[Samba] Re: samba 3 b3 and nt accounts

Failed Access mdonovan at edwtech.com
Tue Aug 5 11:33:10 GMT 2003


paul k wrote:
> Failed Access wrote:
>> Okidokey things are flying here
>> However
>> I am a domain admin and as such when I logon to a win 2k/xp system I 
>> should be able to access the system stuff (like changing the domain) 
>> as well as certify a new machine to the domain.
> Who granted you "domain admin" rights? SAMBA PDC? Win2k PDC?

Okay here goes
In samba my user "mdonovan" is able to join machines to the domain (just 
like the administrators in windows NT) all of the domain admins can do 
this (here's a pipe out of the groupmap list) less uninteresting stuff.

Domain Users (S-1-5-21-858401647-391996865-4547331-513) -> smbuser
Domain Guests (S-1-5-21-858401647-391996865-4547331-514) -> smbguests
Power Users (S-1-5-32-547) -> smbsys
Administrators (S-1-5-32-544) -> smbadmin
Domain Admins (S-1-5-21-858401647-391996865-4547331-512) -> smbadmin

Now then the unix user (mdonovan) is part of both smbadmin and smbsys
I've stared at the way the PDC does this junk and it looks like 
Administrators/Power Users are just local groups (how annoying) also the 
very short SID in linux points to this solution too I think.

Now then when you look at the (samba's) Domain Admins group in an NT 
group manager thing you can see mdonovan however when you look at 
Administrators (samba) you can't see squat. :c(

>> With the Samba user however I log onto the machine now and no longer 
>> have my admin rights to change settings :c(
> What do you mean with "samba user"?

Oops okidokey I change my machine to the test domain and login as 
mdonovan (my account imported from the NT PDC)

> Generally speaking, if you have a user account at the samba PDC, set up 
> groupmapping stuff correctly, added yourself to the "Domain 
> Administrators" Group you should be "Administrator" on a Win2k/XP box, 
> since the (samba)"Domain Administrators" Group is added to the local 
> "Administrators" Group.

Yeah that's how I understood it too.. :c(
However it looks like (in the old NT domain) the local machines looked 
to the "Local" group named Administrators on the PDC as opposed to 
mapping the NT "Domain Administrators" into the machine's 
"Administrators" group. :c( darn m!crosoad and their kooky software!

> However you're still not allowed to join the 
> machine to the domain, for this your (unix) UID number has to be 0 
> (i.e. you have to be root).

Actually the joining a machine to the domain is the one thing I can do! 
:c/ odd! (I know in 2.2 only root could do this but this has changed in 
samba 3)

>> (I hate this quirk of xp/2k
>> it's almost enough reason to fire the darn thing out of a real big 
>> cannon but sadly windows is here to stay *gripe gripe moan moan*)
>> As the same user though I am able to log a machine into the domain... 
>> which means it does think I'm a domain admin
>> Anyways anyone got ideas on this issue?
>> Any more info I could post to help?
> I'm still somewhat unclear about your setup, specifically your users ;)

Okay the setup from the top (at the end? now that makes sense Matthew 
*slaps self round the back of the head*)
The current working domain is a NT4 PDC with two NT4 BDCs
The domain has a set of Global groups Domain Admins/Domain users/Domain 
It then has a group of "local" groups Administrators, Power Users, Users 
Windows workstations (win2k and xp) appear to map these "local" groups 
over their own local groups (makes sense in an obscenely stupid way)
So now I in the NT domain being a member of the domain admins group and 
a member of the Administrators group can join a machine to the domain 
and I can edit the settings on the pc (ergo install software!)
All of our fileshares live on linux servers which share through samba.
Now as opposed to upgrading our nt boxes to 2000 server (my words at the 
mention being I'd rather cut off my own arms and legs and eat them raw!)

I now have a test samba 3 b3 server set up on a test box running deadrat 
7.3 I have migrated our users, machines and groups from the sam of the 
PDC into a tdbsam backend. Groups in linux are set up to include the 
correct users and such and test the domain under a different name.
So all the users in the samba domain are identical (well as identical as 
it's possible to be) as those in the NT domain. This problem with groups 
is my one and only remaining block to scrapping the NT 
boxes. I have plans for a workaround but I hate having to do workarounds.

I think one of the problems is that when I vampire the SAM it sets all 
the NT groups to be "builtin" so I can't differentiate between local and 
global which is probably cheesing off the win 2k/xp workstations. *DOH*

Anyways have I made it any clearer coz I think I may have confused 
myself somewhere.

Matt D

> greets
>  Paul
>> Very irritating problem...
>> Matt D.
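A small classification check for the local-versus-domain group question discussed in this thread, added here as an illustration and not part of the post or of Samba itself: it parses a groupmap listing (the sample is constructed from the one quoted above), marks S-1-5-32-* entries as BUILTIN aliases that are local to the machine holding them, and reports which mapped groups a user in given unix groups actually carries to a joined workstation. The function names, the sample text and the two-way scope split are assumptions of the example.

```python
import re

# Constructed sample modelled on the groupmap listing quoted in the post; not a live run.
GROUPMAP_OUTPUT = """\
Domain Users (S-1-5-21-858401647-391996865-4547331-513) -> smbuser
Domain Guests (S-1-5-21-858401647-391996865-4547331-514) -> smbguests
Power Users (S-1-5-32-547) -> smbsys
Administrators (S-1-5-32-544) -> smbadmin
Domain Admins (S-1-5-21-858401647-391996865-4547331-512) -> smbadmin
"""

# S-1-5-32-* is the BUILTIN authority: such entries are local aliases of the machine that
# holds them (here the PDC), so membership in them does not travel to a joined workstation.
BUILTIN_PREFIX = "S-1-5-32-"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Parse 'Name (SID) -> unixgroup' lines into dicts; scope is 'builtin' or 'domain' (assumed split)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a mapping line
        sid = m.group("sid")
        entries.append({"name": m.group("name"), "sid": sid, "rid": int(sid.rsplit("-", 1)[1]),
                        "unix": m.group("unix"),
                        "scope": "builtin" if sid.startswith(BUILTIN_PREFIX) else "domain"})
    return entries

def domain_groups_for_user(entries, unix_groups):
    """Domain-scoped groups a user carries to a joined workstation, given their unix groups."""
    return sorted({e["name"] for e in entries
                   if e["unix"] in unix_groups and e["scope"] == "domain"})

def builtin_only_unix_groups(entries):
    """Unix groups mapped solely to BUILTIN aliases: membership there conveys nothing to workstations."""
    scopes = {}
    for e in entries:
        scopes.setdefault(e["unix"], set()).add(e["scope"])
    return sorted(u for u, s in scopes.items() if s == {"builtin"})

if __name__ == "__main__":
    maps = parse_groupmap(GROUPMAP_OUTPUT)
    print("carried to workstations:", domain_groups_for_user(maps, {"smbadmin", "smbsys"}))
    print("builtin-only unix groups:", builtin_only_unix_groups(maps))
```

For the quoted listing this reports that a member of smbadmin and smbsys carries only "Domain Admins" to a workstation, while smbsys is mapped to a BUILTIN alias alone.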
