[Samba] Domain Administrators Not Recognized in Samba3

Travis Groth lists at netfoo.org
Tue Apr 6 22:24:44 GMT 2004


Uh...yes?  root doesn't have a samba account.  'travis' is in the domain
admins group though, which is all you need to join a domain afaik.  Take
a look at the ldap chunks and 'net groupmap list' output.  It's either
something really stupid or I've uncovered a bug...according to all the
documentation I've seen and examples I've followed, I haven't missed
anything.

--Travis




On Mon, 2004-04-05 at 02:02, Ron Dhillon wrote:
> Travis,
> 
> Are you trying to join the domain with this account that is part of the 
> Domain Administrators group?  By design, Samba only allows the root 
> account to join computers to the domain.  If you are using the usermap 
> function in your smb.conf file, then you can use any name that is aliased
> to the root account.
> 
> Ron
> 
> Travis Groth wrote:
> 
> >Hi,
> >
> >I've been struggling with this for a while now, and I can't figure out
> >what's missing.  I have a valid user, who is also a member of the "Domain
> >Admins" group.  I can login with smbclient just fine, but administrative
> >rights aren't recognized when I try to join the domain.    Group is
> >mapped to the proper SID and a matching POSIX group (just in case).
> >Backend is ldapsam.  Here are the relevant chunks from ldap:
> >
> >dn: sambaDomainName=**********,dc=*****,dc=***
> >sambaDomainName: **********
> >sambaSID: S-1-5-21-2608521594-2523984132-290594028
> >sambaAlgorithmicRidBase: 1000
> >objectClass: sambaDomain
> >
> >dn: cn=Domain Admins,ou=groups,dc=******,dc=***
> >objectClass: posixGroup
> >objectClass: sambaGroupMapping
> >cn: Domain Admins
> >gidNumber: 1003
> >sambaSID: S-1-5-21-2608521594-2523984132-290594028-512
> >sambaGroupType: 2
> >memberUid: travis
> >
> >dn: uid=travis,ou=users,dc=******,dc=***
> >objectClass: top
> >objectClass: inetOrgPerson
> >objectClass: posixAccount
> >objectClass: shadowAccount
> >objectClass: sambaSAMAccount
> >cn: travis
> >sn: travis
> >uid: travis
> >uidNumber: 1002
> >gidNumber: 1003
> >homeDirectory: /home/travis
> >loginShell: /bin/bash
> >gecos: System User
> >description: System User
> >sambaLogonTime: 0
> >sambaLogoffTime: 2147483647
> >sambaKickoffTime: 2147483647
> >sambaPwdCanChange: 0
> >sambaPwdMustChange: 2147483647
> >displayName: System User
> >sambaAcctFlags: [UX]
> >sambaSID: S-1-5-21-2608521594-2523984132-290594028-3004
> >sambaPrimaryGroupSID: S-1-5-21-2608521594-2523984132-290594028-512
> >sambaHomeDrive: H:
> >sambaLogonScript: travis.cmd
> >sambaLMPassword: ********************************
> >sambaPwdLastSet: 1081021518
> >sambaNTPassword: ********************************
> >
> >------------------------
> >
> >output of 'net groupmap list':
> >
> >Domain Users (S-1-5-21-2608521594-2523984132-290594028-513) -> Domain Users
> >Domain Admins (S-1-5-21-2608521594-2523984132-290594028-512) -> Domain Admins
> >Domain Guests (S-1-5-21-2608521594-2523984132-290594028-514) -> Domain Guests
> >
> >------------------------
> >
> >output of 'net join -d 2 -U travis *******':
> >
> >[2004/04/03 15:26:50, 0] param/loadparm.c:map_parameter(2418)
> >  Unknown parameter encountered: "domain admin group"
> >[2004/04/03 15:26:50, 0] param/loadparm.c:lp_do_parameter(3056)
> >  Ignoring unknown parameter "domain admin group"
> >[2004/04/03 15:26:50, 2] lib/interface.c:add_interface(79)
> >  added interface ip=192.168.0.4 bcast=192.168.0.255 nmask=255.255.255.0
> >travis password:
> >[2004/04/03 15:26:52, 2] libsmb/namequery.c:name_query(484)
> >  Got a positive name query response from 127.0.0.1 ( 192.168.0.4 )
> >[2004/04/03 15:26:52, 1] utils/net_ads.c:ads_startup(181)
> >  ads_connect: Connection refused
> >[2004/04/03 15:26:52, 2] libsmb/namequery.c:name_query(484)
> >  Got a positive name query response from 127.0.0.1 ( 192.168.0.4 )
> >[2004/04/03 15:26:52, 1] utils/net_rpc.c:run_rpc_command(138)
> >  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
> >Create of workstation account failed
> >User specified does not have administrator privileges
> >Unable to join domain ************.
> >[2004/04/03 15:26:53, 2] utils/net.c:main(767)
> >  return code = 1
> >
> >------------------------
> >smb.conf:
> >
> >passdb backend = ldapsam:ldap://**********
> >ldap suffix = dc=*******,dc=***
> >ldap machine suffix = ou=computers
> >ldap user suffix = ou=users
> >ldap admin dn = "cn=admin,dc=netfoo,dc=org"
> >ldap ssl = no
> >
> >ldap delete dn = no
> >workgroup = **********
> >netbios name = *******
> >comment = ldap samba test server
> >security = user
> >null passwords = yes
> >encrypt passwords = yes
> >domain master = yes
> >domain logons = yes
> >preferred master = yes
> >os level = 255
> >
> >wins support = yes
> >
> >public = No
> >browseable = yes
> >writable = yes
> >
> >------------------------
> >
> >
> >If anyone sees what I'm missing, it would be greatly appreciated.
> >
> >Thanks
> >
> >--Travis Groth
> >
> >  
> >
> 
> 


