[Samba] Fwd: most common way to implement 'net time' privileges

Witold Tosta witold.tosta at neostrada.pl
Thu Aug 27 12:26:55 MDT 2009


Liutauras Adomaitis wrote:
> On Thu, Aug 27, 2009 at 3:14 PM, Witold Tosta<witold.tosta at neostrada.pl> wrote:
>> Liutauras Adomaitis wrote:
>>> On Wed, Aug 26, 2009 at 6:11 PM, Volker
>>> Lendecke<Volker.Lendecke at sernet.de> wrote:
>>>> On Wed, Aug 26, 2009 at 06:05:35PM +0300, Liutauras Adomaitis wrote:
>>>>> now size is few times larger. Try it now
>>>>> http://www.infosaitas.lt/logas.txt
>>>> Normally a "Device is not functioning" (or so) means an
>>>> NT_STATUS_UNSUCCESSFUL error message. I don't see any such
>>>> error message in the logs. When *exactly* did the error
>>>> happen when you took the log?
>>>>
>>> I looked through the logs again - no line with NT_STATUS_UNSUCCESSFUL.
>>>
>>> I found other thing (look below). It says
>>> ldapsam_getsampwsid: Unable to locate SID
>>> [S-1-5-21-1376040910-2644421868-2724539926-513]
>>> Could this be the problem?
>>>
>> I have the same issue on samba 3.4.0. Previously I thought all usrmgr.exe's
>> features do not work for Samba, but only for NT 4.0.
>>
>> The issue comes out when using the latest version 5.2.3790.1127 of
>> usrmgr.exe. The previous ones shipped with Windows NT 4.0 Server and Windows
>> 2000 Server (4.0.1371.1 and versions 5.0.2195.6601) work well, but in both
>> there is no changing time policy setting in the menu of policy --> user
>> rights settings group :-)
>>
>> Allowing Domain Users setting time for their machines via time change
>> settings (clock settings on right bottom corner of windows desktop) or via
>> logon.bat for example I resolved adding Domain User Group into the policy
>> called "Allow user time change" under secpol.msc utility from Windows XP
>> Professional workstation.
> 
> How did you do that with logon.bat?

You probably got me wrong :-)
Using the logon.bat (common NT login script) I synchronize the client's 
system time with domain time when client logs into the domain with the 
following command: net time /domain:yourdomainname /set /yes

But only the domain administrators and as far as I know advanced users 
are able to do this. When your user is an administrator or advanced user 
that's enough, you don't have to change anything else. But if the user 
is a domain user you have to add the ability of changing system time to 
computer's local policy (secpol.msc). Otherwise login.bat processing will 
stop and will inform that user doesn't have privilege to change local 
system time. With such statement domain user cannot enter system's clock 
and look at the calendar either, funny isn't it?

My point was to ask the Honorable Group if there's a possibility to set 
up a domain policy that allows to change user's system time for each 
domain user globally, not only computer's local policy for each computer 
separately.

Best regards.
Witek


