[Samba-it] administrator privileges in the domain

Daniele Palumbo daniele at retaggio.net
Thu Sep 11 08:43:51 MDT 2008


On Wednesday 10 September 2008 09:36:45 Marco Gaiarin wrote:
> > from the Administrator user (alias of the root user) of the CEM-IT domain,
> > on a PC that is obviously joined to the CEM-IT domain, I cannot get
> > administrator privileges.
>
> ..but privileges aside, is this Administrator user a member of the
> Domain Admins group?

you made the light bulb go on:
it had SID 500 (administrator) but the RID was not that of "Domain Admins".

procedure performed:
first I deleted the Account Operators and Domain Admins groups, then I
recreated them swapping the unix GIDs (linux, for search engines).

then I deleted and recreated the samba account for the root user, so as to
assign SID 500 and RID 512.

now it works.

thanks a lot!
d.


---
here is the complete procedure:

srv01:~# pdbedit -L -v root
Unix username:        root
NT username:
Account Flags:        [UX         ]
User SID:             S-1-5-21-727981841-3274019053-3788340928-500
Primary Group SID:    S-1-5-21-727981841-3274019053-3788340928-1001
Full Name:            root
Home Directory:       \\srv01\root
HomeDir Drive:        U:
Logon Script:         root.bat
Profile Path:         \\srv01\profiles\root
Domain:               CEM-IT
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Tue, 22 Jul 2008 09:56:15 CEST
Password can change:  Tue, 22 Jul 2008 09:56:15 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
srv01:~# net groupmap list | grep S-1-5-21-727981841-3274019053-3788340928-1001
Account Operators (S-1-5-21-727981841-3274019053-3788340928-1001) -> root
srv01:~# net groupmap delete ntgroup="Domain Admins"
Sucessfully removed Domain Admins from the mapping db
srv01:~# net groupmap delete ntgroup="Account Operators"
Sucessfully removed Account Operators from the mapping db
srv01:~# net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
Successfully added group Domain Admins to the mapping db as a domain group
srv01:~# net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=1001 type=d
Successfully added group Domain Admins to the mapping db as a domain group
srv01:~# net groupmap list
Print Operators (S-1-5-21-727981841-3274019053-3788340928-1013) -> lp
Domain Admins (S-1-5-21-727981841-3274019053-3788340928-512) -> root
Magazzino (S-1-5-21-727981841-3274019053-3788340928-1025) -> magazzino
Replicators (S-1-5-21-727981841-3274019053-3788340928-1015) -> daemon
Domain Users (S-1-5-21-727981841-3274019053-3788340928-513) -> users
Domain Guests (S-1-5-21-727981841-3274019053-3788340928-1007) -> nogroup
conscem (S-1-5-21-727981841-3274019053-3788340928-1065) -> constec
Acquisti (S-1-5-21-727981841-3274019053-3788340928-1027) -> acquisti
Commerciale (S-1-5-21-727981841-3274019053-3788340928-1019) -> commerciale
Amministrazione (S-1-5-21-727981841-3274019053-3788340928-1017) -> amministrazione
Domain Users (S-1-5-21-727981841-3274019053-3788340928-1009) -> ntuser
Produzione (S-1-5-21-727981841-3274019053-3788340928-1029) -> produzione
Qualita (S-1-5-21-727981841-3274019053-3788340928-1052) -> qualita
Tecnico (S-1-5-21-727981841-3274019053-3788340928-1022) -> tecnico
Ced (S-1-5-21-727981841-3274019053-3788340928-1024) -> ced
Centralino (S-1-5-21-727981841-3274019053-3788340928-1028) -> centralino
Domain Admins (S-1-5-21-727981841-3274019053-3788340928-1001) -> ntadmin
Direzione (S-1-5-21-727981841-3274019053-3788340928-1021) -> direzione
Power Users (S-1-5-21-727981841-3274019053-3788340928-1011) -> sys
Backup Operators (S-1-5-21-727981841-3274019053-3788340928-1003) -> bin
Prototipi (S-1-5-21-727981841-3274019053-3788340928-1023) -> prototipi
srv01:~# pdbedit -x root
srv01:~# pdbedit -a -G S-1-5-21-727981841-3274019053-3788340928-512 -U S-1-5-21-727981841-3274019053-3788340928-500 -u root
new password:
retype new password:
Unix username:        root
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-727981841-3274019053-3788340928-500
Primary Group SID:    S-1-5-21-727981841-3274019053-3788340928-512
Full Name:            root
Home Directory:       \\srv01\root
HomeDir Drive:        U:
Logon Script:         root.bat
Profile Path:         \\srv01\profiles\root
Domain:               CEM-IT
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Thu, 11 Sep 2008 16:37:50 CEST
Password can change:  Thu, 11 Sep 2008 16:37:50 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
srv01:~#
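
An added example, not part of the original post: a small audit that cross-checks saved `net groupmap list` and `pdbedit -L -v` output for the condition discussed above (primary group RID other than 512) and for NT group names mapped at more than one RID, as in the final listing. The function names are this example's own, and the sample input is constructed from the listings in the post.

```python
import re
from collections import defaultdict
# RIDs that Windows fixes for built-in domain groups.
WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
MAP_RE = re.compile(r"^(.+?) \((S-1-[\d-]+)\) -> (\S+)$")

def rid(sid):
    """Return the RID: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def parse_groupmap(text):
    """Parse `net groupmap list` output into (ntgroup, rid, unixgroup) tuples."""
    hits = (MAP_RE.match(line.strip()) for line in text.splitlines())
    return [(m[1], rid(m[2]), m[3]) for m in hits if m]

def primary_group_rid(text):
    """RID of the 'Primary Group SID' line in `pdbedit -L -v USER` output."""
    m = re.search(r"^Primary Group SID:\s*(S-1-[\d-]+)", text, re.M)
    return rid(m.group(1)) if m else None

def audit(groupmap_text, pdbedit_text):
    """List findings for an account that is meant to be a domain admin."""
    findings, by_name = [], defaultdict(list)
    entries = parse_groupmap(groupmap_text)
    for name, r, _unix in entries:
        by_name[name].append(r)
        if r in WELL_KNOWN and name != WELL_KNOWN[r]:
            findings.append(f"RID {r} is mapped as {name!r}, expected {WELL_KNOWN[r]!r}")
    for name, rids in by_name.items():
        if len(rids) > 1:
            findings.append(f"{name!r} is mapped at several RIDs: {sorted(rids)}")
    if 512 not in (r for _, r, _ in entries):
        findings.append("no group is mapped at RID 512")
    pg = primary_group_rid(pdbedit_text)
    if pg != 512:
        findings.append(f"primary group RID is {pg}, not 512")
    return findings

# Constructed sample input, modelled on the listings in the post.
DOM = "S-1-5-21-727981841-3274019053-3788340928"
GROUPMAP = f"""Domain Admins ({DOM}-512) -> root
Domain Users ({DOM}-513) -> users
Domain Admins ({DOM}-1001) -> ntadmin
Print Operators ({DOM}-1013) -> lp"""
BEFORE = f"User SID:             {DOM}-500\nPrimary Group SID:    {DOM}-1001"
AFTER = f"User SID:             {DOM}-500\nPrimary Group SID:    {DOM}-512"

if __name__ == "__main__":
    print(audit(GROUPMAP, BEFORE), audit(GROUPMAP, AFTER), sep="\n")
```

On a live server the two text arguments would come from the saved output of the same two commands used in the session above.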


