LookupAccountSid and trust relationship

Armand Welsh armand at welshhome.org
Thu Dec 14 18:25:02 GMT 2000


I have a similar problem.  What I noticed (I think it's documented in a .txt
file somewhere in the CVS tree) is that the win2K system does not consider
Domain Admins to be a member of the Administrators group.  And it's not the
same group.  Administrators is the local system administrators group.  Since
samba doesn't support trusts yet, you cannot add the Domain Admins group,
or the domain user, to the administrators group on your win2k system (this
function requires trusts to communicate the exchange of rights/perms).

Can anyone confirm or deny this?

What I am going to try is to see if I can generate a new group
(Administrators) for the domain, which is inherently a member of the
Administrators group on the machine, while the machine is participating in
the domain.  Though I still don't think it would work, since the trust
relationships can't exist yet.

Any word on when this will be working?  Should I try samba-tng instead for
this support?

Armand Welsh

----- Original Message -----
From: "Torsten Curdt" <tcurdt at dff.st>
To: <samba-ntdom at lists.samba.org>
Sent: Thursday, December 14, 2000 12:40 AM
Subject: LookupAccountSid and trust relationship


> Something seems to be wrong with our/the W2k<->Samba 2.2.0 CVS
> trust relationship!
>
> 1. Our domain admins have almost no rights to do anything!
> 2. I cannot grant rights to the "domain users" group
>    (how is the domain users group defined?)
>
> I'm somehow lost but tried to track this down:
>
> In our smb.conf we have "domain admin users = root"
> and no "domain admin group"
>
> I now logged in as DFF\root (=domain admin) and executed
> "gpresult" from the W2k resource kit. This is what I get:
>
> ###############################################################
>   User Group Policy results for:
>   DFF\root
>   Domain Name:          DFF
>   Domain Type:          Windows NT v4
>   Roaming profile:      \\mogh\profiles\root
>   Local profile:        C:\Dokumente und Einstellungen\root.DFF
>   The user is a member of the following security groups:
> LookupAccountSid failed with 1789.
>         \Jeder
>         VORDEFINIERT\Benutzer
> LookupAccountSid failed with 1789.
>         \LOKAL
>         NT-AUTORIT-T\INTERAKTIV
>         NT-AUTORIT-T\Authentifizierte Benutzer
> ###############################################################
> Last time Group Policy was applied: Mittwoch, 13. Dezember 2000 at 15:33:09
> ###############################################################
>   Computer Group Policy results for:
>   DFF\SHODAN$
>   Domain Name:          DFF
>   Domain Type:          Windows NT v4
>   The computer is a member of the following security groups:
>         VORDEFINIERT\Administratoren
>         \Jeder
>         NT-AUTORIT-T\Authentifizierte Benutzer
> ###############################################################
>
> Seems like the machine is fully accepted but not the user
> so gets only really limited access.
>
> Can someone with more insight comment on this, please ;-)
> --
> Torsten
>
>




