LinuxQuestions.org

Linux - Server: Samba Domain Admins and Group Mapping (https://www.linuxquestions.org/questions/linux-server-73/samba-domain-admins-and-group-mapping-762900/)

Lee_Ball 10-19-2009 03:18 AM

Samba Domain Admins and Group Mapping
 
Got an odd issue which I think is down to me making a mistake, anyway. Got Samba set up as a PDC and root is mapped to Administrator as normal.

Now, when I add a computer to the domain I normally have to then add the Domain Admins account or the Domain Administrator account itself to the Local Administrators group.

That's fine, I'd prefer not to have to do this but it's not such a hardship once it's done. The problem I have is that the Domain Admins group appears to actually be mapped to my Administrator/Root account. So basically I type Domain Admins into the Add User to Group screen and once I've applied it, I can see on screen it's actually resolved it to the root account.

I may have gotten my group mappings incorrect, here is what I think you may need:

Code:

net groupmap list
Domain Users (S-1-5-21-1184068300-3041206941-2639641889-1003) -> staff
Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-1000) -> ntadmins

/etc/group
ntadmins:x:501:root

What am I missing? I've been looking at these pages to get this far:

http://ubuntuforums.org/showthread.php?t=624901
The above link references:
http://support.microsoft.com/kb/243330


The other problem I'm having which I think may be related is this error:

Quote:
[2009/10/16 09:24:14, 0] auth/auth_util.c:create_builtin_users(810)
create_builtin_users: Failed to create Users
[2009/10/16 09:24:18, 0] auth/auth_util.c:create_builtin_administrators(844)
create_builtin_administrators: Failed to create Administrators


Everything appears to be working for people logging in and off, roaming profiles etc. These issues make me think it's not quite right. And I did seem to rush the setup a little, but now I'm stumped.

testparm runs cleanly too.

rupertwh 10-25-2009 01:05 PM

Quote:

Originally Posted by Lee_Ball (Post 3724617)
net groupmap list
Domain Users (S-1-5-21-1184068300-3041206941-2639641889-1003) -> staff
Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-1000) -> ntadmins

These SIDs (or, more precisely the RIDs -1003 and -1000) don't look right, and also you are missing some standard groups.
This is how it looks here:
Code:

sudo net groupmap list
Domain Guests (S-1-5-21-2249633572-1156581989-1332253273-514) -> Domain Guests
Domain Computers (S-1-5-21-2249633572-1156581989-1332253273-515) -> machines
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
Domain Users (S-1-5-21-2249633572-1156581989-1332253273-513) -> domusers
Domain Admins (S-1-5-21-2249633572-1156581989-1332253273-512) -> domadmins

AFAIK those -5xx RIDs are 'well known' and have to be exactly those numbers. That is how the Windows workstation knows the groups' special roles (Admins, guests, etc.).

Lee_Ball 10-25-2009 04:36 PM

Isn't part of the RID the Domain ID? I realised I'd directly mapped the Domain Admin to root. I then remapped them to a much shorter ID, which I don't have to hand at the moment. Windows doesn't even find it when searching to add domain groups to local groups.

I'll list the IDs I mapped them to here tomorrow and try and remap them with yours, but I think I might be getting it wrong.

rupertwh 10-25-2009 05:39 PM

The long part is the domain, the last part identifies an object in the domain (i.e. a group, a user, a machine or whatever).

Code:

'S-1-5-21-2249633572-1156581989-1332253273-512'
|----| |----------- Domain ID -----------| |-|
stuff                                      RID

|---------------------- SID -----------------|

When I wrote:
Quote:

..and have to be exactly those numbers
I meant *only* the last part, the RID.

See also: SID on Wikipedia
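Added example, not from the thread: a small Python audit of `net groupmap list` output that checks the well-known RIDs rupertwh describes (512-515 under the domain SID, 544-552 under S-1-5-32). The group names and RID table are standard Windows values; the sample lines are constructed from the mappings quoted in this thread, and the function names are my own.

```python
"""Audit `net groupmap list` output for well-known RIDs (constructed sample input)."""
import re

# Well-known RIDs Windows clients expect for domain groups
# (S-1-5-21-<domain>-<rid>) and for built-in aliases (S-1-5-32-<rid>).
DOMAIN_RIDS = {"Domain Admins": 512, "Domain Users": 513,
               "Domain Guests": 514, "Domain Computers": 515}
BUILTIN_RIDS = {"Administrators": 544, "Users": 545, "Guests": 546,
                "Account Operators": 548, "Print Operators": 550,
                "Backup Operators": 551, "Replicators": 552}

# One line of `net groupmap list`: NT name (SID) -> unix group
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>.+)$")

# Constructed from the mappings quoted in the thread
SAMPLE = """\
Domain Users (S-1-5-21-1184068300-3041206941-2639641889-1003) -> staff
Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-1000) -> ntadmins
Administrators (S-1-5-32-544) -> ntadmins
"""


def parse_sid(sid):
    """Split a SID into (authority+domain part, RID): 'S-1-5-32-544' -> ('S-1-5-32', 544)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def audit_groupmap(text):
    """Return (ntgroup, sid, problem) for each mapping a Windows client will not recognise."""
    problems = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt lines, blank lines, etc.
        name, sid = m.group("name"), m.group("sid")
        domain, rid = parse_sid(sid)
        if name in DOMAIN_RIDS:
            if not domain.startswith("S-1-5-21-"):
                problems.append((name, sid, "domain group not under the domain SID"))
            elif rid != DOMAIN_RIDS[name]:
                problems.append((name, sid, f"RID {rid} should be {DOMAIN_RIDS[name]}"))
        elif name in BUILTIN_RIDS and sid != f"S-1-5-32-{BUILTIN_RIDS[name]}":
            problems.append((name, sid, f"should be S-1-5-32-{BUILTIN_RIDS[name]}"))
    return problems


if __name__ == "__main__":
    for name, sid, problem in audit_groupmap(SAMPLE):
        print(f"{name}: {sid}: {problem}")
```

Pipe the real output in with `net groupmap list | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; any line it reports is a group the workstation will not treat as the role its name suggests.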

Lee_Ball 10-26-2009 10:49 AM

Then these are probably wrong:

Code:

[root@server ~]# net groupmap list
Administrators (S-1-5-32-544) -> ntadmins
accounts (S-1-5-21-1184068300-3041206941-2639641889-1012) -> accounts
Users (S-1-5-32-545) -> staff
Added:

Got this now, will have to try it next time I'm on a client PC:
Code:

Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-512) -> ntadmins