[Samba] Samba 4--are multiple domain administrators possible?

Natxo Asenjo natxo.asenjo at gmail.com
Thu Feb 5 06:06:21 GMT 2009


On Thu, Feb 5, 2009 at 1:13 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2009-02-01 at 19:50 -0600, kb9vqf at pearsoncomputing.net wrote:
>> I have a quick question for someone knowledgeable in Samba 4:
>> I recently set up a Samba 4 test server, utilizing the built-in LDAP
>> server, and joined a Windows XP client to it.  After logging in with the
>> precreated "administrator" account I then attempted to add another user
>> and grant that user domain administrator privileges by adding him to the
>> "Domain Admins" group.
>>
>> When I logged in under the new user, I was completely locked out of any
>> administrative tasks, even though that user was showing up under the
>> "Domain Admins" group.
>
> Which administrative tasks didn't work?

Modifying any object in ADUC, for instance. The dstools do not work
either (both from an XP machine joined to the domain). If you run them
with runas domain\administrator then they work.

C:\>whoami
THUIS\testuser1

C:\>dsget user "cn=testuser1,ou=testou,dc=thuis,dc=lan" -memberof
"CN=Remote Desktop Users,CN=Builtin,DC=thuis,DC=lan"
"CN=tstnested,OU=testou,DC=thuis,DC=lan"
"CN=Domain Admins,CN=Users,DC=thuis,DC=lan"  <<<<<<---------------------
"CN=Domain Users,CN=Users,DC=thuis,DC=lan"

As you see, this testuser is a member of Domain Admins. But:

C:\>dsadd user "cn=testuser11,ou=testou,dc=thuis,dc=lan" -fn test -ln user11 -display testuser11 -samid testuser11
dsadd failed:cn=testuser11,ou=testou,dc=thuis,dc=lan:Toegang geweigerd.
type dsadd /? for help.

'toegang geweigerd' is Dutch for 'permission denied'.

-- 
Greetings,
N.Asenjo

