win2k client and domain groups [Samba as PDC]
Ivan F. Poddubny
ivan at inviosoftware.com
Mon Aug 12 14:53:01 GMT 2002
I'm running into an interesting problem with a win2k client system joining a PDC on Samba.
The PDC (called DOMAIN) is configured with "domain admin group = @dadmins" and the client is able
to successfully join the domain.
Let's assume that we're logging in to a win2k machine called COMPUTER as a member of @dadmins. Now,
let's open Computer Management -> Local Users and Groups -> Groups -> Administrators.
The entries will be (this is an example):
Administrator (this is a local account)
As far as I understand, the record unix_group.[blah-blah] represents @dadmins and shows
the absence of unix <-> windows group translation (my guess is this should be Domain Admins,
as a native Windows group).
However, if the second entry is somehow removed (intruder, mistake, etc.) the user is unable to
log in: his username/password will be accepted and then he will have a continuously restarting
explorer. Moreover, if the user is removed from the domain admins group, he is unable to log in at all (I
assume that this is a problem of permissions conflict -- he had full control and now he has limited
control, but the profile still keeps the full control setting).
Here is another problem: if you delete this DOMAIN entry, you can't create it again:
Windows doesn't know anything about unix_group.2147483404. It has Domain Admins, but if
you try to add it, the client will respond with an error -- "no such group".
Any comments/suggestions on how to fix this?