Okay, got the answer so I'm just replying so this ends up in the archives for posterity so someone else might not rack their brains. The following is for mapping a domain group to a local Unix group on a machine running samba in a domain member role.
DOMAIN = MEDITECH
MACHINE = PINKFLOYD
domain wide admin group = Domain Server Admin
Unix user group = wheel

1) Add nested group support in smb.conf and restart:

   winbind nested groups = yes

2) Create a local SMB group on the machine.

   net rpc group add "Unix Admins" -L -U PINKFLOYD+root
                                         ^^^^^
   - Took me a while to realize since root isn't in the domain, I needed
     to specify the local machine name.

3) Add the domain wide admin group to the new local group:

   net rpc addmem "Unix Admins" "MEDITECH\Domain Server Admin" -U PINKFLOYD+root

4) Map the new local SMB group to the Unix admin group:

   net groupmap modify ntgroup="Unix Admins" unixgroup=wheel

I hope this helps someone else. It was the creation of the local SMB group that tripped me up the entire time.

Thanks,
tom

On Tue, 2005-09-06 at 21:06 -0400, Tom McLaughlin wrote:
> Hi, I have a CentOS 4.1 box at work running Samba 3 which I have added
> as a domain member to an existing Windows domain with a Windows PDC.
> The box running Samba has no local unix users and groups except for root
> and the other builtin accounts. All user authentication is done through
> pam_winbind and user information is handled by winbind. What I would
> like to do is have users that are members of the Windows domain's Unix
> Admin global group gain membership to the local unix wheel group when
> they login via ssh to the Linux box. Preferably without needing to
> touch the /etc/groups file at all.
>
> I've read chapters 11 and 12 of the Samba How-To and I tried the
> following on the domain member running Samba based on the How-To:
>
> net groupmap add ntgroup="Unix Admin" unixgroup=wheel
>
> But when I ssh'ed in as my user who is a member of the Unix Admin group
> and run `groups` I do not see myself as a member of the wheel group. I
> also can't alter files with wheel write permissions.
>
> After looking at the output of `net getdomainsid` and `net groupmap
> list` (by this time I had already deleted the Unix Admin -> wheel
> groupmap) I realized that the SIDs I see in the groupmap list correspond
> to the SID of the local machine and not the domain. I also see that
> Unix Admin is not even listed as a group when I check the groups on the
> machine.
>
> [EMAIL PROTECTED] ~]# net getdomainsid
> SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
> SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200
>
> [EMAIL PROTECTED] ~]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
> Domain Guests (S-1-5-21-3074351591-431869502-3764789074-514) -> -1
> Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
>
> My question is how should I be going about mapping my domain group
> members so they gain membership to a local Unix group while they're
> logged in? I've read the chapters in the How-To but I'm definitely
> missing something. I realize now that I can't simply groupmap "Unix
> Admin" to wheel so there must be some intermediate steps in between.
> Can someone point me in the right direction? Thanks.
>
> Tom
>
> smb.conf:
>
> # Global parameters
> [global]
>         workgroup = MEDITECH
>         server string = Samba Server
>         security = DOMAIN
>         password server = meditech3
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         name resolve order = lmhosts wins bcast
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         printcap name = /etc/printcap
>         os level = 0
>         preferred master = No
>         local master = No
>         domain master = No
>         dns proxy = No
>         wins server = lb:172.30.48.2, canton:172.30.16.2
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind separator = +
>         winbind use default domain = Yes
>         cups options = raw
>
> [homes]
>         comment = Home Directories
>         read only = No
>         browseable = No
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
>
> [public]
>         comment = Public Stuff
>         path = /var/samba/public
>         write list = "@Domain Server Admin"
>         guest ok = Yes
>
> --
> BSD# Project - Mono on FreeBSD
> http://www.mono-project.com/Mono:FreeBSD

--
BSD# Project - Mono on FreeBSD
http://www.mono-project.com/Mono:FreeBSD
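The diagnosis in the thread hinges on one check: whether the SIDs shown by `net groupmap list` hang off the local machine SID (PINKFLOYD) or the domain SID (MEDITECH), and whether each entry is still mapped to `-1`. The POSIX shell script below is an added example, not code from the thread or from the Samba project. It parses sample output modelled on the `net getdomainsid` and `net groupmap list` listings above (the sample text is constructed inline, with one extra "Unix Admins" line standing in for the result of the poster's fix, and the RID 1001 on that line is an assumed value) and classifies every mapping as local, domain or builtin so that an unmapped or wrongly-rooted entry is obvious before anyone touches `net groupmap`.

```shell
#!/bin/sh
# Audit Samba group mappings: which SID domain does each entry belong to,
# and is it actually mapped to a Unix group?  Added example; the two
# variables below hold constructed text in the format `net getdomainsid`
# and `net groupmap list` print (SIDs taken from the thread, the
# "Unix Admins" line and its RID 1001 are assumed).
GETDOMAINSID_OUT='SID for domain PINKFLOYD is: S-1-5-21-3074351591-431869502-3764789074
SID for domain MEDITECH is: S-1-5-21-1698397751-1239680928-390482200'

GROUPMAP_OUT='Domain Admins (S-1-5-21-3074351591-431869502-3764789074-512) -> -1
Domain Users (S-1-5-21-3074351591-431869502-3764789074-513) -> -1
Administrators (S-1-5-32-544) -> -1
Unix Admins (S-1-5-21-3074351591-431869502-3764789074-1001) -> wheel'

# domain_sid NAME: print the SID that `net getdomainsid` reports for NAME.
# On a real box replace GETDOMAINSID_OUT with: net getdomainsid
domain_sid() {
  printf '%s\n' "$GETDOMAINSID_OUT" | awk -v d="$1" '$4 == d { print $6 }'
}

# classify_sid SID LOCAL_SID DOMAIN_SID: say which authority issued SID.
# A group that lives under the local machine SID is a local SAM group
# (what the poster saw), not a domain group, even if it has a domain-like name.
classify_sid() {
  sid=$1; local_sid=$2; dom_sid=$3
  case "$sid" in
    "$local_sid"-*) echo local ;;
    "$dom_sid"-*)   echo domain ;;
    S-1-5-32-*)     echo builtin ;;
    *)              echo other ;;
  esac
}

# groupmap_audit: one tab-separated line per mapping: name, SID class, state.
# "-1" on the right-hand side of `net groupmap list` means no Unix group yet.
groupmap_audit() {
  local_sid=$(domain_sid PINKFLOYD)
  dom_sid=$(domain_sid MEDITECH)
  printf '%s\n' "$GROUPMAP_OUT" | while IFS= read -r line; do
    name=${line%% (*}          # text before " ("
    rest=${line#* (}           # text after " ("
    sid=${rest%%)*}            # up to the closing paren
    target=${line##*-> }       # Unix group, or -1 when unmapped
    class=$(classify_sid "$sid" "$local_sid" "$dom_sid")
    if [ "$target" = "-1" ]; then
      state=unmapped
    else
      state="mapped to $target"
    fi
    printf '%s\t%s\t%s\n' "$name" "$class" "$state"
  done
}

groupmap_audit
```

Run against real output, replace the two variables with `$(net getdomainsid)` and `$(net groupmap list)`; every entry reported as `local` is a group rooted in the machine's own SID, which is exactly why `net groupmap add ntgroup="Unix Admin"` on its own cannot pick up a domain group, and why the working recipe first creates a local group and then nests the domain group inside it.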