FINALLY ....[WAS Re: [Samba] Re: DID ANYBODY HERE...

jo at neolabs.be jo at neolabs.be
Tue Aug 5 12:18:25 GMT 2003


Hi, Jo here again (Mr. FINALLY)

I think indeed this also applies to me; if I do 'getent group' I get

[root at client var]# tail -f  log.winbindd
[2003/08/05 11:48:14, 0] nsswitch/winbindd_group.c:winbindd_getgrent(640)
  could not lookup domain group Domain Admins
[2003/08/05 11:48:14, 0] nsswitch/winbindd_group.c:winbindd_getgrent(640)
  could not lookup domain group Domain Users

and

[root at client root]# winbindd -d 1 -i
winbindd version 2.2.8a started.
Copyright The Samba Team 2000-2001
Added domain MYGROUP (S-1-5-21-2381868111-1096633346-2653114510)
getting trusted domain list
could not lookup membership for group rid 512 in domain MYGROUP
could not lookup domain group Domain Admins
could not lookup membership for group rid 513 in domain MYGROUP
could not lookup domain group Domain Users

so I guess it is exactly what you describe... however, I do not find
the pdbedit tool. I am using Samba 2.2.8a, maybe that's why? Where
are groups stored then? AFAIK pdbedit is a generic way to edit the SAM in
Samba 3.0, since there it can be in LDAP, a file, ... but in
Samba 2.2.8a should groups be in the /etc/samba/smbpasswd file then? I
only have three users in there: root, jo and the client$ machine account...
How come wbinfo -g finds the groups ?!?!?! Should I have
an administrator account in smbpasswd, or can you also add machines
with the root account?

Thanks

Jo

On Tue, 5 Aug 2003 16:30:33 +0700 Beast wrote:

> Tuesday, August 5, 2003, 8:33:07 AM, paul wrote:
> 
> > 1. Change the "Primary Group SID" of your Administrator to the SID of the
> > "Domain Admins" global group.
> 
> Well, to make it clear for everyone else, the requirement for a domain
> administrator is that you MUST set its group RID to 512,
> no matter whether you have a "Domain Admins" group mapping or not.
> 
> To make a user able to add a machine to the domain, the (unix) uid and gid must be
> 0, no matter whether it belongs to the NT domain admins or not at all.
> 
> This should be written in the documentation, otherwise it will confuse
> anybody.
> 
> Well, I spent a whole week fighting with this problem; however, it's 'just'
> beta, so it's my fault anyway for using beta sw.
> 
> However, samba3 seems promising. Thanks, Samba team!
> 
> 
> > 2. Add something like "memberUID: Administrator" to the corresponding 
> > UNIX group of your "Domain Admins" group.
> 
> This will not work.
> "Domain Admins" group is still ok as long as you set GRID to 512.
> 
> 
> 
> --beast 
> 

NEOlabs - http://www.neolabs.be - mailto:info at neolabs.be


