[Samba] Re: domain admin issue
Sten Sletbak
Sten.Sletbak at adm.hio.no
Tue Aug 3 10:07:42 GMT 2004
In article <016101c4789e$f6019040$0b05a8c0 at trey>, Trey Nolen wrote:
>> Have you tried:
>>
>> net getlocalsid
>>
>> SID for domain DOMAIN is:
>> S-1-5-21-3876029557-4061927837-2224609541, ie. the SIDs should match.
>>
>> If they don't:
>>
>> 1. Stop samba
>> 2. Delete "group_mapping.tdb"
>> 3. Start samba
>> 4. net groupmap modify ntgroup="Domain Admins" unixgroup=domadm etc.
>>
>> This should make a fresh group_mapping.tdb with correct SIDs.
>>
>
>
> Thanks for the reply. Unfortunately (I guess), they do already match:
> server:~# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users (S-1-5-21-3876029557-4061927837-2224609541-513) -> users
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> domadm
> Domain Admins (S-1-5-21-3876029557-4061927837-2224609541-512) -> domadm
> Account Operators (S-1-5-32-548) -> -1
> Domain Guests (S-1-5-21-3876029557-4061927837-2224609541-514) -> nogroup
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
> server:~# net getlocalsid
> SID for domain SERVER is: S-1-5-21-3876029557-4061927837-2224609541
>
>
> It seems like this *SHOULD* be working. Could this be a bug with this
> version? I'll be glad to check anything else if there are other
> suggestions...
>
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=1bKKG-3JE-47%40gated-at.bofh.it&rnum=1&prev=/groups%3Fq%3Dsamba%2Bdomain%2Badmins%2Bproblem%26ie%3DUTF-8%26hl%3Den%26btnG%3DGoogle%2BSearch

Bottom line:
Stop samba, delete group_mapping.tdb *and* secrets.tdb, start samba.
Make sure you have a backup of secrets.tdb, at least on production servers.
The clients probably have to rejoin the domain after deleting secrets.tdb.

It's also possible that the tdb-files are in different directories if you are trying
out different versions/distributions of samba. XP-clients also cache the ten latest logins
by default to add to the confusion...

Other than that I have never had problems with the "Domain Admins"-stuff working on the client with any samba 3.0.x.
I have, however, seen very strange behavior on mapped shares after samba 3.0.2 when logging on with a "Domain Admins" user
on XP. I can map the share, but get "access denied" errors when trying to browse or doing "h:" on the command line. Removing the
user from the "domadm" group solves this.

Latest setup on the test server:

Compiled and installed the samba-latest.tar.gz (samba-2.0.5);
#configure, make, make install

smb.conf

[global]
workgroup = JDHTEST
log file = /var/log/samba/%m.log
os level = 100
preferred master = True
dns proxy = No
wins proxy = No
wins support = No
wins server = xxx.xxx.xxx.xxx
socket options = TCP_NODELAY
passdb backend = smbpasswd
domain master = Yes
domain logons = Yes

[homes]
read only = No
create mask = 0600
directory mask = 0700
browseable = No

#/usr/local/samba/bin/net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3103833849-850975221-657558829-512) -> domadm
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3103833849-850975221-657558829-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Guests (S-1-5-21-3103833849-850975221-657558829-514) -> -1
Users (S-1-5-32-545) -> -1

Sten Sletbak
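
The SID comparison discussed in this thread (domain group SIDs in "net groupmap list" against the SID from "net getlocalsid") can be scripted. The following is an added example, not part of the original message and not Samba's own tooling; the function names are hypothetical, and the sample listing is constructed by mixing SIDs from the two listings quoted above.

```shell
#!/bin/sh
# Added example (not from the original message): compare the SIDs in
# `net groupmap list` output with the SID printed by `net getlocalsid`.
# Function names are hypothetical.

# Extract the SID from "SID for domain NAME is: S-1-5-21-..." on stdin.
local_sid() {
    awk '/^SID for domain/ { print $NF }'
}

# check_groupmap DOMAIN_SID < groupmap-listing
# Prints one finding per domain group; returns 1 if any domain group
# SID does not sit under DOMAIN_SID (the stale group_mapping.tdb case).
check_groupmap() {
    awk -v dom="$1" '
    # Lines look like: Domain Admins (S-1-5-21-...-512) -> domadm
    match($0, /\(S-[0-9-]+\)/) {
        sid  = substr($0, RSTART + 1, RLENGTH - 2)
        name = substr($0, 1, RSTART - 2)
        if (sid ~ /^S-1-5-32-/) { next }   # builtin aliases carry no domain SID
        if (index(sid, dom "-") != 1) { print "MISMATCH " name " " sid; bad = 1 }
        else if ($NF == "-1")         { print "UNMAPPED " name " " sid }
        else                          { print "OK " name " -> " $NF }
    }
    END { exit bad + 0 }'
}

# Constructed sample: local SID of one server, Domain Admins mapped
# under the SID of the other server shown in this thread.
SAMPLE_SID='SID for domain SERVER is: S-1-5-21-3876029557-4061927837-2224609541'
SAMPLE_MAP='Administrators (S-1-5-32-544) -> domadm
Domain Admins (S-1-5-21-3103833849-850975221-657558829-512) -> domadm
Domain Users (S-1-5-21-3876029557-4061927837-2224609541-513) -> users
Domain Guests (S-1-5-21-3876029557-4061927837-2224609541-514) -> -1'

# On a live server: net groupmap list | check_groupmap "$(net getlocalsid | local_sid)"
printf '%s\n' "$SAMPLE_MAP" |
    check_groupmap "$(printf '%s\n' "$SAMPLE_SID" | local_sid)" ||
    echo "group_mapping.tdb does not match the local domain SID"
```

A MISMATCH line corresponds to the "If they don't" case in the quoted reply; UNMAPPED lines (-> -1) are domain groups with no Unix group behind them.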