Mixed profiles w/Samba-PDC

Gerald Carter cartegw at Eng.Auburn.EDU
Tue May 26 16:41:17 GMT 1998


Pierre-Jules Tremblay wrote:
> 
> Okay, I figured out the problem (I think).  I believe the way Samba
> handles domain admin users is causing this (or maybe my understanding 
> is).

I should document this.  It has come up several times.

> It turns out in my example that both users were listed in the "domain
> admin users" keyword.  I discovered that the profile list in the
> registry was being set wrong (see
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\ProfileList).  The key for both users A and B ended
> up being the same, i.e. S-1-5-21-123-456-789-123-500.  Now, 500 is the
> uid of user A on the samba server, but I also noticed that the last
> three digits of the local Administrator account are 500, is this a
> coincidence?

Nope.  When you set "domain admin users", the RID for each user is set
to the well-known ADMIN RID ( i.e. 500 ) in the user info reply packet.

> Anyway, I simply removed user B from the domain admin users list and
> now the problem is fixed, i.e.  the registry key name for user B is
> now S-1-5-21-123-456-789-123-1514 (where 514 is the Unix uid of user
> B; what does the 1 stand for?). 

The RID is generated by adding 1000 to the unix UID.  This is the same
way that the posix subsystem handles it.


> I just wonder how come *all* users listed in the "domain admin users"
> are mapped to the same domain id, i.e. S-1-5-21-123-456-789-123-500
> and therefore all ending up with the same local profile location.  Is
> this the only way to "fool" NT into thinking this user is a domain
> admin?

Yup.

> If I change the domain ID now, won't this mean I'll have to have every
> machine rejoin the domain?  How critical is this?

You don't have to.  The latest code will generate the
private/MACHINE.SID file from the value of "domain sid".  After the file
is generated, the "domain sid" value from smb.conf is ignored.  And yes,
if you change the value of domain sid then all members will have to
rejoin the domain.

> > > #   logon path = \\%L\Profiles\%U
> > 
> > The default for logon path is \\%L\%U\profile.  See my previous post
> > about using the home directory for roaming profiles.
> 
> The above setup works well for me, for both Win95 and NT stations.
> Thanks for the info, though.

I know.  But be warned.  Strange things can happen.




j-
________________________________________________________________________
                            Gerald ( Jerry ) Carter	
Engineering Network Services                           Auburn University 
jerry at eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )
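
Added example, not part of the original message and not Samba's own code: a sketch of the RID mapping described in the thread (RID 500 for every user in "domain admin users", Unix uid + 1000 otherwise) that flags accounts which would end up sharing one ProfileList key on an NT client. The smb.conf and passwd contents, the user names and the helper function names are constructed for illustration.

```python
import re
from collections import defaultdict

ADMIN_RID = 500   # well-known Administrator RID, as stated in the message
RID_BASE = 1000   # ordinary users: RID = Unix uid + 1000, as stated in the message

# Constructed sample inputs (not taken from the thread).
SMB_CONF = """
[global]
   domain sid = S-1-5-21-123-456-789-123
   domain admin users = usera, userb
"""
PASSWD = """
usera:x:500:100::/home/usera:/bin/sh
userb:x:514:100::/home/userb:/bin/sh
userc:x:515:100::/home/userc:/bin/sh
"""

def smb_param(conf, name):
    """Return the value of a 'name = value' line in smb.conf text, or ''."""
    m = re.search(r"^\s*%s\s*=\s*(.*?)\s*$" % re.escape(name), conf, re.M | re.I)
    return m.group(1) if m else ""

def user_sids(conf, passwd):
    """Map each passwd user to the SID an NT client would see for it."""
    domain_sid = smb_param(conf, "domain sid")
    admin_list = smb_param(conf, "domain admin users")
    admins = {u.lower() for u in re.split(r"[,\s]+", admin_list) if u}
    sids = {}
    for line in passwd.strip().splitlines():
        name, _, uid = line.split(":")[:3]
        rid = ADMIN_RID if name.lower() in admins else int(uid) + RID_BASE
        sids[name] = "%s-%d" % (domain_sid, rid)
    return sids

def profile_collisions(sids):
    """Return {sid: [users]} for every SID shared by more than one user."""
    by_sid = defaultdict(list)
    for user, sid in sids.items():
        by_sid[sid].append(user)
    return {sid: sorted(users) for sid, users in by_sid.items() if len(users) > 1}

if __name__ == "__main__":
    sids = user_sids(SMB_CONF, PASSWD)
    for user, sid in sorted(sids.items()):
        print("%-6s %s" % (user, sid))
    for sid, users in profile_collisions(sids).items():
        print("shared ProfileList key %s: %s" % (sid, ", ".join(users)))
```
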

