win2k client and domain groups [Samba as PDC]

Ivan F. Poddubny ivan at
Mon Aug 12 14:53:01 GMT 2002

Hi there,

I'm running into interesting problem with win2k client system joining PDC on Samba.
PDC (called DOMAIN) configured with "domain admin group = @dadmins" and client is able 
to successfully join the domain.

Let assume that we're logging in to win2k called COMPUTER as member of the @dadmins. Now, 
lets open Computer Management -> Local Users and Groups -> Groups -> Administrators

The entries will be (this is an example):

Administrator (this is local account)

As far as I understand, record unix_group.[blah-blah] represents @dadmins and shows
absence of unix <-> windows groups translation (my guess is this is should be Domain Admins,
as a native Windows group).

However, if the second entry somehow removed (intruder, mistake, etc.) the user is unable to 
login: his username/password will be accepted and then he will have continuously restarted 
explorer. Moreover, if user removed from domain admins group, he is unable to login at all (I
assume that this is problem of permissions conflict -- he had full control and no he has limited 
control, but profile still keeps full control setting).

Here is another problem: if you're deleting this DOMAIN entry, you can't create it again: 
Windows doesn't know anything about unix_group.2147483404. It has Domain Admins, but if
you try to add it, client will respond with error -- "no such group".

Any comments/suggestion how to fix this?


More information about the samba-technical mailing list