-----Original Message-----
From: Rune Tønnesen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 2 May 2007 14:51
To: Gianluca Culot
Cc: samba@lists.samba.org
Subject: Re: R: [Samba] duplicate group in NET GROUPMAP LIST

Hi Gianluca

Do you have more than one password backend, e.g. both smbpasswd and tdbsam or ldapsam?

--
Rune Tønnesen
Venlig Hilsen/Best Regards

>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On behalf of John H Terpstra
>> Sent: Wednesday, 2 May 2007 14:07
>> To: samba@lists.samba.org
>> Subject: Re: [Samba] duplicate group in NET GROUPMAP LIST
>>
>>
>> On Wednesday 02 May 2007 04:58, Gianluca Culot wrote:
>> > Hi List
>> >
>> > I'm experiencing a strange behaviour on my samba server
>> >
>> > the group "Domain Users" (and other builtin groups from my AD servers)
>> > appears to have a duplicated SID
>> >
>> > here is the output of
>> >
>> > mail# > net groupmap list
>> > System Operators (S-1-5-32-549) -> -1
>> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
>> > Replicators (S-1-5-32-552) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
>> > Guests (S-1-5-32-546) -> -1
>> > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
>> > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
>> > Power Users (S-1-5-32-547) -> -1
>> > Print Operators (S-1-5-32-550) -> -1
>> > Administrators (S-1-5-32-544) -> -1
>> > Account Operators (S-1-5-32-548) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
>> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
>> > Backup Operators (S-1-5-32-551) -> -1
>> > Users (S-1-5-32-545) -> -1
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
>> > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
>> >
>> >
>> > and in /var/log/messages
>> > May 2 11:00:05 mail winbindd[23804]: [2007/05/02 11:00:05, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(476)
>> > May 2 11:00:05 mail winbindd[23804]: rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-549
>> >
>> > which appears to be a group in the BUILTIN group from the AD server
>> >
>> > The strange fact is that Domain Users appears to have TWO SIDs
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
>> > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
>> >
>> > The first appears to be correctly mapped to the local users group;
>> > the latter has no mapping (-1)
>> >
>> > That appears really odd to me....
>> >
>> > Can somebody explain this old fact to me?
>> >
>> > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
>> > perfectly and every user can authenticate correctly on every service with
>> > his/her own AD domain user and password
>> >
>> > Any Hint?
>> > PLEASE !?!
>>
>> Execute
>> net groupmap cleanup
>>
>> then reset your mappings.
>>
>> - John T.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/listinfo/samba
>>
>
> Looks like
> net groupmap cleanup
> has no effect on my system
>
> Here is the copy of the actions from my terminal
>
> mail# /home > net groupmap delete ntgroup="domain users"
> Sucessfully removed domain users from the mapping db
>
> mail# /home > net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
>
> mail# /home > net groupmap cleanup
> Group Domain Guests is not mapped
> Group Domain Users is not mapped
> Group Domain Admins is not mapped
>
> mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> No rid or sid specified, choosing algorithmic mapping
> Successfully added group Domain Users to the mapping db
>
> mail# /home > net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> Replicators (S-1-5-32-552) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> Guests (S-1-5-32-546) -> -1
> BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> mail# /home >
>
>
> Maybe Domain Users is NOT to be mapped?
> Is it of any use mapping Domain Users and Users? I would say YES as I want to
> set permissions based on AD groups
>

NO

Just one password backend at the moment (and I DO not plan to have more than one domain!)

My current smb.conf is

[global]
    workgroup = dmsware
    netbios name = mail
    #os level = 20
    # we will never be master or slave browser as we are on a firewalled net
    preferred master = no
    server string = mail.dmsware.it Samba Shares
    realm = dmsware.it
    security = ADS
    password server = orion.dmsware.it
    winbind cache time = 3600
    winbind use default domain = Yes
    winbind nested groups = Yes
    # -antares- winbind enum users = Yes
    # -antares- winbind enum groups = Yes
    allow trusted domains = Yes
    #idmap domains = DMSWARE
    idmap config DMSWARE:backend = rid
    idmap config DMSWARE:base_rid = 1000
    idmap config DMSWARE:range = 10000 - 49999
    #idmap backend = idmap_rid:DMSWARE=1000-20000
    idmap gid = 10000-49999
    idmap uid = 10000-49999
    # -antares- winbind uid = 10000-20000
    # -antares- winbind gid = 10000-20000
    template homedir = /home/%U
    template shell = /bin/sh
    # -antares- template primary group = "Domain Users"
    syslog only = Yes
    # -antares- log file = /var/log/samba/log.%m
    encrypt passwords = yes
    add group script = /usr/sbin/groupadd %g
    delete group script = /usr/sbin/pw groupdel %g
    add user script = /usr/sbin/pw useradd %u
    delete user script = /usr/sbin/pw userdel %u

Thanks
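
A check for the symptom discussed in this thread, as an added example that is not part of the original messages or of Samba itself: it parses `net groupmap list` output, reports NT group names that appear with more than one SID (marking the entry that carries the well-known domain RID), and lists entries with no Unix mapping (-1). The sample input is constructed from lines quoted in the thread; the function and constant names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `net groupmap list` lines quoted in the thread.
SAMPLE = """\
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
"""

# Line shape: "<NT group name> (<SID>) -> <unix group, gid, or -1>"
ENTRY = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-\d+(?:-\d+)+)\) -> (?P<unix>\S+)$")
# Well-known RIDs that Windows assigns to these groups in every domain.
WELL_KNOWN_RIDS = {"512": "Domain Admins", "513": "Domain Users", "514": "Domain Guests"}


def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; lines in another shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries


def audit(entries):
    """Return (duplicates, unmapped): names seen with several SIDs, and -1 entries."""
    by_name = defaultdict(list)
    for name, sid, unix in entries:
        rid = sid.rsplit("-", 1)[1]
        well_known = sid.startswith("S-1-5-21-") and WELL_KNOWN_RIDS.get(rid) == name
        by_name[name].append((sid, unix, well_known))
    duplicates = {n: v for n, v in by_name.items() if len({s for s, _, _ in v}) > 1}
    unmapped = [(n, s) for n, s, u in entries if u == "-1"]
    return duplicates, unmapped


if __name__ == "__main__":
    dups, unmapped = audit(parse_groupmap(SAMPLE))
    for name, rows in dups.items():
        for sid, unix, wk in rows:
            print(f"{name}: {sid} -> {unix}" + (" [well-known RID]" if wk else ""))
    print(f"{len(unmapped)} entries without a Unix group")
```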