[Samba] Re: What makes an account is DOMAIN ADMINISTRATOR?
paul
paul at subsignal.org
Fri Jul 25 19:54:16 GMT 2003
Beast wrote:
> Friday, July 25, 2003, 3:58:57 PM, Beast wrote:
>
>
>>Friday, July 25, 2003, 2:58:54 PM, Alex wrote:
>
>
>>>Look into the command 'net groupmap', here is where it lies.
>
>
>>>for example net groupmap add unixgroup=domainadmins ntgroup="Domain Admins"
>>>type=domain
>
>
>>>this will map your local group domainadmins to Domain Admins, so that
>>>windows understands it.
>>>If you already have groupmaps set up but no groups map to them use net
>>>groupmap modify.
>
>
>>This is my initial map from fresh install :
>>[root at potato root]# net groupmap list
>>System Operators (S-1-5-32-549) -> -1
>>Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
>>Replicators (S-1-5-32-552) -> -1
>>Guests (S-1-5-32-546) -> -1
>>Domain Guests (S-1-5-21-682855339-941891451-1873685625-514) -> -1
>>Power Users (S-1-5-32-547) -> -1
>>Print Operators (S-1-5-32-550) -> -1
>>Administrators (S-1-5-32-544) -> -1
>>Account Operators (S-1-5-32-548) -> -1
>>Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> -1
>>Backup Operators (S-1-5-32-551) -> -1
>>Users (S-1-5-32-545) -> -1
>
>
>>I have the root user in smbpasswd and did not put his group in
>>"Administrators" or "Domain Admins", but why is it able to add a machine
>>trust account from a Win2k client? Any explanation?
>
>
>>Tks.
>
>
> Another problem :(
>
> I create an ordinary unix user and put it in the smbadmin unix group.
>
> smbadmin:x:999:beast
>
> I create a machine trust account (in unix and smbpasswd)
> [root at potato root]# pdbedit -L
> beast:500:
> trg02$:501:
>
>
> I map "smbadmin" to "Domain Admins" ntgroup :
>
> Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> smbadmin
>
> From Win2000, I cannot join this client to the domain with user "beast"; it says: Login
> failure: unknown username or bad password.
> (FYI, I can log in using beast on a Win98 client, so no problem in
> username/password)
>
> So, what exactly is the requirement for Domain Admins?????
>
hi all,
sorry that I can't help. I'd love to see a decent explanation here.
From my experiments I can say that only a user with UID=0 can create
machine trust accounts (i.e. add a client to the domain), is that correct?
Another question is, are there any benefits to having the builtin groups
set up on the DC with mappings to the "well known SIDs"?
I use LDAP as a backend and if my assumptions are correct, that would
mean it is not possible to have one LDAP SAM for multiple Samba servers,
because having a user in LDAP with uid=0 would conflict with the local
root accounts.
greetings
Paul
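As an added example (not code from the thread or from Samba), here is a small audit that reads the `net groupmap list` format quoted above together with /etc/group and reports which Unix users actually end up in Administrators or Domain Admins; the sample input is constructed from the listing and the smbadmin group line in the thread.

```python
import re

# One `net groupmap list` line looks like:  NT name (SID) -> unix group, or -1 if unmapped
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")

# Constructed sample input, reusing the listing and SIDs quoted in the thread.
GROUPMAP_SAMPLE = """\
Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> smbadmin
Users (S-1-5-32-545) -> -1
"""
GROUP_FILE_SAMPLE = """\
root:x:0:
users:x:100:
smbadmin:x:999:beast
"""

def is_privileged(sid):  # BUILTIN\Administrators, or the domain's Domain Admins (RID 512)
    return sid == "S-1-5-32-544" or (sid.startswith("S-1-5-21-") and sid.endswith("-512"))

def parse_groupmap(text):
    """Parse `net groupmap list` output into {sid: (nt_name, unix_group or None)}."""
    out = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            out[m["sid"]] = (m["name"], None if m["unix"] == "-1" else m["unix"])
    return out

def parse_group_file(text):
    """Parse /etc/group-style lines into {group: [members]}."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = [u for u in members.split(",") if u]
    return groups

def audit(groupmap_text, group_text):
    """For each privileged NT group: (unix group, or None if unmapped; sorted members)."""
    groups = parse_group_file(group_text)
    result = {}
    for sid, (nt_name, unix) in parse_groupmap(groupmap_text).items():
        if is_privileged(sid):
            result[nt_name] = (unix, sorted(groups.get(unix, [])) if unix else [])
    return result

if __name__ == "__main__":
    for nt_name, (unix, members) in audit(GROUPMAP_SAMPLE, GROUP_FILE_SAMPLE).items():
        print(f"{nt_name}: {'-> ' + unix + ' ' + str(members) if unix else 'unmapped (-> -1)'}")
```

A mapping that points at a Unix group absent from /etc/group shows up with an empty member list, which is the same symptom the thread describes when nobody actually holds the right.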