[Samba] creating users from w2k with usrmgr and samba 3.0.1

Alexander Goeres agoeres at lieblinx.net
Fri Jan 16 10:41:22 GMT 2004

Hello everybody!

New to Samba (and the list) I am trying to set up a Samba PDC for a small 
enterprise network on a Debian Woody (3.0) system with a vanilla 2.4.24 
kernel and the Debian package of Samba 3.0.1 and Swat (Debian Versions 

I ran into various problems and could solve most of them during the past two 
weeks (hooray!). Most of the problems were related to congestions of user and 
program permissions. For example, it was impossible to change a user's 
password with the NT4 usrmgr tool from the w2k client. That always gave a 
"permission denied". Solution was: don't use the Debian tool "/usr/sbin/
adduser" (obvioulsy a wrapper program to the standard "useradd")! Another 
problem was, that Swat always wipes out variables that are written like "%u". 
Obviously Swat deletes everything within "". Solution: don't use Swat (too 

One problem is left, and I don't know if it's related to M$ or to Samba. It's 
impossible to create a user from a w2k client with the NT4 tool usrmgr.exe. I 
can create a Samba user (Domain User) when such a user already exists on the 
Samba server as a Linux user. AFAIK the setting "add user script" in smb.conf 
should provide the facility to Samba to create a Linux user each time a 
Samba/Domain user is created. Is that a misconception?

When looking at that NT4 tool usrmgr.exe, i find a menu item: 
Policies -> User Rights -> Show Advanced Rights: Add users to the domain: 
Trying to give that right to the Domain Admin group is denied with the 
"You may not remove the Local Logon right from the Administrators local group. 
Doing so would disable .. bla bla ba". 
This message even appears when I just open the usrmgr and click on "OK" 
without having changed anything.

So I have several questions and I hope that someone on the list here might be 
able to answer or give some hints to a solution:
1. Is it generally possible to add a completely new user to the domain through 
this NT4 tool usrgmr.exe? A user who didn't exist as a unix-user on the samba 
PDC and so didn't exist in ths Samba User database?
2. If yes (and I hope it's possible) how do I give this "Advanced Right" to 
add a user to the Samba Domain to the Domain-Admin group? Do I have to do 
this within Samba (pdbedit) or is it only possible within M$? 

Just some further config:
M$ Administrator is Member of NT Domain Admin group, of Samba admin group and 
has UID 0 on the Linux system.
NT Domain Admin group is mapped to the Samba admin group.

That mail is a little long but I hope the length doesn't discourage too many 
people from reading it. Possibly someone knows answers? Even to my questions?

Thank you in advance

agoeres _at_ lieblinx.net
tel.: +49 (0)30 / 61 20 26 87
fax: +49 (0)30 / 61 20 26 89
     we do software
a Marwood & Thiele GbR
reichenberger straße 125
10999 Berlin


More information about the samba mailing list