[Samba] domain admins not being applied to windows box

Conrad Wood cnw at lemon-computing.com
Tue Aug 3 10:09:23 GMT 2004


Hi,

I have recently upgaded from samba 2.2 to samba 3.0.
I used to have "domain admin group = @winadmin" in my smb.conf,
but I understand from the documentation that it is deprecated
in favour of 
"net groupmap set "Domain Admin" winadmin".

I would expect unix users who are members of the
unix group winadmin to become Domain Admins, then,
but they don't ?.

Do I understand this correctly that unix users
that are a member of the unix group winadmin
then will be "advertised" as being a member of
the NT Group "Domain Admins" to windows machines?
The windows box applies whatever permissions the
"Domain Admins" have for this box, by default "Administrator"?

My server is a debian gnu/linux box in a test environment.
My windows machine(s) are run within vmware, windows XP and 2k.

Details:

************************* snip **************
on the server the groupmapping is as follows:
root at smoke:~# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-520677601-194623159-390525435-513) -> cnw
Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) -> winadmin
Domain Users (S-1-5-21-520677601-194623159-390525435-3005) -> cnw
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> winadmin
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-520677601-194623159-390525435-514) -> -1
Domain Admins (S-1-5-21-520677601-194623159-390525435-512) -> winadmin
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> winadmin
****************************************************************

On windows it seems to accept that ish:
(intented to copy and paste from a msdos box but failed miserably
so here's the written out extract ;) )
c:\>net user cnw /DOMAIN
.... blurb....
Local Group Memberships   *dialout                 <- WTF???
Global Group memberships   *Domain Users *Domain Admins
The command completed sucessfully.
c:\>

*****************************************************************

Doesn't above mean I should be administrator (when logged in
as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
However, if I try to open the TCP/IP properties windows tells me
that I do not have access...

I am new to samba 3.0 and so far only read the publicly available
documentation, so I would like to double check whether I understand
this correctly.

Thank you,

Conrad





More information about the samba mailing list