[Samba] NT Administrator account changes permissions when logging onto samba server

Michael J. Luevane mikel at quantecllc.com
Tue Oct 29 17:34:40 GMT 2002 

Answers below...

> -----Original Message-----
> From: samba-admin at lists.samba.org [mailto:samba-admin at lists.samba.org]On
> Behalf Of Buchan Milne
> Sent: Tuesday, October 29, 2002 1:26 AM
> To: Michael J. Luevane
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] NT Administrator account changes permissions when
> logging onto samba server
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > Message: 7
> > From: "Michael J. Luevane" <mikel at quantecllc.com>
> > To: "Samba at Lists. Samba. Org" <samba at lists.samba.org>
> > Date: Mon, 28 Oct 2002 15:46:53 -0800
> > Subject: [Samba] NT Administrator account changes permissions when
> logging onto samba server
> >
> > Hello, all
> >
> > I have a problem with my administrator accounts on WinNT with Samba.
> >
> > When I log in locally as the Administrator, it works as
> expected - I *am*
> > the administrator for the machine.
> >
> > When I log into the domain as Administrator, it works as expected - I
> log in
> > as root.
>
> But do you have admin rights on the local machine? Ie, can you add users
> etc.?

I have admin rights on the local machine when I am NOT logged into the
domain. I do NOT have admin rights when I AM logged into the domain.

>
>
> >
> > The prolem comes when I try to do anything on the local machine as
> > Administrator (logged into the Samba server). The problem is that any NT
> > permissions that I've put onto the Administrator account are not there
> when
> > I'm logged in on the domain. When I go back to logging in locally,
> > permissions are all fine.
>
> You must apply permissions/rights/group memberships to the domain
> account you are going to use, when logged in with an account with local
> admin rights (local Administrator or Domain Admin).
>

I *did* apply the correct permissions to the local account (root,
administrator both) and they are applied correctly when I log in locally.
When I log into the domain, the permissions are gone and when I try to chane
the permissions I get an error - Incorrect Function.

> >
> > What I'm trying to do is to run Veritas' BackupExec on an NT
> server and be
> > able to backup files on the linux box (main server). When I try
> to run the
> > front end I get a permissions error - that the account must be an
> > administrator or a backup operator.
>
> When ou are running it as which user?

Any account that was given administrator priveleges locally - administrator,
root

> >
> > I go into the Administrator account (local) and set the backup account
> > to
> > Administrator *and* backup operator. Log back in. Locally, it's fine.
> >
> > Log into the domain - those permissions are not set, so I cannot run the
> > backup program.
>
> Local backup account?

Sorry - :) "I go into the Administrator account and give the account I want
to use to do backups with both administrator *and* backup operator rights.

>
> Could you post your smb.conf (or mail it to me privately), and if you
> are using something like 'username map = /etc/samba/smbusers', please
> include the username map file (/etc/samba/smbusers).
>
> I suspect that you haven't got root included in your 'domain admin group'.
>

# Samba config file created using SWAT
# from localhost.localdomain (127.0.0.1)
# Date: 2002/10/28 14:19:07

# Global parameters
[global]
	workgroup = QUANTEC2
	netbios name = QSERVER
	server string = Quantec Server running Samba Server %v
	encrypt passwords = Yes
	username map = /var/lib/samba/maps/user.map
	unix password sync = Yes
	log file = /var/log/samba/log.%m
	max log size = 50
	deadtime = 15
	socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=4096 SO_SNDBUF=4096
	printcap name = lpstat
	domain admin group = root
	add user script = /usr/sbin/useradd  -d /dev/null -g 100 -s /bin/false -M
%u
	logon script = logon.bat
	logon path = \\%N\profiles\%u
	logon drive = Z:
	logon home = \\%N\homes\%u
	domain logons = Yes
	os level = 64
	preferred master = True
	domain master = True
	wins support = Yes
	winbind uid = 10000-20000
	winbind gid = 10000-20000
	winbind cache time = 30
	winbind use default domain = Yes
	hosts allow = 127. 10.
	printing = cups

[homes]
	comment = Home Directories
	path = /home/
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	guest ok = Yes
	printable = Yes
	print command = lpr-cups -P %p -o raw %s -r   # using client side printer
drivers.
	browseable = No

[print$]
	path = /var/lib/samba/printers
	write list = @adm root

[pdf-generator]
	comment = PDF Generator (only valid users)
	path = /var/tmp
	printable = Yes
	print command = /usr/share/samba/scripts/print-pdf %s ~%u \\\\\\\\%L\\\\%u
%m %I &

[public]
	comment = Public space with read-write access
	path = /mnt/common/home/local/samba-public
	read only = No

[Common files]
	comment = Quantec common files directory
	path = /mnt/common
	force group = Staff
	read only = No
	directory mask = 0777
	inherit permissions = Yes
	inherit acls = Yes
	vfs object = /usr/lib/samba/vfs/recycle.so
	vfs options = /etc/samba/recycle.conf

[Phaer850]
	comment = Tektronix Phaser 850DP color printer
	path = /tmp
	printable = Yes

[netlogon]
	comment = NT's netlogon share - where the logon.bat file lives
	path = /var/lib/samba/netlogon
	write list = root ntadmin
	browseable = No

[profiles]
	comment = Path to user profiles
	path = /var/lib/samba/profiles
	read only = No
	create mask = 0600
	directory mask = 0700

More information about the samba mailing list