paul k paul at subsignal.org
Tue Aug 5 01:33:07 GMT 2003

Beast wrote:

> It helped me much, because I thought the groupmap was just cosmetic on
> this release and still not usable :-)
> Glad to see that it works, it gives me confidence to try it
> harder.
> May I know how you do it?
> This is my environment:
> RH9, samba 3.0b3, openldap 2.1.21
> All accounts are on ldap
> [root at potato root]# net groupmap list
> Domain Admins (S-1-5-21-2897595519-3619093474-3625347041-512) -> root
> [root at potato root]# getent passwd |grep administrator
> administrator:x:0:0:Administrator:/home/administrator:/sbin/nologin
> [root at potato root]# getent group |grep administrator
> administrator:x:0:
> [root at potato root]# pdbedit -Lv administrator
> Unix username:        administrator
> NT username:          administrator
> Account Flags:        [U          ]
> User SID:             S-1-5-21-2897595519-3619093474-3625347041-1000
> Primary Group SID:    S-1-5-21-2897595519-3619093474-3625347041-1001
> Full Name:            Administrator
> Home Directory:
> HomeDir Drive:
> Logon Script:         logon.bat
> Profile Path:
> Domain:               DJKT
> Account desc:
> ...
> With admin uid 0, I can use admin to add machine trust, but when logging in, the w2k
> client cannot recognize it as domain admin (i.e. cannot change the IP
> address on the client machine etc.)
Looks good so far. Make sure your "Administrator" is a member of your 
"Domain Admin" group. I'm not sure how samba checks that, but 
there are only two possible ways to do it that I can think of right now.

1. Change the "Primary Group SID" of your Administrator to the SID of the 
"Domain Admins" global group.

2. Add something like "memberUID: Administrator" to the corresponding 
UNIX group of your "Domain Admins" group.

good luck

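As an added example (not from the thread), a small POSIX shell check for option 2 above: it reads `net groupmap list` and `getent group` output, verifies that the UNIX group mapped to "Domain Admins" (well-known RID 512) lists the user as an explicit member, and emits the LDIF that would add the `memberUid`. The sample outputs and the group DN are constructed stand-ins, not the poster's real directory.

```shell
# Added example, not from the thread: check whether a user is an explicit member
# of the UNIX group Samba maps to "Domain Admins" (option 2 in the reply) and emit
# the LDIF that adds the memberUid. The samples below are constructed stand-ins
# for `net groupmap list` and `getent group` output on the poster's PDC.

SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-2897595519-3619093474-3625347041-512) -> root
Domain Users (S-1-5-21-2897595519-3619093474-3625347041-513) -> users'
SAMPLE_GETENT_BEFORE='root:x:0:
users:x:100:administrator,alice
administrator:x:0:'
SAMPLE_GETENT_AFTER='root:x:0:administrator
users:x:100:administrator,alice
administrator:x:0:'

# unix_group_for NTGROUP GROUPMAP_TEXT: prints the UNIX group the NT group maps to.
unix_group_for() {
    printf '%s\n' "$2" | awk -v g="$1" 'index($0, g " (S-") == 1 { print $NF }'
}

# rid_of NTGROUP GROUPMAP_TEXT: prints the RID (last SID component) of the mapping.
rid_of() {
    printf '%s\n' "$2" | awk -v g="$1" 'index($0, g " (S-") == 1 {
        sid = $(NF-2); gsub(/[()]/, "", sid); n = split(sid, p, "-"); print p[n] }'
}

# is_member USER UNIXGROUP GETENT_TEXT: succeeds if USER is in the group's member list.
# Only explicit members (memberUid) appear here; a user's primary GID does not.
is_member() {
    printf '%s\n' "$3" | awk -F: -v g="$2" '$1 == g { print $4 }' \
        | tr ',' '\n' | grep -qx "$1"
}

# check_domain_admin USER GROUPMAP_TEXT GETENT_TEXT: prints ok, not-a-member,
# bad-rid (mapping lacks the well-known Domain Admins RID 512) or unmapped.
check_domain_admin() {
    grp=$(unix_group_for "Domain Admins" "$2")
    if [ -z "$grp" ]; then echo unmapped
    elif [ "$(rid_of "Domain Admins" "$2")" != 512 ]; then echo bad-rid
    elif is_member "$1" "$grp" "$3"; then echo ok
    else echo not-a-member
    fi
}

# ldif_add_member GROUP_DN USER: LDIF for option 2; the DN is a placeholder for your tree.
ldif_add_member() {
    printf 'dn: %s\nchangetype: modify\nadd: memberUid\nmemberUid: %s\n' "$1" "$2"
}

check_domain_admin administrator "$SAMPLE_GROUPMAP" "$SAMPLE_GETENT_BEFORE"   # not-a-member
```

On a real PDC, replace the sample variables with `"$(net groupmap list)"` and `"$(getent group)"`, and pipe the LDIF into `ldapmodify` against your own group DN.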