[Samba] Problem with "domain admin group"

Paul E Parsons paul.parsons at dnit.co.uk
Sat Jul 19 21:06:25 GMT 2003


I'm pretty much a newbie myself, but I have just managed to set up a network
such that Samba is acting as a PDC. I'm using Mandrake 9.1 and Win2K. I have
some observations about what you've done which may help:

1. Your add user script isn't quite the one recommended in the O'Reilly
book. Mine is:
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
The differences aren't great. I note that it's adding the group by number,
not name - but I guess this doesn't matter. Yours is probably OK.
2. I assume that you've successfully configured a DNS server in your domain?
I think this is a necessary pre-requisite. (I'd never done this before and
it seemed a bit of a black art, but I got there in the end.)
3. I think the order to do things in is:
(a) Use "smbpasswd -a root" to add the root user to samba. (This may need to
be the first user to be added in this way.) You should (for security
reasons) specify a different password from root's linux password. In your
case, I guess you may need to reveal this to your users if they are to add
their own workstations to the domain - which is a really good reason for
choosing something different from your real root password!
(b) Attempt to add the workstation into the domain. Whoever attempts to do
this needs to have administrator privileges on the Win2K m/c. Control
Panel/System/Network Identification/Properties. When it asks for a username
and password, give it "root" and the root password you gave to smbpasswd in
the previous step. Then cross your fingers and hope it works. If it's
working, it will probably take a while. (My understanding of what's going on
at this point is a guess, so if anybody wants to correct me, feel free... at
no point do you tell it a samba password for the machine, so I think the
Win2K m/c probably chooses one randomly, encrypts it and passes it to Samba
to remember. This allows Samba to authenticate communication from the Win2K
machine in the future. So, if you muck about with the workstation's password on
the server, you're screwed.) There's no more to be done on the Workstation.
(c) Once the m/c is in the domain, you just need to create users in Linux
(with useradd) and in Samba (with smbpasswd) and they are automatically
domain users who can log in at any workstation in the domain, providing
you've done everything else in smb.conf that you need.
(d) I'm not sure if you understand what "domain admin group" means. It means
that once the workstation is in the domain, the users specified by that
option are domain administrators. i.e. if one of them logs in at a
workstation in the domain, Win2K is to give them administrator privileges.

I found that I got this working quite quickly once I got "named" to work and
bought the Using Samba book published by O'Reilly. It's authoritative and
clears up the ambiguities in the online documentation I was trying to use.

I also stopped using SWAT because I was never quite sure what it was up to.

Hope that helps. Feel free to email me at my home address. Just
replace the words with the symbols: paulatpeparsonsdotcom


> -----Original Message-----
> From: Corey Hart [mailto:chart at acad.stedwards.edu]
> Sent: 18 July 2003 20:07
> To: 'samba at lists.samba.org'
> Subject: [Samba] Problem with "domain admin group"
> We are just now setting up all our machines in SAMBA. The problem is there are
> over 1000+ machines which are too many to enter by hand into /etc/passwd. I went
> and added every user account to a group in /etc/group and called it
> "tempadmin". In smb.conf I set
> domain admin group = @tempadmin
> But people who are trying to add their machines are getting access denied. The
> only account that can add machines to the domain is root. Since I know root can
> add machines I assume my add user script is running correctly.
> add user script = /usr/sbin/useradd -d /dev/null -g machines -c Machine -s /bin/false -M %u
> Any ideas?
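As an added example (not part of this thread, and not Samba's own code), here is a small Python check of the two smb.conf options the thread turns on: whether the group named in "domain admin group" exists, and whether the "add user script" creates machine accounts in an existing group with a non-login shell. The smb.conf and /etc/group contents are constructed, modelled on the values quoted above.

```python
import shlex

# Constructed sample inputs, modelled on the settings quoted in the thread.
SMB_CONF = """
[global]
  workgroup = EXAMPLE
  domain logons = yes
  domain admin group = @tempadmin
  add user script = /usr/sbin/useradd -d /dev/null -g machines -c Machine -s /bin/false -M %u
"""

ETC_GROUP = """root:x:0:
users:x:100:
tempadmin:x:1001:alice,bob
"""

def parse_global(conf):
    """Return the key/value pairs of the [global] section, keys lowercased."""
    settings, section = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def parse_groups(text):
    """Map group name -> (gid, [members]) from /etc/group style text."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            name, _, gid, members = fields
            groups[name] = (gid, [m for m in members.split(",") if m])
    return groups

def check_pdc_settings(conf, group_text):
    """Return a list of findings about the options discussed in the thread."""
    s, groups = parse_global(conf), parse_groups(group_text)
    by_gid = {gid: name for name, (gid, _) in groups.items()}
    findings = []
    for token in s.get("domain admin group", "").split():
        if token.startswith("@") and token[1:] not in groups:
            findings.append(f"domain admin group references unknown group {token}")
    script = s.get("add user script")
    if not script:
        findings.append("add user script is not set: machine accounts cannot be created")
        return findings
    argv = shlex.split(script)
    opts = dict(zip(argv, argv[1:]))  # crude option -> following-token map
    grp = opts.get("-g")
    if grp and grp not in groups and grp not in by_gid:
        findings.append(f"add user script -g {grp}: group does not exist (by name or gid)")
    if opts.get("-s") != "/bin/false":
        findings.append("add user script: machine accounts should get a non-login shell")
    if "%u" not in argv:
        findings.append("add user script: missing %u, the account name Samba substitutes")
    return findings
```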
