LinuxQuestions.org


kenji1903 07-21-2004 11:53 PM

Map Windows NT Groups to UNIX Groups - why?
 
Code:

#!/bin/bash
#
# initGrps.sh
#

# Create UNIX groups
groupadd acctsdep
groupadd finsrvcs

# Map Windows Domain Groups to UNIX groups
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

# Add Functional Domain Groups
net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d

# Map Windows NT machine local groups to local UNIX groups
net groupmap modify ntgroup="Administrators" unixgroup=sys
net groupmap modify ntgroup="Users" unixgroup=public
net groupmap modify ntgroup="Guests" unixgroup=nobody
net groupmap modify ntgroup="System Operators" unixgroup=daemon
net groupmap modify ntgroup="Account Operators" unixgroup=wheel
net groupmap modify ntgroup="Backup Operators" unixgroup=bin
net groupmap modify ntgroup="Print Operators" unixgroup=lp
net groupmap modify ntgroup="Replicators" unixgroup=kmem
net groupmap modify ntgroup="Power Users" unixgroup=ntadmin

6. Q: Why must I map Windows Domain Groups to UNIX groups?
A: Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are: Domain Guests, Domain Users, Domain Admins.

I got this snippet from www.samba.org, entitled "Samba-3 by Example"

I managed to get Samba working with domain logons without running any of the above. Is it related?

MS3FGX 07-22-2004 02:59 AM

You only need to do that if you want to have your Windows users organized by groups and have group permissions.

kenji1903 07-22-2004 06:45 AM

Thanks for the reply! :)

Are the last few lines of my /var/log/messages related to this issue?


Code:

Jul 20 15:05:22 redhat32 smbd[4888]: [2004/07/20 15:05:22, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
Jul 20 15:05:22 redhat32 smbd[4888]:  failed to decode PDU
Jul 20 15:05:22 redhat32 smbd[4888]: [2004/07/20 15:05:22, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Jul 20 15:05:22 redhat32 smbd[4888]:  process_request_pdu: failed to do schannel processing.
Jul 20 15:05:23 redhat32 smbd[4888]: [2004/07/20 15:05:23, 0] smbd/service.c:set_current_service(56)
Jul 20 15:05:23 redhat32 smbd[4888]:  chdir (/home/samba/netlogon) failed
Jul 20 15:05:24 redhat32 smbd[4888]: [2004/07/20 15:05:24, 0] smbd/service.c:set_current_service(56)
Jul 20 15:05:24 redhat32 smbd[4888]:  chdir (/home/samba/netlogon) failed
Jul 20 15:05:33 redhat32 smbd[4888]: [2004/07/20 15:05:33, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
Jul 20 15:05:33 redhat32 smbd[4888]:  get_domain_user_groups: primary gid of user [redhat32admin] is not a Domain group !
Jul 20 15:05:33 redhat32 smbd[4888]:  get_domain_user_groups: You should fix it, NT doesn't like that


kenji1903 07-24-2004 11:13 PM

*bump*

Medievalist 10-16-2007 12:52 PM

Yes, that's the "NT doesn't like that" error.
 
Map the group the log is whinging about, and you will not only eliminate that error message, you will significantly speed up the login process for the client machine.
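
Added example, not part of the thread or of the Samba documentation: a shell check that pulls the users smbd flagged with the "not a Domain group" message and lists every account whose primary UNIX group is not the target of any group mapping. It assumes the `net groupmap list` output has been saved to a file in its `NT Group (SID) -> unixgroup` form; the SIDs, the passwd/group entries and the guess that redhat32admin has a private primary group of the same name are constructed.

```shell
#!/bin/sh
# Added example. The log line is copied from the thread; all other data is constructed.

# Users that smbd flagged with "primary gid ... is not a Domain group" (log on stdin).
flagged_users() {
    sed -n 's/.*primary gid of user \[\([^]]*\)] is not a Domain group.*/\1/p' | sort -u
}

# unmapped_primary GROUPMAP GROUP PASSWD
# GROUPMAP: saved `net groupmap list` output; GROUP and PASSWD: getent-style files.
# Prints "user:group" for each account whose primary group is not a mapping target.
unmapped_primary() {
    awk '
        FNR == 1 { f++ }                                   # next input file
        f == 1 { if (split($0, a, " -> ") == 2) mapped[a[2]] = 1; next }
        f == 2 { split($0, a, ":"); gname[a[3]] = a[1]; next }
        {
            split($0, a, ":")                              # passwd: field 4 = primary gid
            g = (a[4] in gname) ? gname[a[4]] : "gid=" a[4]
            if (!(g in mapped)) print a[1] ":" g
        }
    ' "$1" "$2" "$3"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/smbd.log" <<'EOF'
Jul 20 15:05:33 redhat32 smbd[4888]:  get_domain_user_groups: primary gid of user [redhat32admin] is not a Domain group !
EOF
# Placeholder SIDs; mappings mirror the "modify" lines of initGrps.sh.
cat > "$tmp/groupmap" <<'EOF'
Domain Admins (S-1-5-21-X-Y-Z-512) -> root
Domain Users (S-1-5-21-X-Y-Z-513) -> users
Domain Guests (S-1-5-21-X-Y-Z-514) -> nobody
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
users:x:100:
redhat32admin:x:500:
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:501:100::/home/alice:/bin/bash
redhat32admin:x:500:500::/home/redhat32admin:/bin/bash
EOF

echo "flagged in log:";           flagged_users < "$tmp/smbd.log"
echo "primary group not mapped:"; unmapped_primary "$tmp/groupmap" "$tmp/group" "$tmp/passwd"
```

On a live server the three files would come from `net groupmap list`, `getent group` and `getent passwd`. The same listing is worth reviewing for which UNIX group each NT group lands on, since members of a mapped domain group get that UNIX group's file permissions.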

