Hi Herman.

This is really helpful information, but I am not able to understand why in a Builtin group we can't see a mapping for a normal user, since, if we look, Builtin is also an OU and we have some Builtin users and groups in it.

If I create an OU and groups or users in it, then I can see all of those, but just not with Builtin.

Feel free to correct me if you find I am wrong.

Thanks for your interest in this.
Regards,
Kaustubh.


herman wrote:
Kaustubh Chaudhari wrote:
     Hi all,

   When I create a group in AD and add users to it, then with
   #getent group I can see the group and its members properly.

   But if I add a user to BUILTIN, say the BUILTIN Guests group, then I don't see
   its members.
   ==
    kktest:x:10026:kk,Administrator
    BUILTIN+Guests:x:10019:
   ==

   Here I have added the kk user to both the kktest and BUILTIN+Guests groups. But I
   can't see kk associated with BUILTIN Guests.

   I know that BUILTIN groups have SIDs predefined by Microsoft, and their
   mapping is done separately. (I found this in idmap.c)

   Is this a normal behavior?

   Would appreciate if someone can explain the reasons for this.

   Regards,
   Kaustubh.
In general you need to define an Organizational Unit (OU), then define your groups and users inside that OU. It should then show up with Samba winbind.

Some don'ts:
Don't rename anything.
Don't drag and drop anything from one OU to another OU.
Don't make a user in one OU a member of a group in another OU.
It is even not a good idea to delete anything.
If you need to fix a typing mistake, define a new record - don't try to edit the mistake.
Make frequent backups of ADS.

Some dos:
Apply security policies to OUs, not to users.
Run ADS on VMware, so that you can take snapshots as backups.

The reason for the above cautions is that ADS (mostly) works using the GUIDs, while Samba uses the text strings. So you don't want to get in a situation where ADS re-uses an old GUID and changes to text strings are applied inconsistently, which confuses winbind, so changing any text string after it has been defined can also screw things up.

'Hope that helps!

Herman
