Map Windows NT Groups to UNIX Groups

kenji1903 · 07-21-2004, 10:53 PM

Code:

#!/bin/bash
#
# initGrps.sh
#

# Create UNIX groups
groupadd acctsdep
groupadd finsrvcs

# Map Windows Domain Groups to UNIX groups
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

# Add Functional Domain Groups
net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d

# Map Windows NT machine local groups to local UNIX groups
net groupmap modify ntgroup="Administrators" unixgroup=sys
net groupmap modify ntgroup="Users" unixgroup=public
net groupmap modify ntgroup="Guests" unixgroup=nobody
net groupmap modify ntgroup="System Operators" unixgroup=daemon
net groupmap modify ntgroup="Account Operators" unixgroup=wheel
net groupmap modify ntgroup="Backup Operators" unixgroup=bin
net groupmap modify ntgroup="Print Operators" unixgroup=lp
net groupmap modify ntgroup="Replicators" unixgroup=kmem
net groupmap modify ntgroup="Power Users" unixgroup=ntadmin

6. Q: Why must I map Windows Domain Groups to UNIX groups?
A: Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are: Domain Guests, Domain Users, Domain Admins.

I got this snippet from www.samba.org, entitled "Samba-3 by Example"

I manage to get Samba working with domain logons without running anything from above, is it related?

MS3FGX · 07-22-2004, 01:59 AM

You only need to do that if you want to have your Windows users organized by groups and have group permissions.

kenji1903 · 07-22-2004, 05:45 AM

Thanks for the reply!

Are the last few lines of my /var/log/messages related to this issue?

Code:

Jul 20 15:05:22 redhat32 smbd[4888]: [2004/07/20 15:05:22, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1397) 
Jul 20 15:05:22 redhat32 smbd[4888]:   failed to decode PDU 
Jul 20 15:05:22 redhat32 smbd[4888]: [2004/07/20 15:05:22, 0] rpc_server/srv_pipe_hnd.crocess_request_pdu(605) 
Jul 20 15:05:22 redhat32 smbd[4888]:   process_request_pdu: failed to do schannel processing. 
Jul 20 15:05:23 redhat32 smbd[4888]: [2004/07/20 15:05:23, 0] smbd/service.c:set_current_service(56) 
Jul 20 15:05:23 redhat32 smbd[4888]:   chdir (/home/samba/netlogon) failed 
Jul 20 15:05:24 redhat32 smbd[4888]: [2004/07/20 15:05:24, 0] smbd/service.c:set_current_service(56) 
Jul 20 15:05:24 redhat32 smbd[4888]:   chdir (/home/samba/netlogon) failed 
Jul 20 15:05:33 redhat32 smbd[4888]: [2004/07/20 15:05:33, 0] rpc_server/srv_util.c:get_domain_user_groups(376) 
Jul 20 15:05:33 redhat32 smbd[4888]:   get_domain_user_groups: primary gid of user [redhat32admin] is not a Domain group ! 
Jul 20 15:05:33 redhat32 smbd[4888]:   get_domain_user_groups: You should fix it, NT doesn't like that

kenji1903 · 07-24-2004, 10:13 PM

*bump*

Medievalist · 10-16-2007, 11:52 AM

Map the group the log is whinging about, and you will not only eliminate that error message, you will significantly speed up the login process for the client machine.