Samba Domain Admins and Group Mapping

Lee_Ball · 10-19-2009, 03:18 AM

Got an odd issue which I think it down to me making a mistake, anyway. Got Samba setup as a PDC and root is mapped to Administrator as normal.

Now, when I add a computer to the domain I normally have to then add the Domain Admins account or the Domain Administrator account itself to the Local Administrators group.

Thats fine, I'd prefer not to have to do this but its not such a hardship once its done. The problem I have is that the Domain Admins group appears to actually be mapped to my Administrator/Root account. So basically I type Domain Admins into the Add User to Group screen and once I've applied it, I can see on screen its actually resolved it to the root account.

I may have gotten my group mappings incorrect, here is what I think you may need:

net groupmap list
Domain Users (S-1-5-21-1184068300-3041206941-2639641889-1003) -> staff
Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-1000) -> ntadmins

/etc/group
ntadmins:x:501:root

What am I missing? I've been looking at these pages to get this far:

http://ubuntuforums.org/showthread.php?t=624901
the above link references:
http://support.microsoft.com/kb/243330

The other problem I'm having which I think may be related is this error:

Quote:
[2009/10/16 09:24:14, 0] auth/auth_util.c:create_builtin_users(810)
create_builtin_users: Failed to create Users
[2009/10/16 09:24:18, 0] auth/auth_util.c:create_builtin_administrators(844)
create_builtin_administrators: Failed to create Administrators

Everything appears to be working for people logging in and off, roaming profiles etc. These issues make me think its not quite right. And I did seem to rush the setup a little but now I'm stumped.

testparm runs cleanly too.

rupertwh · 10-25-2009, 01:05 PM

Quote:

Originally Posted by Lee_Ball

net groupmap list
Domain Users (S-1-5-21-1184068300-3041206941-2639641889-1003) -> staff
Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-1000) -> ntadmins

These SIDs (or, more precisely the RIDs -1003 and -1000) don't look right, and also you are missing some standard groups.
This is how it looks here:

Code:

sudo net groupmap list
Domain Guests (S-1-5-21-2249633572-1156581989-1332253273-514) -> Domain Guests
Domain Computers (S-1-5-21-2249633572-1156581989-1332253273-515) -> machines
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
Domain Users (S-1-5-21-2249633572-1156581989-1332253273-513) -> domusers
Domain Admins (S-1-5-21-2249633572-1156581989-1332253273-512) -> domadmins

AFAIK those -5xx RIDs are 'well known' and have to be exactly those numbers. That is how the Windows workstation knows the groups' special roles (Admins, guests, etc.).

Lee_Ball · 10-25-2009, 04:36 PM

Isn't part of the RID the Domain ID? I realised I'd directly mapped the Domain Admin to root. I then remapped them to a much shorter ID, which I don't have to hand at the moment. Windows doesn't even find it when searching to add domain groups to local groups.

I'll list the ID's I mapped them to here tomorrow and try and remap them with yours but I think I might be getting it wrong.

rupertwh · 10-25-2009, 05:39 PM

The long part is the domain, the last part identifies an object in the domain (i.e. a group, a user, a machine or whatever)

Code:

'S-1-5-21-2249633572-1156581989-1332253273-512'
|----| |----------- Domain ID -----------| |-|
stuff                                      RID

|---------------------- SID -----------------|

When I wrote:

Quote:

..and have to be exactly those numbers

I meant *only* the last part, the RID.

See also: SID on Wikipedia

Lee_Ball · 10-26-2009, 10:49 AM

Then these are probably wrong then:

Code:

[root@server ~]# net groupmap list
Administrators (S-1-5-32-544) -> ntadmins
accounts (S-1-5-21-1184068300-3041206941-2639641889-1012) -> accounts
Users (S-1-5-32-545) -> staff

Added:

Got this now, will have to try it next time I'm on a client PC:

Code:

Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-512) -> ntadmins