[Samba] creating users from w2k with usrmgr and samba 3.0.1

John H Terpstra jht at samba.org
Fri Jan 16 17:12:53 GMT 2004

On Fri, 16 Jan 2004, Alexander Goeres wrote:

> Hello everybody!
> New to Samba (and the list) I am trying to set up a Samba PDC for a small
> enterprise network on a Debian Woody (3.0) system with a vanilla 2.4.24
> kernel and the Debian package of Samba 3.0.1 and Swat (Debian Versions
> 3.0.1-2).
> I ran into various problems and could solve most of them during the past two
> weeks (hooray!). Most of the problems were related to congestions of user and
> program permissions. For example, it was impossible to change a user's
> password with the NT4 usrmgr tool from the w2k client. That always gave a
> "permission denied". Solution was: don't use the Debian tool
> "/usr/sbin/adduser" (obviously a wrapper program to the standard "useradd")!
> Another problem was that Swat always wipes out variables that are written
> like "%u". Obviously Swat deletes everything within "". Solution: don't use
> Swat (too bad)!

You are correct. That is one of the fine features of SWAT.

> One problem is left, and I don't know if it's related to M$ or to Samba. It's
> impossible to create a user from a w2k client with the NT4 tool usrmgr.exe. I

Not really. If your scripts (add user, add group, etc.) are correctly set
up then you can use this tool to manage users and groups without problem.

> can create a Samba user (Domain User) when such a user already exists on the
> Samba server as a Linux user. AFAIK the setting "add user script" in smb.conf
> should provide the facility to Samba to create a Linux user each time a
> Samba/Domain user is created. Is that a misconception?

Your observation is the result of configuration problems.

> When looking at that NT4 tool usrmgr.exe, I find a menu item:
> Policies -> User Rights -> Show Advanced Rights: Add users to the domain:
> Samba
> Trying to give that right to the Domain Admin group is denied with the
> message:
> "You may not remove the Local Logon right from the Administrators local group.
> Doing so would disable .. bla bla ba".
> This message even appears when I just open the usrmgr and click on "OK"
> without having changed anything.

You must be logged in as the Domain Administrator, and unfortunately I have
discovered that there is no way around it, you must be logged on as the
user called "root".

> So I have several questions and I hope that someone on the list here might be
> able to answer or give some hints to a solution:
> 1. Is it generally possible to add a completely new user to the domain through
> this NT4 tool usrmgr.exe? A user who didn't exist as a unix-user on the samba
> PDC and so didn't exist in the Samba User database?

Yes. It is possible. It does work.

> 2. If yes (and I hope it's possible) how do I give this "Advanced Right" to
> add a user to the Samba Domain to the Domain-Admin group? Do I have to do
> this within Samba (pdbedit) or is it only possible within M$?

You can make users a member of the Domain Admins group. At this time we do
not support secondary group membership correctly. This means that only the
user "root" can manage network accounts.

> Just some further config:
> M$ Administrator is Member of NT Domain Admin group, of Samba admin group and
> has UID 0 on the Linux system.

Unfortunately, this breaks. You have to use "root". Duplicate accounts
that share a UID break things badly. For example, having an account called
"root" and one called "Administrator", both with UID=0, breaks winbind.

> NT Domain Admin group is mapped to the Samba admin group.

NT Domain Admins group needs to have GID=0.

> That mail is a little long but I hope the length doesn't discourage too many
> people from reading it. Possibly someone knows answers? Even to my questions?

Not at all. Thanks for sharing with us.

- John T.
John H Terpstra
Email: jht at samba.org
