[Samba] Re: domain admin issue

Sten Sletbak Sten.Sletbak at adm.hio.no
Mon Aug 2 12:35:15 GMT 2004


In article <003901c47646$ca93f920$0b05a8c0 at trey>, Trey Nolen wrote:
> I have a new Debian testing machine running the Debian Samba 3.0.5.
> Everything seems OK except that I cannot get users to have domain admin
> rights.  I have Windows XP workstations. The workstations join and log
> onto the domain fine.
> 
> A "net groupmap list" yields:
> 
> server:/home/tnolen# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users (S-1-5-21-3876029557-4061927837-2224609541-513) -> users
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> domadm
> Domain Admins (S-1-5-21-3876029557-4061927837-2224609541-512) -> domadm
> Account Operators (S-1-5-32-548) -> -1
> Domain Guests (S-1-5-21-3876029557-4061927837-2224609541-514) -> nogroup
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> 
> My user, for example, is in the domadm group:
> server:/home/tnolen# groups tnolen
> tnolen : users domadm
> 
> I have tried several combinations of group mappings but all yield the
> same result. Basically, the user is just a regular user.
>

Have you tried:

net getlocalsid

SID for domain DOMAIN is: S-1-5-21-3876029557-4061927837-2224609541, ie. the SIDs should match.

If they don't:

1. Stop samba
2. Delete "group_mapping.tdb"
3. Start samba
4. net groupmap modify ntgroup="Domain Admins" unixgroup=domadm etc.

This should make a fresh group_mapping.tdb with correct SIDs.

Hope this helps.

Regards,

Sten Sletbak
Oslo University College




More information about the samba mailing list