On Wednesday 02 May 2007 10:21, Gianluca Culot wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] on behalf of Gianluca Culot
> > Sent: Wednesday 2 May 2007 15.09
> > To: samba@lists.samba.org
> > Subject: R: R: [Samba] duplicate group in NET GROUPMAP LIST
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] on behalf of John H Terpstra
> > > Sent: Wednesday 2 May 2007 14.56
> > > To: samba@lists.samba.org
> > > Subject: Re: R: [Samba] duplicate group in NET GROUPMAP LIST
> > >
> > > On Wednesday 02 May 2007 07:40, Gianluca Culot wrote:
> > > > ...
> > > >
> > > > > > the strange fact is the Domain Users appear to have a TWO sids
> > > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801)
> > > > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513)
> > > > > >
> > > > > > The first appear to be correctly mapped to the local users group
> > > > > > the latter has no mapping (-1)
> > > > > >
> > > > > > that's to me appears really odd....
> > > > > >
> > > > > > Can somebody explain me this old fact ?
> > > > > >
> > > > > > My actual Samba server (with smtp, pop3, winbind, sshd, apache21) works
> > > > > > perfectly and every user can authenticate correctly on every service with
> > > > > > his/her own AD domain user and password
> > > > > >
> > > > > > Any Hint?
> > > > > > PLEASE !?!
> > > > >
> > > > > Execute
> > > > > net groupmap cleanup
> > > > >
> > > > > then reset your mappings.
> > > > >
> > > > > - John T.
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions: https://lists.samba.org/mailman/listinfo/samba
> > > >
> > > > Looks like
> > > > net groupmap cleanup
> > > > has no effect on my system
> > > >
> > > > here is the copy of action from my terminal
> > > >
> > > > mail# /home > net groupmap delete ntgroup="domain users"
> > > > Sucessfully removed domain users from the mapping db
> > > >
> > > > mail# /home > net groupmap list
> > > > System Operators (S-1-5-32-549) -> -1
> > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > > Replicators (S-1-5-32-552) -> -1
> > > > Guests (S-1-5-32-546) -> -1
> > > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > > > Power Users (S-1-5-32-547) -> -1
> > > > Print Operators (S-1-5-32-550) -> -1
> > > > Administrators (S-1-5-32-544) -> -1
> > > > Account Operators (S-1-5-32-548) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > > Backup Operators (S-1-5-32-551) -> -1
> > > > Users (S-1-5-32-545) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > >
> > > > mail# /home > net groupmap cleanup
> > > > Group Domain Guests is not mapped
> > > > Group Domain Users is not mapped
> > > > Group Domain Admins is not mapped
> > > >
> > > > mail# /home > net groupmap add ntgroup="Domain Users" unixgroup="users" type=b
> > > > No rid or sid specified, choosing algorithmic mapping
> > > > Successfully added group Domain Users to the mapping db
> > > >
> > > > mail# /home > net groupmap list
> > > > System Operators (S-1-5-32-549) -> -1
> > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-514) -> -1
> > > > Replicators (S-1-5-32-552) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
> > > > Guests (S-1-5-32-546) -> -1
> > > > BUILTIN (S-1-5-21-531635747-2076120898-3807014553-2001) -> 500
> > > > Domain Guests (S-1-5-21-531635747-2076120898-3807014553-132069) -> nobody
> > > > Power Users (S-1-5-32-547) -> -1
> > > > Print Operators (S-1-5-32-550) -> -1
> > > > Administrators (S-1-5-32-544) -> -1
> > > > Account Operators (S-1-5-32-548) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-3001) -> 1000
> > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
> > > > Backup Operators (S-1-5-32-551) -> -1
> > > > Users (S-1-5-32-545) -> -1
> > > > Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> > > > Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
> > > > mail# /home >
> > > >
> > > > Maybe Domain Users is NOT to be mapped ?
> > > > is of any use mapping Domain Users and Users ? I would say YES as I want to
> > > > set permissions based on AD groups
> > >
> > > What version of Samba do you have?
> > >
> > > For now, stop Samba, remove the group_mapping.tdb file, then remap your
> > > groups. In the long run suggest you update to the latest release.
> > >
> > > - John T.
> >
> > Sorry... I forgot
> >
> > I'm running Samba 3.0.14a
> >
> > mail# /home > pkg_info | grep samba
> > samba-3.0.14a_1,1 A free SMB and CIFS client and server for UNIX
> >
> > here is the smb.conf
> > [global]
> >
> > workgroup = dmsware
> > netbios name = mail
> > #os level = 20 # we will never be master or slave browser as we are on a firewalled net
> > preferred master = no
> > server string = mail.dmsware.it Samba Shares
> >
> > realm = dmsware.it
> > security = ADS
> > password server = orion.dmsware.it
> >
> > winbind cache time = 3600
> > winbind use default domain = Yes
> > winbind nested groups = Yes
> > # -antares- winbind enum users = Yes
> > # -antares- winbind enum groups = Yes
> >
> > allow trusted domains = Yes
> > #idmap domains = DMSWARE
> > idmap config DMSWARE:backend = rid
> > idmap config DMSWARE:base_rid = 1000
> > idmap config DMSWARE:range = 10000 - 49999
> >
> > #idmap backend = idmap_rid:DMSWARE=1000-20000
> >
> > idmap gid = 10000-49999
> > idmap uid = 10000-49999
> > # -antares- winbind uid = 10000-20000
> > # -antares- winbind gid = 10000-20000
> >
> > template homedir = /home/%U
> > template shell = /bin/sh
> > # -antares- template primary group = "Domain Users"
> > syslog only = Yes
> > # -antares- log file = /var/log/samba/log.%m
> >
> > encrypt passwords = yes
> >
> > add group script = /usr/sbin/groupadd %g
> > delete group script = /usr/sbin/pw groupdel %g
> > add user script = /usr/sbin/pw useradd %u
> > delete user script = /usr/sbin/pw userdel %u
> >
> >
> > My current configuration is
> >
> > FreeBsd 6
> > Samba 3.0.14a
> > Dovecot 1.0.0
> > postfix 2.3.5
> > cyrus-sasl 2.1.22 with saslAuth
> > openssl 0.9.7i stable
> >
> > currently the system is serving as
> > authenticated SMTP/pop3
> > Webmail
> > File Server (samba is both used for authentication and file sharing) for
> > file-retrieval from client ftp uploads
> >
> > I'm not again patching... but as everything works fine... and the system is
> > critical...
> >
> > Thanks for your time
>
> After some analysis
>
> look like Samba is not going to resolve / map groups from SID 512 to 999
> manual mapping (net groupmap add) causes a sort duplication
> I mean
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
> is not mapped
>
> but if I issue
> net groupmap add ntgroup="Domain Users" unixgroup="users" type=d
>
> this results in
>
> net groupmap list
> Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
>
> looks like Samba created another Domain Users group in AD.
> Yet... no other group is created
> and trying to resolve the given SID results in error
>
> wbinfo -S S-1-5-21-531635747-2076120898-3807014553-2801
> Could not convert sid S-1-5-21-531635747-2076120898-3807014553-2801 to uid
>
> Am I missing something... ???

Yes - you are!

Do NOT add a second NT Group - ever!

The "net groupmap modify" was introduced in one of the recent releases. Suggest you update if you can.

Delete the group_mapping.tdb again, and this time MODIFY the group that is created by 3.0.14 as follows:

net groupmap modify ntgroup="Domain Users" unixgroup="users"

- John T.
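
An added example, not part of the thread and not Samba code: a small Python check that parses `net groupmap list` output in the format quoted above and reports NT group names listed under more than one SID, the symptom discussed here. The sample input is constructed from lines quoted in the thread, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample, using the line format of the `net groupmap list` output in the thread.
SAMPLE = """\
Domain Users (S-1-5-21-531635747-2076120898-3807014553-2801) -> users
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-531635747-2076120898-3807014553-513) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-512) -> -1
Domain Admins (S-1-5-21-531635747-2076120898-3807014553-1001) -> wheel
Users (S-1-5-32-545) -> -1
"""

# "<NT group name> (<SID>) -> <unix group, gid, or -1>"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)\s*$")


def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; unix_group is None when unmapped (-1)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines and anything that is not a mapping row
        unix = None if m["unix"] == "-1" else m["unix"]
        entries.append((m["name"], m["sid"], unix))
    return entries


def find_duplicates(entries):
    """Group by case-insensitive NT name; keep names that appear with more than one SID."""
    by_name = defaultdict(list)
    for name, sid, unix in entries:
        by_name[name.lower()].append((sid, unix))
    return {n: rows for n, rows in by_name.items() if len({s for s, _ in rows}) > 1}


def report(text):
    """List (name, rid, unix_group) for every row of a duplicated NT group name."""
    findings = []
    for name, rows in sorted(find_duplicates(parse_groupmap(text)).items()):
        for sid, unix in rows:
            rid = int(sid.rsplit("-", 1)[1])  # last SID component is the RID
            findings.append((name, rid, unix))
    return findings


if __name__ == "__main__":
    for name, rid, unix in report(SAMPLE):
        print(f"{name}: RID {rid} -> {unix or 'UNMAPPED'}")
```

Any name it reports has one row carrying the Unix mapping and another row left at -1, which is the state shown in the listings above.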