[Samba] Domain Administrators Not Recognized in Samba3

Travis Groth travis at netfoo.org
Sat Apr 3 20:32:26 GMT 2004


Hi,

I've been struggling with this for a while now, and I can't figure out
what's missing.  I have a valid user, who is also a member of the "Domain
Admins" group.  I can log in with smbclient just fine, but administrative
rights aren't recognized when I try to join the domain.  The group is
mapped to the proper SID and a matching POSIX group (just in case).
The backend is ldapsam.  Here are the relevant chunks from LDAP:

dn: sambaDomainName=**********,dc=*****,dc=***
sambaDomainName: **********
sambaSID: S-1-5-21-2608521594-2523984132-290594028
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

dn: cn=Domain Admins,ou=groups,dc=******,dc=***
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 1003
sambaSID: S-1-5-21-2608521594-2523984132-290594028-512
sambaGroupType: 2
memberUid: travis

dn: uid=travis,ou=users,dc=******,dc=***
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
cn: travis
sn: travis
uid: travis
uidNumber: 1002
gidNumber: 1003
homeDirectory: /home/travis
loginShell: /bin/bash
gecos: System User
description: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2608521594-2523984132-290594028-3004
sambaPrimaryGroupSID: S-1-5-21-2608521594-2523984132-290594028-512
sambaHomeDrive: H:
sambaLogonScript: travis.cmd
sambaLMPassword: ********************************
sambaPwdLastSet: 1081021518
sambaNTPassword: ********************************

------------------------

output of 'net groupmap list':

Domain Users (S-1-5-21-2608521594-2523984132-290594028-513) -> Domain Users
Domain Admins (S-1-5-21-2608521594-2523984132-290594028-512) -> Domain Admins
Domain Guests (S-1-5-21-2608521594-2523984132-290594028-514) -> Domain Guests

------------------------

output of 'net join -d 2 -U travis *******':

[2004/04/03 15:26:50, 0] param/loadparm.c:map_parameter(2418)
  Unknown parameter encountered: "domain admin group"
[2004/04/03 15:26:50, 0] param/loadparm.c:lp_do_parameter(3056)
  Ignoring unknown parameter "domain admin group"
[2004/04/03 15:26:50, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.0.4 bcast=192.168.0.255 nmask=255.255.255.0
travis password:
[2004/04/03 15:26:52, 2] libsmb/namequery.c:name_query(484)
  Got a positive name query response from 127.0.0.1 ( 192.168.0.4 )
[2004/04/03 15:26:52, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Connection refused
[2004/04/03 15:26:52, 2] libsmb/namequery.c:name_query(484)
  Got a positive name query response from 127.0.0.1 ( 192.168.0.4 )
[2004/04/03 15:26:52, 1] utils/net_rpc.c:run_rpc_command(138)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain ************.
[2004/04/03 15:26:53, 2] utils/net.c:main(767)
  return code = 1

------------------------
smb.conf:

passdb backend = ldapsam:ldap://**********
ldap suffix = dc=*******,dc=***
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap admin dn = "cn=admin,dc=netfoo,dc=org"
ldap ssl = no

ldap delete dn = no
workgroup = **********
netbios name = *******
comment = ldap samba test server
security = user
null passwords = yes
encrypt passwords = yes
domain master = yes
domain logons = yes
preferred master = yes
os level = 255

wins support = yes

public = No
browseable = yes
writable = yes

------------------------


If anyone sees what I'm missing, it would be greatly appreciated.

Thanks

--Travis Groth


