[SOLVED] Re: Domain Admins group login problem
mag at fbab.net
Tue Oct 5 19:20:13 GMT 2004
Magnus Naeslund(t) wrote:
> I have created an user called "administrator" and put him in the "Domain
> Admins" group. But i still can't login to an workstation locked by a
> normal user, my understanding is that this should be possible.
> I would like to use this feature instead of remotely halting the machine
> via RPC, since i can't shut down any running applications properly that
> Does anyone have any hints on why this isn't working?
> What can i do to diagnose the problem?
I found the culprit.
It seems i have several settings of SIDs, somehow:
# net groupmap list | grep "Domain Admins"
Domain Admins (S-1-5-21-1139503581-2081492216-1016250002-512) -> -1
Domain Admins (S-1-5-21-3362401822-3553543735-2186158373-512) -> -1
Domain Admins (S-1-5-21-2791008503-3756625420-194637083-512) -> -1
Domain Admins (S-1-5-21-2446030268-2947044208-566748700-512) -> -1
When i modified the entry with the Samba PDC's SID to map to a unix
group, it worked. The problem was that i earlier only issued
nrgroup="Domain Admins" so it took the first one. Maybe the net command
should warn if there is several groups that are named the same name?
Will the multiple SIDs cause any problems?
Are they old SIDs from old installations, or are they supposed to be there?
And now i figure i should have probably mailed the samba general list
More information about the samba-technical