[SOLVED] Re: Domain Admins group login problem

Magnus Naeslund(t) mag at fbab.net
Tue Oct 5 19:20:13 GMT 2004


Magnus Naeslund(t) wrote:
> I have created a user called "administrator" and put him in the "Domain 
> Admins" group. But I still can't log in to a workstation locked by a 
> normal user, my understanding is that this should be possible.
> 
> I would like to use this feature instead of remotely halting the machine 
> via RPC, since I can't shut down any running applications properly that 
> way.
> 
> Does anyone have any hints on why this isn't working?
> What can I do to diagnose the problem?
> 
> Magnus
> 

I found the culprit.
It seems I have several settings of SIDs, somehow:

# net groupmap list | grep "Domain Admins"
Domain Admins (S-1-5-21-1139503581-2081492216-1016250002-512) -> -1
Domain Admins (S-1-5-21-3362401822-3553543735-2186158373-512) -> -1
Domain Admins (S-1-5-21-2791008503-3756625420-194637083-512) -> -1
Domain Admins (S-1-5-21-2446030268-2947044208-566748700-512) -> -1

When I modified the entry with the Samba PDC's SID to map to a unix 
group, it worked. The problem was that I earlier only issued 
ntgroup="Domain Admins" so it took the first one. Maybe the net command 
should warn if there are several groups that have the same name?

Will the multiple SIDs cause any problems?
Are they old SIDs from old installations, or are they supposed to be there?

And now I figure I should have probably mailed the samba general list 
instead :/

Regards,
Magnus
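
Added example (not part of the original post, and not Samba code): a small Python check that parses `net groupmap list` output like the listing above, reports NT group names that occur under more than one SID, and marks which entry falls under the server's domain SID and whether it is mapped. The domain SID below is an assumption picked from the listing for illustration, since the post does not say which one is the PDC's; on a real server it would come from `net getlocalsid`.

```python
import re
from collections import defaultdict

# `net groupmap list` output as quoted in the message above.
SAMPLE = """\
Domain Admins (S-1-5-21-1139503581-2081492216-1016250002-512) -> -1
Domain Admins (S-1-5-21-3362401822-3553543735-2186158373-512) -> -1
Domain Admins (S-1-5-21-2791008503-3756625420-194637083-512) -> -1
Domain Admins (S-1-5-21-2446030268-2947044208-566748700-512) -> -1
"""
# Assumption for illustration only: the post does not identify the PDC's SID.
ASSUMED_DOMAIN_SID = "S-1-5-21-2791008503-3756625420-194637083"

# One mapping per line: <NT group name> (<SID>) -> <unix group or -1>
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[0-9-]+)\) -> (?P<unix>.+)$")

def parse_groupmap(text):
    """Return [(nt_name, sid, unix_group)] for every well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries

def audit(text, domain_sid):
    """Return {nt_name: [entry, ...]} for names that appear under several SIDs."""
    by_name = defaultdict(list)
    for name, sid, unix in parse_groupmap(text):
        by_name[name].append({
            "sid": sid,
            # The domain part of a SID is everything before the final RID.
            "in_domain": sid.rsplit("-", 1)[0] == domain_sid,
            # "-1" is how the listing above shows an entry with no unix group.
            "mapped": unix != "-1",
        })
    return {name: rows for name, rows in by_name.items() if len(rows) > 1}

if __name__ == "__main__":
    for name, rows in audit(SAMPLE, ASSUMED_DOMAIN_SID).items():
        print(f"{name}: {len(rows)} entries share this name")
        for r in rows:
            where = "domain SID" if r["in_domain"] else "other SID"
            state = "mapped" if r["mapped"] else "unmapped (-1)"
            print(f"  {r['sid']}  {where}, {state}")
```

An ambiguous name is the case where a modify by group name alone can land on the wrong entry, so addressing the entry by its SID avoids the guess.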




More information about the samba-technical mailing list