
We have an Active Directory where we get our users from, so authentication on the Linux machine works over PAM.

We managed to get this part working so far, but we need all users to be part of the local group "users". As far as I understand, this works with group mapping.

My SIDs are:

SID for local machine MYSERVER is: S-1-5-21-1487948860-3705201071-3703638889  
SID for domain MYDOMAIN is: S-1-5-21-1960408961-115176313-682003330

I created the group mapping with:

myserver:~# net groupmap add ntgroup="Domain Users" rid=513 unixgroup=users

The groupmapping looks like this:

myserver:~# net groupmap list -v

Domain Users
        SID       : S-1-5-21-1487948860-3705201071-3703638889-513
        Unix gid  : 100
        Unix group: users
        Group type: Domain Group
        Comment   : Domain Unix group
Administrators
        SID       : S-1-5-32-544
        Unix gid  : 10029
        Unix group: BUILTIN\administrators
        Group type: Local Group
        Comment   :
Users
        SID       : S-1-5-32-545
        Unix gid  : 12929
        Unix group: BUILTIN\users
        Group type: Local Group
        Comment   :

But when I log in as an AD user I am not in the group "users". All AD groups are shown correctly, and the groups "BUILTIN\users" and "BUILTIN\administrator" are shown as well, but there is no group "users".

I also tried

myserver:~# net groupmap delete ntgroup="Domain Users"
myserver:~# net groupmap delete ntgroup="Users"
myserver:~# net groupmap add ntgroup="Users" rid=545 unixgroup=users

But this seems to have no effect (smbd restart and winbindd restart executed). The user is still in the group "BUILTIN\users" and has no entry for "users".

I think I missed some important configuration step but don't know what this could be. Any help is highly appreciated!

We use Samba version 3.6.3 on SLES 11 with kernel 3.0.76.

==EDIT 07.04.2016 15:34==

I tried to map two non-standard groups. The AD group is grp_production, the local Linux group should be games.

myserver:~# net groupmap add ntgroup="grp_production" rid=20443 unixgroup=games

The result is:

myserver:~# net groupmap list -v
..
grp_production (S-1-5-21-1960408961-115176313-682003330-20443) -> games
..

Then I log in as a user (member of the AD group grp_production) on the Linux machine.

myserver:~# groups | grep games

No games group to find :-(

==EDIT 08.04.2016 07:39==

The only error I found in the logs was in /var/log/samba/log.winbindd-idmap:

[2016/04/07 13:54:25.146170,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_Sid2Gid: struct wbint_Sid2Gid
          in: struct wbint_Sid2Gid
              dom_name                 : NULL
              sid                      : *
                  sid                      : S-1-5-21-1960408961-115176313-682003330-28693
[2016/04/07 13:54:25.146221, 10] winbindd/idmap_util.c:234(idmap_sid_to_gid)
  idmap_sid_to_gid: sid = [S-1-5-21-1960408961-115176313-682003330-28693], domain = ''
[2016/04/07 13:54:25.146247, 10] winbindd/idmap.c:507(idmap_backends_sid_to_unixid)
  idmap_backends_sid_to_unixid: domain = '', sid = [S-1-5-21-1960408961-115176313-682003330-28693]
[2016/04/07 13:54:25.146267, 10] winbindd/idmap.c:376(idmap_find_domain)
  idmap_find_domain called for domain ''
[2016/04/07 13:54:25.146290,  1] winbindd/idmap.c:209(idmap_init_domain)
  invalid range '100' specified for domain '*'
[2016/04/07 13:54:25.146308, 10] winbindd/idmap_util.c:260(idmap_sid_to_gid)
  idmap_backends_sid_to_unixid failed: NT_STATUS_NONE_MAPPED
[2016/04/07 13:54:25.146330, 10] lib/gencache.c:183(gencache_set_data_blob)
  Adding cache entry with key = IDMAP/SID2GID/S-1-5-21-1960408961-115176313-682003330-28693 and timeout = Thu Apr  7 13:56:25 2016

I grepped all logs for "games" and "grp_production" with no result.

Alexander Baltasar
  • Please provide some information for the downvote reason. I put an immense effort into this question. If something is missing, please ask, I'll add it (as I already did many times) to the question. – Alexander Baltasar Apr 13 '16 at 13:07

2 Answers


They are well-known SIDs for builtin groups, but I think they can be offset if there is a domain trust; that is where there are 2 or more BUILTIN/users.

Can you verify the SID for the AD group in PowerShell:

Get-ADGroup -Identity users | select sid

See if there are any issues with listing users on the Samba server:

net usersidlist

One other thing: is the users group already mapped to something?

net groupmap list

If the group is already mapped to something then you don't pass the rid value; rid is used to 'add' a group, so drop the rid if you are just 'modifying':

net groupmap modify ntgroup='Domain Users' unixgroup='users'
Sum1sAdmin
  • All AD-Groups are imported and assigned to the right user under linux. All I need in addition is, that all "Domain Users" are in the linux local group "users". Your approach is exactly what I describe in my question. – Alexander Baltasar Apr 07 '16 at 12:02
  • I was pointing out that this command won't work: net groupmap add ntgroup="Users" rid=545 unixgroup=users - if the unix group 'users' is mapped to something already - can you show the output of net groupmap list? – Sum1sAdmin Apr 07 '16 at 12:15
  • I posted already net groupmap list – Alexander Baltasar Apr 07 '16 at 12:33
  • it would be useful to see logs for samba and winbind, have you looked in the users group and have you tried mapping to a non native group such as 'test'? – Sum1sAdmin Apr 07 '16 at 12:55
  • I added the test case with a non-native group. Which parts in the logs of winbind and samba are relevant? These files are too big to post here... – Alexander Baltasar Apr 07 '16 at 14:23
  • What happened in the test case - were members of domain users made members of the test group? - I would configure the log level to 'debug' in both services and then look in the logs for errors. – Sum1sAdmin Apr 07 '16 at 15:42

Your net groupmap add command added the local machine's SID prefix to your RID, so it actually mapped the "Domain Users" group of your local machine, which makes no sense.

Either tell the net command that your RID refers to the domain by specifying the appropriate type option:

net groupmap add ntgroup="Domain Users" rid=513 type=domain unixgroup=users

or specify the full SID:

net groupmap add ntgroup="Domain Users" sid=S-1-5-21-1960408961-115176313-682003330-513 unixgroup=users

You may have to delete the erroneous mapping first.

Tilman Schmidt
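The mismatch this answer describes (a mapping whose SID sits under the local machine SID instead of the domain SID) is easy to miss in `net groupmap list -v` output. The script below is an added example, not code from the question or answers: it takes the two SIDs from the question and classifies each mapping, flagging entries that belong to the local machine. The sample output is constructed from the question's listing; the entry for grp_production and its gid are assumed.

```shell
#!/bin/sh
# Added example: classify 'net groupmap list -v' entries by SID prefix so a
# mapping created under the wrong (local machine) SID stands out.

DOMAIN_SID="S-1-5-21-1960408961-115176313-682003330"  # from the question
LOCAL_SID="S-1-5-21-1487948860-3705201071-3703638889" # from the question

# Constructed sample in the Samba 3.x 'net groupmap list -v' layout.
SAMPLE='Domain Users
        SID       : S-1-5-21-1487948860-3705201071-3703638889-513
        Unix gid  : 100
        Unix group: users
        Group type: Domain Group
        Comment   : Domain Unix group
Users
        SID       : S-1-5-32-545
        Unix gid  : 12929
        Unix group: BUILTIN\users
        Group type: Local Group
        Comment   :
grp_production
        SID       : S-1-5-21-1960408961-115176313-682003330-20443
        Unix gid  : 60
        Unix group: games
        Group type: Domain Group
        Comment   :'

# classify_sid SID -> prints one of: domain, local, builtin, other
classify_sid() {
  case "$1" in
    "$DOMAIN_SID"-*) echo domain ;;
    "$LOCAL_SID"-*)  echo local ;;
    S-1-5-32-*)      echo builtin ;;
    *)               echo other ;;
  esac
}

# check_groupmap: reads 'net groupmap list -v' text on stdin and prints
# "<ntgroup> <unixgroup> <class>" per entry; exits 1 if any entry is
# mapped under the local machine SID (the bug described in the answer).
check_groupmap() {
  awk -v dom="$DOMAIN_SID" -v loc="$LOCAL_SID" '
    /^[^ \t]/       { name = $0; next }          # unindented line = group name
    /SID *:/        { sid = $3 }
    /Unix group *:/ { sub(/^[^:]*: */, ""); ug = $0
                      cls = "other"
                      if (index(sid, dom "-") == 1) cls = "domain"
                      else if (index(sid, loc "-") == 1) cls = "local"
                      else if (index(sid, "S-1-5-32-") == 1) cls = "builtin"
                      print name, ug, cls
                      if (cls == "local") bad = 1 }
    END { exit bad }'
}

printf '%s\n' "$SAMPLE" | check_groupmap || echo "mapping under the local machine SID found; recreate it with type=domain or the full domain SID"
```

On a real host, replace the sample with `net groupmap list -v | check_groupmap` and take the two SIDs from `net getlocalsid` and `net getdomainsid`.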