Linux computer (Debian) in a Windows Active Directory Domain, Administrator of AD should have root permission after login

Tags: active-directory, debian, groups, linux, winbind

I managed to join my Debian machine (Squeeze) to an existing Active Directory (MS Windows 2008 R2 Server). Everything works fine, I can login using accounts from the Active Directory (NTP, Kerberos, PAM, Samba, and Winbind are all configured and seem to be in good shape).

Question:
I want to map Active Directory groups to UNIX groups as follows

  • Domain-Admins (RID 512) -> root (gid 0)
  • Domain-Users (RID 513) -> users (gid 100)

I would like to achieve two goals:

  1. Directories and files created by any user (including automatically created home folders) should have gid=100

    At the moment gid=10000 (the gid automatically taken by winbind) is used.

  2. Members of the Domain-Admins group should have root privilege after login (alternatively: be member of the wheel group)

    At the moment, members of the Domain-Admins group are neither members of gid=0 nor of the wheel group (it does not exist on my Debian installation, but that is another issue).

To achieve these goals, I tried to set the following mappings

  • net groupmap add ntgroup="Domänen-Admins" unixgroup=root rid=512 type=domain
  • net groupmap add ntgroup="Domänen-Benutzer" unixgroup=users rid=513 type=domain

This approach was unsuccessful, nor did providing the SID instead of the RID help. For each approach, I made sure that the winbind cache was empty (net cache flush) and that both the samba and winbind services were restarted.

Any recommendations?
Your support is highly appreciated! (and I know that there are some Debian gurus out there who have solved such a scenario 😉 )

Regards, Wolfram


In addition some information requested by user syneticon-dj:

SIDs are scrambled

root@S15:~# net getdomainsid
SID for local machine S15 is: S-1-5-21-aaaaaaaaaa-bbbbbbbbbb-ccccccccc
SID for domain ITSL is: S-1-5-21-dddddddddd-eeeeeeeeee-ffffffffff
root@S15:~# net groupmap add ntgroup="Domänen-Admins" unixgroup=root rid=512 type=domain
Successfully added group Domänen-Admins to the mapping db as a domain group
root@S15:~# net groupmap add ntgroup="Domänen-Benutzer" unixgroup=users rid=513 type=domain
Successfully added group Domänen-Benutzer to the mapping db as a domain group
root@S15:~# net groupmap list
Domänen-Admins (S-1-5-21-aaaaaaaaaa-bbbbbbbbbb-ccccccccc-512) -> root
Domänen-Benutzer (S-1-5-21-aaaaaaaaaa-bbbbbbbbbb-ccccccccc-513) -> users

For me, it appears that the wrong group accounts are mapped. I mean the mapped SIDs correspond to the local machine SID instead of the domain SID. Anyway, it does not work, i.e. goal #1 is not achieved.

I have not found any option that enforces choosing the domain SID. Hence, I cleared the groupmap and added the mapping with the group SIDs directly as follows:

root@S15:~# net groupmap add ntgroup="Domänen-Benutzer" unixgroup=users sid="S-1-5-21-dddddddddd-eeeeeeeeee-ffffffffff-513" type=domain
Successfully added group Domänen-Benutzer to the mapping db as a domain group
root@S15:~# net groupmap list
Domänen-Benutzer (S-1-5-21-dddddddddd-eeeeeeeeee-ffffffffff-513) -> users

This approach does not work, either, i.e. goal #1 is not achieved.

As requested, here are the excerpts from smb.conf:

[global]
    workgroup = ITSL
    realm = itsl.local
    security = ADS
    # This machine is a member server, hence no authentication and we leave the following line commented
    ; domain logons = yes

    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash

    ;   winbind enum groups = yes
    ;   winbind enum users = yes

    winbind use default domain = yes

As requested, here are the excerpts from PAM config:

Debian Squeeze defaults, nothing changed by me.

root@S15:/etc/pam.d# grep 'winbind' *
common-account:account   [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
common-auth:auth         [success=1 default=ignore]                       pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
common-password:password [success=1 default=ignore]                       pam_winbind.so use_authtok try_first_pass
common-session:session   optional                                         pam_winbind.so
common-session-noninteractive:session   optional                          pam_winbind.so

Regards, Wolfram

Best Answer

You should not try to map the uid to root, nor the gid this way.

If you want to give the Administrators root privileges on the system, you could use sudo. You could use the Windows Group for granting the sudo privileges (Domain-Admins).
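As an added example (not part of the answer above), one way to turn the Windows group into a sudo rule is a drop-in under /etc/sudoers.d that is validated with visudo before it is installed. It assumes the group name winbind presents to NSS is "Domänen-Admins" as shown in the question (with "winbind use default domain = yes" there is no ITSL\ prefix; confirm the exact spelling with `getent group`), and it escapes spaces and backslashes because names such as "Domain Admins" or "ITSL\Domain Admins" would otherwise break the sudoers syntax:

```shell
#!/bin/sh
# Added example: grant sudo to an AD group resolved through winbind.
# Assumption: the NSS group name is the one shown by `getent group`.

# sudoers treats spaces, backslashes, commas, colons and '=' in a group
# name specially; each must be prefixed with a backslash.
sudoers_escape() {
    printf '%s' "$1" | sed 's/[\\ ,:=]/\\&/g'
}

# Build one sudoers rule of the form:  %group ALL=(ALL:ALL) ALL
sudoers_group_rule() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(sudoers_escape "$1")"
}

# Write the rule to a temp file, let visudo check it, and only then
# install it (mode 0440, owned by root) so a typo cannot break sudo.
install_sudoers_rule() {
    group="$1"; dest="${2:-/etc/sudoers.d/ad-admins}"
    tmp=$(mktemp) || return 1
    sudoers_group_rule "$group" > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 -o root -g root "$tmp" "$dest"
        rc=$?
    else
        echo "refusing to install invalid sudoers rule for '$group'" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root):  install_sudoers_rule 'Domänen-Admins'
# Afterwards a member of that AD group can check with:  sudo -l
```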