[Samba] Re: DID ANYBODY HERE...
paul k
paul at subsignal.org
Tue Aug 5 01:33:07 GMT 2003
Beast wrote:
> It helped me a lot, because I thought the groupmap was just cosmetic in
> this release and still not usable :-)
> Glad to see that it works; it gives me confidence to try it
> harder.
>
> May I know how you do it?
>
> This is my environment:
> RH9, samba 3.0b3, openldap 2.1.21
> All accounts are on ldap
>
> [root at potato root]# net groupmap list
> Domain Admins (S-1-5-21-2897595519-3619093474-3625347041-512) -> root
> [root at potato root]# getent passwd |grep administrator
> administrator:x:0:0:Administrator:/home/administrator:/sbin/nologin
> [root at potato root]# getent group |grep administrator
> administrator:x:0:
> [root at potato root]# pdbedit -Lv administrator
> Unix username: administrator
> NT username: administrator
> Account Flags: [U ]
> User SID: S-1-5-21-2897595519-3619093474-3625347041-1000
> Primary Group SID: S-1-5-21-2897595519-3619093474-3625347041-1001
> Full Name: Administrator
> Home Directory:
> HomeDir Drive:
> Logon Script: logon.bat
> Profile Path:
> Domain: DJKT
> Account desc:
> ...
>
> With admin uid 0, I can use admin to add a machine trust, but when I log in, the w2k
> client does not recognize it as domain admin (i.e. cannot change the IP
> address on the client machine etc.)

Looks good so far, make sure your "Administrator" is a member of your
"Domain Admin" group. I'm not sure about how samba checks that, but
there are only two possible ways to do it I can think of right now.

1. Change the "Primary Group SID" of your Administrator to the SID of the
   "Domain Admins" global group.
2. Add something like "memberUID: Administrator" to the corresponding
   UNIX group of your "Domain Admins" group.

Good luck
Paul