[Samba] Re: What makes an account is DOMAIN ADMINISTRATOR?

paul paul at subsignal.org
Fri Jul 25 19:54:16 GMT 2003


Beast wrote:
> Friday, July 25, 2003, 3:58:57 PM, Beast wrote:
> 
> 
>>Friday, July 25, 2003, 2:58:54 PM, Alex wrote:
> 
> 
>>>Look into the command 'net groupmap', here is where it lies.
> 
> 
>>>for example net groupmap add unixgroup=domainadmins ntgroup="Domain Admins"
>>>type=domain
> 
> 
>>>this will map your local group domainadmins to Domain Admins, so that
>>>windows understands it.
>>>If you already have groupmaps set up but no groups map to them use net
>>>groupmap modify.
> 
> 
>>This is my initial map from fresh install :
>>[root at potato root]# net groupmap list
>>System Operators (S-1-5-32-549) -> -1
>>Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
>>Replicators (S-1-5-32-552) -> -1
>>Guests (S-1-5-32-546) -> -1
>>Domain Guests (S-1-5-21-682855339-941891451-1873685625-514) -> -1
>>Power Users (S-1-5-32-547) -> -1
>>Print Operators (S-1-5-32-550) -> -1
>>Administrators (S-1-5-32-544) -> -1
>>Account Operators (S-1-5-32-548) -> -1
>>Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> -1
>>Backup Operators (S-1-5-32-551) -> -1
>>Users (S-1-5-32-545) -> -1
> 
> 
>>I have root user in smbpasswd and not put his group to
>>"Administrators" or "Domain Admins" but why it able to add machine
>>trust from Win2k client? any explanation?
> 
> 
>>Tks.
> 
> 
> Another problem :(
> 
> I create ordinary unix user, put in smbadmin unix group.
> 
>   smbadmin:x:999:beast
> 
> I create machine trust account (in unix and smbpasswd)
>   [root at potato root]# pdbedit -L
>   beast:500:
>   trg02$:501:
> 
>   
> I map "smbadmin" to "Domain Admins" ntgroup :
> 
>   Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> smbadmin
> 
> From Win2000, I can not join this client to domain with user "beast", it says: Login
> failure: unknown username or bad password.
> (FYI, I can login using beast on Win98 client, so no pb in
> username/password)
> 
> So, what is exactly requirement for Domain admins?????
> 
hi all,

sorry that I can't help. I'd love to see a decent explanation here.
From my experiments I can say that only a user with UID=0 can create 
machine trust accounts (i.e. add a client to the domain), is that correct?

Another question is, are there any benefits having the builtin groups 
setup on the DC with mapping to the "well known SIDs"?

I use LDAP as a backend and if my assumptions are correct, that would 
mean it is not possible to have one LDAP SAM for multiple samba servers, 
because having a user in LDAP with uid=0 would conflict with the local 
root accounts.

greetings
     Paul
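The thread keeps circling one question: is "Domain Admins" (RID 512) actually mapped to a unix group, and which well-known groups are still unmapped (-1)? The following audit script is an added example, not code from the thread or from Samba; it assumes the `net groupmap list` output format quoted above and uses a sample constructed from that listing.

```shell
#!/bin/sh
# Added audit helper, not from the thread. It reads the text that
# `net groupmap list` prints on stdin ("NT group (SID) -> unixgroup") and
# reports which NT groups are still unmapped (-1). Assumes that output format.

# Constructed sample, taken from the listing quoted in the thread.
SAMPLE_GROUPMAP='Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> smbadmin
Domain Guests (S-1-5-21-682855339-941891451-1873685625-514) -> -1'

# stdin: groupmap listing; stdout: one "RID<TAB>NT group<TAB>unix group" per line.
parse_groupmap() {
    awk '
    NF >= 4 && $(NF-1) == "->" {
        ug = $NF                        # unix group, or -1 when unmapped
        sid = $(NF-2); gsub(/[()]/, "", sid)
        rid = sid; sub(/.*-/, "", rid)  # RID is the last SID component
        name = $1
        for (i = 2; i <= NF-3; i++) name = name " " $i
        printf "%s\t%s\t%s\n", rid, name, ug
    }'
}

# stdin: groupmap listing; prints the unix group mapped to RID $1, or -1.
unix_group_for_rid() {
    parse_groupmap | awk -F'\t' -v rid="$1" '
        $1 == rid { print $3; found = 1 }
        END { if (!found) print "-1" }'
}

# stdin: groupmap listing; prints the NT group names with no unix mapping.
unmapped_groups() {
    parse_groupmap | awk -F'\t' '$3 == "-1" { print $2 }'
}

# Demo on the constructed sample; for a real check pipe `net groupmap list` in.
printf 'Domain Admins (RID 512) -> %s\n' \
    "$(printf '%s\n' "$SAMPLE_GROUPMAP" | unix_group_for_rid 512)"
printf 'Unmapped NT groups:\n'
printf '%s\n' "$SAMPLE_GROUPMAP" | unmapped_groups
```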