[Samba] samba-3.0.0-rc4 and Domain Admins

Alexander Bergolth leo at strike.wu-wien.ac.at
Fri Sep 19 10:30:13 GMT 2003


Hi!

I am experiencing problems adding a user (e.g. smbadmin) to the "Domain 
Admins" group on my samba-PDC using the ldapsam backend.

When I add "Domain Admins" as a supplementary group, the Windows 2000 
client doesn't treat smbadmin as an admin. However, using "Domain 
Admins" as the primary group (including setting sambaPrimaryGroupSID as 
"$SID-512") works as expected: the user has administrative rights. 
Additional information is attached below.

Is this a limitation or have I missed anything?

Thanks in advance,
--leo

P.S.:
showgrps from the Resource Kit shows "Domain Admins" regardless of 
whether "Domain Admins" is a primary or supplemental group.

# net groupmap list verbose ntgroup="Domain Admins"
Domain Admins
         SID       : S-1-5-21-181998944-1107627502-2274996074-512
         Unix group: domadmins
         Group type: Domain group
         Comment   :

-------------------- snipp! --------------------
This setup works (primary group):

# net user INFO smbadmin
root password:
Domain Admins
rk

# ldapsearch -x -h localhost -b 'dc=rk-klbg,dc=at' '(uid=smbadmin)'
[...]
# smbadmin, Users, rk-klbg, at
dn: uid=smbadmin,ou=Users,dc=rk-klbg,dc=at
sn: smbadmin
homeDirectory: /home/smbadmin
loginShell: /bin/bash
gecos: System User
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: smbadmin
uidNumber: 1011
uid: smbadmin
description: System User
mail: Samba.Admin
sambaSID: S-1-5-21-181998944-1107627502-2274996074-3022
sambaAcctFlags: [UX]
sambaPwdCanChange: 2147483647
sambaLogonTime: 0
sambaNTPassword: 957191BA4FCD635074D6D691E76E5512
sambaPwdLastSet: 0
sambaLogoffTime: 2147483647
sambaLMPassword: 14AC900E269621D293E28745B8BF4BA6
sambaKickoffTime: 2147483647
gidNumber: 800
sambaPrimaryGroupSID: S-1-5-21-181998944-1107627502-2274996074-512

-------------------- snipp! --------------------
This setup doesn't work: ("Domain Admins" is a supplementary group)

net user INFO smbadmin
root password:
rk
Domain Admins

# ldapsearch -x -h localhost -b 'dc=rk-klbg,dc=at' '(uid=smbadmin)'
[...]
# smbadmin, Users, rk-klbg, at
dn: uid=smbadmin,ou=Users,dc=rk-klbg,dc=at
sn: smbadmin
homeDirectory: /home/smbadmin
loginShell: /bin/bash
gecos: System User
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: smbadmin
uidNumber: 1011
uid: smbadmin
description: System User
mail: Samba.Admin
sambaSID: S-1-5-21-181998944-1107627502-2274996074-3022
sambaAcctFlags: [UX]
sambaPwdCanChange: 2147483647
sambaLogonTime: 0
sambaNTPassword: 957191BA4FCD635074D6D691E76E5512
sambaPwdLastSet: 0
sambaLogoffTime: 2147483647
sambaLMPassword: 14AC900E269621D293E28745B8BF4BA6
sambaKickoffTime: 2147483647
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-181998944-1107627502-2274996074-3001

-- 
-----------------------------------------------------------------------
Alexander (Leo) Bergolth                          leo at leo.wu-wien.ac.at
WU-Wien - Zentrum fuer Informatikdienste       http://leo.wu-wien.ac.at
                  Computers are like air conditioners -
            they stop working properly when you open Windows
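
Added example, not part of the original message: the two ldapsearch dumps above differ in gidNumber and sambaPrimaryGroupSID, so this sketch reads LDIF and reports each account's primary group RID, labelling the well-known RIDs 512 (Domain Admins) and 513 (Domain Users). The function names and the "exampleuser" entry are assumptions made up for illustration; the smbadmin values are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Constructed LDIF, trimmed to the attributes the check reads. The first entry
# uses values from the post; "exampleuser" and its RIDs are made up.
sample_ldif() {
    cat <<'EOF'
dn: uid=smbadmin,ou=Users,dc=rk-klbg,dc=at
uid: smbadmin
sambaSID: S-1-5-21-181998944-1107627502-2274996074-3022
sambaPrimaryGroupSID: S-1-5-21-181998944-1107627502-2274996074-512

dn: uid=exampleuser,ou=Users,dc=rk-klbg,dc=at
uid: exampleuser
sambaSID: S-1-5-21-181998944-1107627502-2274996074-3024
sambaPrimaryGroupSID: S-1-5-21-181998944-1107627502-2274996074-3001
EOF
}

# Reads LDIF on stdin; prints "<uid> <primary-group RID> <label>" per entry.
primary_group_report() {
    awk '
    function rid(s,    n, p) { n = split(s, p, "-"); return p[n] }
    function dom(s) { sub(/-[0-9]+$/, "", s); return s }
    function emit(    r, label) {
        if (uid != "" && pg != "") {
            r = rid(pg)
            label = (r == "512") ? "domain-admins" : (r == "513") ? "domain-users" : "other"
            # Primary group SID outside the account domain: flag for review.
            if (dom(pg) != dom(sid)) label = label ",foreign-domain"
            print uid, r, label
        }
        uid = ""; sid = ""; pg = ""
    }
    /^#/       { next }            # LDIF comment line
    /^[ \t]*$/ { emit(); next }    # blank line ends an entry
    {
        i = index($0, ": ")
        if (i == 0) next
        key = tolower(substr($0, 1, i - 1))
        val = substr($0, i + 2)
        sub(/[ \t\r]+$/, "", val)  # drop trailing whitespace or CR
        if (key == "uid") uid = val
        else if (key == "sambasid") sid = val
        else if (key == "sambaprimarygroupsid") pg = val
    }
    END { emit() }
    '
}

sample_ldif | primary_group_report
```

Against a live directory, the same function can read the output of the ldapsearch command shown in the post in place of `sample_ldif`. It reports only the primary group; supplementary membership lives in the Unix group mapped by `net groupmap` and is not visible in these attributes.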



