[Samba] Samba 3 - domain admins (not root)?

Gémes Géza geza at kzsdabas.sulinet.hu
Tue Mar 9 14:11:17 GMT 2004



edd payne wrote:
| On Tuesday 09 Mar 2004 12:13 pm, Jonathan Baker-Bates TMS wrote:
|
|
|>>| I'm trying to work out how I can create domain administrators with Samba 3.
|>>
|>>| I currently have the following in smb.conf
|>>|
|>>|     domain admin group = @smbadmins
|>>|     domain admin users = root jbb
|>>
|>>You are wrong: in Samba3 there is a complete group mapping possibility,
|>>not just the possibility of mapping domain admins, like in 2.2.x.
|>>So:
|>>first)  Remove those two lines from your smb.conf
|>>second) Depending on your passdb backend, there could be two cases:
|>>A) passdb backend = smbpasswd (default, if not specified) or tdbsam. In
|>>this case samba populates its database with all the entries found on a
|>>Windows DC; you could see them with net groupmap list. You can (you need
|>>to) modify these default group mappings with net groupmap modify
|>>ntgroup=... unixgroup=...
|>>B) passdb backend = ldapsam: you need to add all the group mappings by hand
|>>with net groupmap add sid=... unixgroup=... Remember:
|>>Domain Admins SID = Domain SID-512
|>>Domain Users SID = Domain SID-513
|>>Domain Guests SID = Domain SID-514
|>>
|>>Good luck, and have a pleasant experience with Samba3; it is really a big
|>>improvement since the 2.2 line, in many areas.
|>
|>Ah, thanks for putting me on the right track - I'm using smbpasswd (we've
|>only got about 10 users), and the Samba server *is* the DC, but I've found
|>some docs on the samba site so I'm reading them now :-)
|>
|>However, I still can't get my user "jbb" to be a domain admin. I'm mapping
|>the "smbadmins" group to the NT "Domain Admins" entity like this:
|>
|>net groupmap add ntgroup="Domain Admins" unixgroup=smbadmins
|>
|>and it says it created the mapping successfully, but when I log onto the
|>domain with that account, it doesn't have admin rights. I can see the
|>mapping with:
|>
|># net groupmap list ntgroup="Domain Admins"
|>Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
|>
|>and in /etc/group I have smbadmins:x:1004:jbb
|>
|>I'm not sure what I'm doing wrong.
|
|
| You need to use net groupmap modify rather than net groupmap add. The
| Domain Admins group should have an SID (the S- number) ending in 512 if it is
| the real "Domain Admins" group. Delete the mapping you put in and then
| repeat the net groupmap command but use:
|
| net groupmap modify ntgroup="Domain Admins" unixgroup=smbadmins
|
| Then when you do net groupmap list you should get:
|
| Domain Admins (S-1-5-21-3040818230-2349230895-2714603090-512) -> smbadmins
|
| and it should work
|
| You also need to "modify" groups such as Domain Users, Domain Guests,
| Backup Operators etc.
|
| edd
|
Just for completeness, I've cut and pasted the most important part of my
test system's net groupmap list output (the production one is using ldap
and has just Domain Users, Domain Admins and Domain Guests, besides a lot
of self-created group mappings, like students->students, and alike):

System Operators (S-1-5-32-549) -> daemon
looser (S-1-5-21-4109351342-2997801466-301355879-2007) -> looser
Replicators (S-1-5-32-552) -> disk
Guests (S-1-5-32-546) -> nogroup
Power Users (S-1-5-32-547) -> wheel
Domain Users (S-1-5-21-4109351342-2997801466-301355879-513) -> users
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> root
Domain Admins (S-1-5-21-4109351342-2997801466-301355879-512) -> adm
Domain Guests (S-1-5-21-4109351342-2997801466-301355879-514) -> nogroup
Account Operators (S-1-5-32-548) -> adm
Backup Operators (S-1-5-32-551) -> daemon
Users (S-1-5-32-545) -> users

You can see that there are two kinds of groups:
local groups with SID=S-1-5-32-groupRID
and
domain groups with SID=DOMAINSID-groupRID
For a correctly working Samba PDC you NEED to map the Domain groups to
existing UNIX groups, whose members will then become Domain Admins, Domain
Users and Domain Guests, and whatever other groups you would want to add to
the group mapping.

Cheers,

Geza
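As an added illustration of the RID check edd and Geza describe (this is not code from the thread or from the Samba project): a small sh script that parses a saved net groupmap list listing and flags Domain Admins/Users/Guests entries whose SID does not end in 512/513/514, which is what happens when the mapping was created with net groupmap add instead of modify. The sample listing and the domain SID in it are constructed, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `net groupmap list` output (hypothetical domain SID).
# The Domain Admins line shows the mistake from the thread: RID 3009, not 512.
SAMPLE_GROUPMAP='Domain Users (S-1-5-21-4109351342-2997801466-301355879-513) -> users
Domain Admins (S-1-5-21-4109351342-2997801466-301355879-3009) -> smbadmins
Domain Guests (S-1-5-21-4109351342-2997801466-301355879-514) -> nogroup
Administrators (S-1-5-32-544) -> root'

# rid_of_group LISTING NTGROUP: print the RID (last SID component) of NTGROUP,
# or nothing if the group has no mapping in LISTING.
rid_of_group() {
    printf '%s\n' "$1" | awk -v g="$2" '
        index($0, g " (") == 1 {
            sid = $0; sub(/^[^(]*\(/, "", sid); sub(/\).*$/, "", sid)
            n = split(sid, p, "-"); print p[n]; exit
        }'
}

# unix_group_of LISTING NTGROUP: print the UNIX group NTGROUP is mapped to.
unix_group_of() {
    printf '%s\n' "$1" | awk -v g="$2" '
        index($0, g " (") == 1 { print $NF; exit }'
}

# check_domain_groups LISTING: return 0 when Domain Admins/Users/Guests are
# mapped with RIDs 512/513/514; otherwise print one line per problem, return 1.
check_domain_groups() {
    listing=$1
    status=0
    for pair in "Domain Admins:512" "Domain Users:513" "Domain Guests:514"; do
        name=${pair%:*}
        want=${pair#*:}
        got=$(rid_of_group "$listing" "$name")
        if [ -z "$got" ]; then
            echo "MISSING: $name is not mapped (net groupmap modify ntgroup=\"$name\" unixgroup=...)"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG RID: $name has RID $got, expected $want (created with 'add' instead of 'modify'?)"
            status=1
        fi
    done
    return $status
}
```

Feed it live output with check_domain_groups "$(net groupmap list)" on the PDC; a clean run means the well-known domain groups resolve to the RIDs Windows clients expect.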
