply groupmap "Unix
> Admin" to wheel so there must be some intermediate steps in between.
> Can someone point me in the right direction?  Thanks.
> 
> Tom
> 
> 
> smb.conf:
> 
> # Global parameters
> [global]
>         workgroup = MEDITECH
>         server string = Samba Server
>         security = DOMAIN
>         password server = meditech3
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         name resolve order = lmhosts wins bcast
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         printcap name = /etc/printcap
>         os level = 0
>         preferred master = No
>         local master = No
>         domain master = No
>         dns proxy = No
>         wins server = lb:172.30.48.2, canton:172.30.16.2
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind separator = +
>         winbind use default domain = Yes
>         cups options = raw
> 
> [homes]
>         comment = Home Directories
>         read only = No
>         browseable = No
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
> 
> [public]
>         comment = Public Stuff
>         path = /var/samba/public
>         write list = "@Domain Server Admin"
>         guest ok = Yes
> 
> 
> -- 
> BSD# Project - Mono on FreeBSD
> http://www.mono-project.com/Mono:FreeBSD
> 

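The four steps above collected into one script, as an added example (this
is not tom's own script and not anything shipped with Samba). It keeps the
names from the thread (MEDITECH, PINKFLOYD, "Domain Server Admin",
"Unix Admins", wheel) and assumes, beyond what the post says, an smb.conf
at /etc/samba/smb.conf, CentOS-style "smb" and "winbind" init scripts and
GNU sed; DRY_RUN=1 only prints the commands. The member-add step is written
as `net rpc group addmem`. The check_mapping function reads the text of
`net getdomainsid` and `net groupmap list` the way the original post did by
eye: the alias must have a map entry, its SID must hang off the machine SID
(it is a local alias), and the right-hand side must read "wheel" rather
than "-1". Because the same-named map from `net groupmap add` also lives
under the machine SID, the live check additionally lists the alias members,
where the domain group should show up.

```bash
#!/bin/bash
# Added example, not the original poster's script: run the four steps from
# the thread on a Samba 3 domain member and verify the resulting group map.
# Assumed names (from the post): domain MEDITECH, member PINKFLOYD, domain
# group "Domain Server Admin", local alias "Unix Admins", Unix group wheel.
# Assumed and NOT in the post: /etc/samba/smb.conf, init scripts "smb" and
# "winbind", GNU sed. DRY_RUN=1 prints the commands instead of running them.

DOMAIN=${DOMAIN:-MEDITECH}
MACHINE=${MACHINE:-PINKFLOYD}
DOMAIN_GROUP=${DOMAIN_GROUP:-"Domain Server Admin"}
LOCAL_ALIAS=${LOCAL_ALIAS:-"Unix Admins"}
UNIX_GROUP=${UNIX_GROUP:-wheel}
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'would run:'; printf ' %s' "$@"; echo
    else "$@"; fi
}

# Step 1: winbindd only counts a domain group placed inside a local alias
# towards a user's Unix groups when nested groups are enabled. Restart after.
enable_nested_groups() {
    if ! grep -qiE '^[[:space:]]*winbind nested groups[[:space:]]*=' "$SMB_CONF" 2>/dev/null; then
        # GNU sed: append the parameter directly under [global]
        run sed -i '/^\[global\]/a winbind nested groups = yes' "$SMB_CONF"
    fi
    [ "$DRY_RUN" = 1 ] || testparm -s "$SMB_CONF" >/dev/null || return 1
    run service winbind restart
    run service smb restart
}

# Steps 2-4: create a *local* alias (-L), put the domain group inside it and
# map the alias to the Unix group. root is a local account, not a domain
# account, so -U has to be qualified with the machine name ("+" is the
# winbind separator from the posted smb.conf). net prompts for the password.
map_domain_group() {
    run net rpc group add "$LOCAL_ALIAS" -L -U "${MACHINE}+root"
    run net rpc group addmem "$LOCAL_ALIAS" "${DOMAIN}\\${DOMAIN_GROUP}" -U "${MACHINE}+root"
    run net groupmap modify ntgroup="$LOCAL_ALIAS" unixgroup="$UNIX_GROUP"
}

# Check a mapping from the text of `net getdomainsid` and `net groupmap list`,
# passed in as strings so the check also runs on captured output. Succeeds when
# ALIAS has a map entry whose SID hangs off the MACHINE SID (a local alias) and
# whose right-hand side is UNIX_GROUP; `net groupmap list` prints -1 there when
# no Unix group resolves for the entry.
check_mapping() {
    local sid_out=$1 map_out=$2 alias=$3 machine=$4 unix_group=$5
    local machine_sid line sid target
    machine_sid=$(printf '%s\n' "$sid_out" | sed -n "s/^SID for domain $machine is: //p")
    [ -n "$machine_sid" ] || { echo "no SID line for $machine" >&2; return 1; }
    line=$(printf '%s\n' "$map_out" | grep -F -- "$alias (" || true)
    [ -n "$line" ] || { echo "$alias has no group map entry" >&2; return 1; }
    sid=${line#*(}; sid=${sid%%)*}      # text between the parentheses
    target=${line##*-> }                # text after the arrow
    case $sid in
        "$machine_sid"-*) ;;
        *) echo "$alias SID $sid is not under the $machine SID" >&2; return 1 ;;
    esac
    [ "$target" = "$unix_group" ] || { echo "$alias maps to '$target', not $unix_group" >&2; return 1; }
    echo "$alias ($sid) -> $unix_group: OK"
}

# Live verification: run the check on real output, list the alias members
# (the domain group should appear) and optionally show a domain user's groups.
verify_live() {
    local user=${1:-}
    check_mapping "$(net getdomainsid)" "$(net groupmap list)" \
        "$LOCAL_ALIAS" "$MACHINE" "$UNIX_GROUP" || return 1
    net rpc group members "$LOCAL_ALIAS" -U "${MACHINE}+root"
    [ -z "$user" ] || id "$user"        # wheel shows up once the user logs in again
}

case ${1:-} in
    apply)   enable_nested_groups && map_domain_group && verify_live "${2:-}" ;;
    dry-run) DRY_RUN=1; enable_nested_groups; map_domain_group ;;
    verify)  verify_live "${2:-}" ;;
    *)       echo "usage: $0 apply|dry-run|verify [domain-user]" >&2 ;;
esac
```

Run it as `./map-wheel.sh dry-run` first to see the exact commands, then
`./map-wheel.sh apply someuser`; `verify` alone re-runs the checks later.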
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba