[Samba] Cannot get DOMAIN ADMINS to work *SOLVED*

Heinrich Rebehn rebehn at ant.uni-bremen.de
Wed Dec 15 08:40:32 GMT 2004


Ryan Novosielski wrote:
> FWIW, I believe you'll be experiencing problems with this part of your 
> setup:
> 
>> Administrators (S-1-5-32-544) -> ntadmin
>> Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin
> 
> 
> I don't believe that is legal. Or perhaps it is only illegal if ntadmin 
> is someone's primary group, not secondary. I just fought with this one 
> myself.
> 
> Does anyone have a good resource on this?

ntadmin is one of my secondary groups. Anyway, it now works for me. I 
had to stop samba, delete secrets.tdb and groupmappings.tdb and restart 
samba, according to:
http://lists.samba.org/archive/samba/2004-August/090343.html

> 
> ---- _  _ _  _ ___  _  _  _
> |Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - User Support Spec. III
> |$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
> \__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
> 
> On Fri, 10 Dec 2004, Heinrich Rebehn wrote:
> 
>> Hi list,
>>
>> After reading a lot in the mailing list and the official Samba 3 
>> howto, I am still unable to give domain admin rights to a user, so 
>> that he gets admin rights on all workstations in the domain.
>>
>> Here is what I have:
>>
>> - Samba 3.08 PDC, config:
>>
>> [global]
>>   workgroup = ANT
>>   netbios name = ANTSRV
>>   netbios aliases       = RUN KITS HOMES LIB PRINTERS
>>   server string = ANT Samba Server %v
>>
>>   printcap name = /etc/samba/smbprintcap
>>   load printers = yes
>>   printing = lprng
>>   printer admin = @adm
>>
>>   log file = /var/log/samba/log.%m
>>   max log size = 50
>>
>>   map to guest = bad user
>>   security = user
>>   encrypt passwords = yes
>>   smb passwd file = /etc/samba/private/smbpasswd
>>
>>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>   local master = yes
>>   os level = 33
>>   domain master = yes
>>   preferred master = yes
>>   domain logons = yes
>>   logon path = \\%L\Profiles\%U
>>
>> <shares removed>
>>
>> - Client: Vanilla Windows XP professional, SP2, domain member, no 
>> special registry settings
>>
>> - Groups:
>>
>> root@antsrv2 [~] # net groupmap list
>> System Operators (S-1-5-32-549) -> -1
>> Replicators (S-1-5-32-552) -> -1
>> Guests (S-1-5-32-546) -> -1
>> Power Users (S-1-5-32-547) -> -1
>> Print Operators (S-1-5-32-550) -> -1
>> Administrators (S-1-5-32-544) -> ntadmin
>> Account Operators (S-1-5-32-548) -> -1
>> Domain Users (S-1-5-21-4008939791-1949703945-886196202-513) -> wiss
>> Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin
>> Backup Operators (S-1-5-32-551) -> -1
>> Domain Guests (S-1-5-21-4008939791-1949703945-886196202-514) -> nogroup
>> Users (S-1-5-32-545) -> wiss
>>
>> root@antsrv2 [~] # getent group ntadmin
>> ntadmin:x:1060:rebehn
>>
>> This should be enough to give user rebehn admin rights on all 
>> workstations in the domain, right?
>>
>> But it does not work. When I try to partition disks on a workstation, 
>> I get a message saying that I do not have the necessary rights.
>>
>> Questions:
>> - Did I miss something obvious?
>> - How can I debug on server/client side?
>>
>> Thanks for any help.
>>
>> PS: winbindd is not running. Do I need it?
>> -- 

-- 

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :            -3341
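
An added example, not part of the original thread: a Python audit of the `net groupmap list` and `getent group` output quoted above. It reports which NT groups are unmapped (-1), which Unix groups are the target of more than one NT group (the ntadmin situation discussed in the thread), and which users end up with administrator-equivalent membership. The function names are this example's own.

```python
import re
from collections import defaultdict

# Abridged from the command output quoted in the message above.
GROUPMAP = """\
System Operators (S-1-5-32-549) -> -1
Administrators (S-1-5-32-544) -> ntadmin
Domain Users (S-1-5-21-4008939791-1949703945-886196202-513) -> wiss
Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin
Users (S-1-5-32-545) -> wiss
"""
GETENT = "ntadmin:x:1060:rebehn\n"

LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")
# Well-known SIDs: BUILTIN\Administrators (544) and any domain's Domain Admins (RID 512).
PRIV = re.compile(r"^(S-1-5-32-544|S-1-5-21-[\d-]+-512)$")

def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; lines in another format are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((m["name"], m["sid"], m["unix"]))
    return out

def audit(groupmap_text, getent_text):
    """Summarise unmapped groups, shared Unix targets and admin-equivalent users."""
    maps = parse_groupmap(groupmap_text)
    members = {}
    for line in getent_text.splitlines():
        f = line.split(":")
        if len(f) == 4:  # name:passwd:gid:comma-separated members
            members[f[0]] = [u for u in f[3].split(",") if u]
    by_unix = defaultdict(list)
    for name, _, unix in maps:
        if unix != "-1":
            by_unix[unix].append(name)
    priv_groups = {u for _, s, u in maps if PRIV.match(s) and u != "-1"}
    return {
        "unmapped": [n for n, _, u in maps if u == "-1"],
        "shared": {u: n for u, n in by_unix.items() if len(n) > 1},
        "admin_users": sorted({m for g in priv_groups for m in members.get(g, [])}),
    }

if __name__ == "__main__":
    print(audit(GROUPMAP, GETENT))
```

`getent group` lists only supplementary members, so a user whose primary GID is the mapped group has to be found through the passwd database as well.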

