[Samba] group mappings pitfalls in samba 3

I have recently run across this problem and would like to warn people about it. I had an
already established domain running under Samba 2.2.8. I then upgraded to 3.0. I removed
the 'domain admin users = root' line from my smb.conf because certain tools complained
about it being there. After the upgrade, I followed the Samba 3 HOWTO docs on samba.org. I
created my domadm, domguests, and domusers groups. I used the command 'net groupmap add
ntgroup="Domain Admins" UNIXgroup=domadm' to map the groups together. This should have had
the same effect as having the 'domain admin users = root' line in 2.2.8, but whenever I
would logon to any computer in the domain with the user 'root', the user would be a
regular restricted user. I got output like this from 'net groupmap list':

System Operators (S-1-5-32-549) -> -1
Dispatch (S-1-5-21-124999916-2847287174-2328787173-1831) -> dispatch
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-124999916-2847287174-2328787173-1833) -> domusers
Domain Admins (S-1-5-21-124999916-2847287174-2328787173-1825) -> domadm
Domain Guests (S-1-5-21-124999916-2847287174-2328787173-1835) -> domguests
Mechanics (S-1-5-21-124999916-2847287174-2328787173-1827) -> mech
Instructors (S-1-5-21-124999916-2847287174-2328787173-1837) -> instructors
Accounting (S-1-5-21-124999916-2847287174-2328787173-1829) -> accounting
Domain Admins (S-1-5-21-124999916-2847287174-2328787173-512) -> -1
Domain Guests (S-1-5-21-124999916-2847287174-2328787173-514) -> -1
Domain Users (S-1-5-21-124999916-2847287174-2328787173-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Apparently, the default groups already existed, but were not used in the mapping. Instead,
new groups with the same name (but not the same GID) were created and mapped. So, my user
was in the Domain Admins group but not THE Domain Admins group. I'm not quite sure if this
is a flaw in the HOWTO or if this only happens when upgrading from 2.2.x. I was able to
fix this problem by deleting the group mappings and remapping with 'net groupmap modify
ntgroup="Domain Admins" UNIXgroup=domadm'. I just made these changes, but I am not on site
to test if they worked, but I have a hunch that they did.

--
Andrew Gaffney

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba