[Samba] Fwd: most common way to implement 'net time' privileges
Witold Tosta
witold.tosta at neostrada.pl
Thu Aug 27 12:26:55 MDT 2009
Liutauras Adomaitis pisze:
> On Thu, Aug 27, 2009 at 3:14 PM, Witold Tosta<witold.tosta at neostrada.pl> wrote:
>> Liutauras Adomaitis pisze:
>>> On Wed, Aug 26, 2009 at 6:11 PM, Volker
>>> Lendecke<Volker.Lendecke at sernet.de> wrote:
>>>> On Wed, Aug 26, 2009 at 06:05:35PM +0300, Liutauras Adomaitis wrote:
>>>>> now size is few times larger. Try it now
>>>>> http://www.infosaitas.lt/logas.txt
>>>> Normally a "Device is not functioning" (or so) means an
>>>> NT_STATUS_UNSUCCESSFUL error message. I don't see any such
>>>> error message in the logs. When *exactly* did the error
>>>> happen when you took the log?
>>>>
>>> I looked through the logs again - no line with NT_STATUS_UNSUCCESSFUL.
>>>
>>> I found other thing (look below). It says
>>> ldapsam_getsampwsid: Unable to locate SID
>>> [S-1-5-21-1376040910-2644421868-2724539926-513]
>>> Could this be the problem?
>>>
>> I have the same issue on samba 3.4.0. Previously I thought all usrmgr.exe's
>> features does not work for Samba, but only for NT 4.0.
>>
>> The issue comes out when using the latest version 5.2.3790.1127 of
>> usrmgr.exe. The previous ones shipped with Windows NT 4.0 Server and Windows
>> 2000 Server (4.0.1371.1 and versions 5.0.2195.6601) work well, but in both
>> there are no changing time policy setting in the menu of policy --> user
>> rights settings group :-)
>>
>> Allowing Domain Users setting time for their machines via time change
>> settings (clock settings on right bottom corner of windows desktop) or via
>> logon.bat for example I resolved adding Domain User Group into the policy
>> called "Allow user time change" under secpol.msc utility from Windows XP
>> Professional workstation.
>
> How did you do that with logon.bat?
You probably got me wrong :-)
Using the logon.bat (common NT login script) I synchronize the client's
system time with domain time when client logs into the domain with the
following command: net time /domain:yourdomainname /set /yes
But only the domain administartors and as far as I know advanced users
are able to do this. When your user is an administartor or advanced user
that's enough, you don't have to change anything else. But if the user
is a domain user you have to add the ability of changing system time to
computer's local policy (secpol.msc) Otherwise login.bat processing will
stop and will inform that user doesn't have privilage to change local
system time. With such statement domain user cannot enter system's clock
and look at the calendar either, funny isn't it ?
My point was to ask the Honorable Group if there's a possibility to set
up a domain policy that allows to change user's system time for each
domain user globally, not only computer's local policy for each computer
separately.
Best regards.
Witek
More information about the samba
mailing list