[Samba-it] administrator privileges in the domain
Daniele Palumbo
daniele at retaggio.net
Thu Sep 11 08:43:51 MDT 2008
On Wednesday 10 September 2008 09:36:45 Marco Gaiarin wrote:
> > from the Administrator user (alias of the root user) of the CEM-IT domain I
> > cannot, on a PC obviously joined to the CEM-IT domain, get administrator
> > privileges.
>
> ..but privileges aside, is this Administrator user a member of the
> Domain Admins group?
You made the light bulb go on:
it had SID 500 (administrator) but the RID was not that of "Domain Admins".
Procedure carried out:
first I deleted the Account Operators and Domain Admins groups, then I
recreated them, swapping the unix GIDs (linux, for search engines).
Then I deleted and recreated the samba account for the root user, so as to
assign SID 500 and RID 512.
Now it works.
Thanks a lot!
d.
---
Here is the complete procedure:
srv01:~# pdbedit -L -v root
Unix username: root
NT username:
Account Flags: [UX ]
User SID: S-1-5-21-727981841-3274019053-3788340928-500
Primary Group SID: S-1-5-21-727981841-3274019053-3788340928-1001
Full Name: root
Home Directory: \\srv01\root
HomeDir Drive: U:
Logon Script: root.bat
Profile Path: \\srv01\profiles\root
Domain: CEM-IT
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Tue, 22 Jul 2008 09:56:15 CEST
Password can change: Tue, 22 Jul 2008 09:56:15 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
srv01:~# net groupmap list | grep S-1-5-21-727981841-3274019053-3788340928-1001
Account Operators (S-1-5-21-727981841-3274019053-3788340928-1001) -> root
srv01:~# net groupmap delete ntgroup="Domain Admins"
Sucessfully removed Domain Admins from the mapping db
srv01:~# net groupmap delete ntgroup="Account Operators"
Sucessfully removed Account Operators from the mapping db
srv01:~# net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
Successfully added group Domain Admins to the mapping db as a domain group
srv01:~# net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=1001 type=d
Successfully added group Domain Admins to the mapping db as a domain group
srv01:~# net groupmap list
Print Operators (S-1-5-21-727981841-3274019053-3788340928-1013) -> lp
Domain Admins (S-1-5-21-727981841-3274019053-3788340928-512) -> root
Magazzino (S-1-5-21-727981841-3274019053-3788340928-1025) -> magazzino
Replicators (S-1-5-21-727981841-3274019053-3788340928-1015) -> daemon
Domain Users (S-1-5-21-727981841-3274019053-3788340928-513) -> users
Domain Guests (S-1-5-21-727981841-3274019053-3788340928-1007) -> nogroup
conscem (S-1-5-21-727981841-3274019053-3788340928-1065) -> constec
Acquisti (S-1-5-21-727981841-3274019053-3788340928-1027) -> acquisti
Commerciale (S-1-5-21-727981841-3274019053-3788340928-1019) -> commerciale
Amministrazione (S-1-5-21-727981841-3274019053-3788340928-1017) -> amministrazione
Domain Users (S-1-5-21-727981841-3274019053-3788340928-1009) -> ntuser
Produzione (S-1-5-21-727981841-3274019053-3788340928-1029) -> produzione
Qualita (S-1-5-21-727981841-3274019053-3788340928-1052) -> qualita
Tecnico (S-1-5-21-727981841-3274019053-3788340928-1022) -> tecnico
Ced (S-1-5-21-727981841-3274019053-3788340928-1024) -> ced
Centralino (S-1-5-21-727981841-3274019053-3788340928-1028) -> centralino
Domain Admins (S-1-5-21-727981841-3274019053-3788340928-1001) -> ntadmin
Direzione (S-1-5-21-727981841-3274019053-3788340928-1021) -> direzione
Power Users (S-1-5-21-727981841-3274019053-3788340928-1011) -> sys
Backup Operators (S-1-5-21-727981841-3274019053-3788340928-1003) -> bin
Prototipi (S-1-5-21-727981841-3274019053-3788340928-1023) -> prototipi
srv01:~# pdbedit -x root
srv01:~# pdbedit -a -G S-1-5-21-727981841-3274019053-3788340928-512 -U S-1-5-21-727981841-3274019053-3788340928-500 -u root
new password:
retype new password:
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-727981841-3274019053-3788340928-500
Primary Group SID: S-1-5-21-727981841-3274019053-3788340928-512
Full Name: root
Home Directory: \\srv01\root
HomeDir Drive: U:
Logon Script: root.bat
Profile Path: \\srv01\profiles\root
Domain: CEM-IT
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Thu, 11 Sep 2008 16:37:50 CEST
Password can change: Thu, 11 Sep 2008 16:37:50 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
srv01:~#
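
A check for the mismatch described in this message, as an added example that is not part of the original post: it audits `net groupmap list` output for built-in domain groups that are off their fixed RIDs (512, 513, 514) or mapped twice, and checks the primary group RID in `pdbedit -L -v` output. The function names are hypothetical and the sample mappings use a constructed placeholder domain SID.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.
# Real use:  net groupmap list | check_groupmap
#            pdbedit -L -v root | primary_group_is_domain_admins

# Reads `net groupmap list` output on stdin, prints one finding per line,
# returns 1 if there was any finding.
check_groupmap() {
  awk '
    BEGIN {
      # Fixed RIDs Windows expects for the built-in domain groups.
      want["Domain Admins"] = 512; want["Domain Users"] = 513
      want["Domain Guests"] = 514
      for (g in want) owner[want[g]] = g
    }
    # Line format: <NT group> (<SID>) -> <unix group>
    match($0, / \(S-1-5-21-[0-9-]+\) -> /) {
      name = substr($0, 1, RSTART - 1)
      n = split(substr($0, RSTART + 2, RLENGTH - 7), part, "-")
      rid = part[n]
      if (++seen[name] == 2) { print "DUPLICATE: " name; bad = 1 }
      if ((name in want) && rid == want[name]) ok[name] = 1
      if ((rid in owner) && owner[rid] != name) {
        print "RID " rid " mapped to " name ", expected " owner[rid]; bad = 1
      }
    }
    END {
      for (g in want) if (!ok[g]) {
        print g " has no mapping on RID " want[g]; bad = 1
      }
      exit bad + 0
    }'
}

# Reads `pdbedit -L -v <user>` output on stdin; succeeds only when the
# primary group SID ends in RID 512.
primary_group_is_domain_admins() {
  awk -F- '/^Primary Group SID:/ { rid = $NF } END { exit !(rid == 512) }'
}

D=S-1-5-21-1111111111-2222222222-3333333333   # constructed placeholder domain SID
SAMPLE_BEFORE="Domain Admins ($D-1001) -> ntadmin
Account Operators ($D-512) -> root
Domain Users ($D-513) -> users
Domain Users ($D-1009) -> ntuser
Domain Guests ($D-514) -> nogroup"            # constructed input, misconfigured
SAMPLE_AFTER="Domain Admins ($D-512) -> root
Account Operators ($D-1001) -> ntadmin
Domain Users ($D-513) -> users
Domain Guests ($D-514) -> nogroup"            # constructed input, corrected
printf '%s\n' "$SAMPLE_BEFORE" | check_groupmap || true   # prints three findings
```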