[Samba] net groupmap / domain admins problem - Amazon prize
Andrew Judge
ajudge at grovenetworks.com
Thu Jan 8 14:06:14 GMT 2004
Okay, I did all the below successfully. I actually had the old SID from the
other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the
NTUSER.DAT files
Still no luck with the admin rights. It will log into the domain and can
see the domain groups and I can add them to local groups. It even uses the
netlogon scripts. Do you need more info? I think we are close though.
Andy
-----Original Message-----
From: John H Terpstra [mailto:jht at samba.org]
Sent: Wednesday, January 07, 2004 11:42 PM
To: Andrew Judge
Cc: samba at lists.samba.org
Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize
1. Stop Samba
2. Delete the group_mapping.tdb file.
3. Restart Samba
- the default Domain Groups will automatically be created if you
are NOT using LDAP ldapsam.
4. Map your groups as follows:
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
Add any Domain Groups you may want. Do tie them to existing (manually
created UNIX groups) eg:
groupadd engineers
net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
groupadd ntadmins
net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
PS: If you have a problem with these commands email me, I'll help you.
5. Add all users who should have Domain Admin rights to the UNIX root
group in /etc/group, like this:
root:0::jht,jimbo,jack,jill
6. Add all users who should have Workstation Admin rights (Power Users) to
the UNIX ntadmins group in /etc/group, like this:
ntadmins:123::maryo,susant,billm
7. Verify that the groups are correctly mapped:
net groupmap list.
8. Now: On every windows client machine add:
a) Domain Admins to the Local Administrators Group
b) Domain Power Users to the Local Power Users Group
>
> Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> cahnged the SID to the last PDC. Anyway, how would I get the right SID?
I
> have NTUSER.DAT files that I can run profiles against to read them. Would
> that help?
You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
NTUSER.DAT files.
To obtain the domain SID just run:
net getlocalsid
>
> First one that can point me in the right direction to get this resolved -
> I'll buy them a amazon gift cert for $50. Beats going bald from pulling
out
> my hair.
It's a deal man!
- John T.
--
John H Terpstra
Email: jht at samba.org
More information about the samba
mailing list