[Samba] creating users from w2k with usrmgr and samba 3.0.1: Happy End!!

Alexander Goeres agoeres at lieblinx.net
Mon Jan 19 14:25:33 GMT 2004


On Friday, 16 January 2004 18:12, John H Terpstra wrote:
> Not really. If your scripts (add user, add group, etc.) are correctly set
> up then you can use this tool to manage users and groups without problem.

That is true! It works!

> Your observation is the result of configuration problems.
> ...
> You must be logged in as the Domain Administrator, and unfortunately I have
> discovered that there is no way around it, you must be logged on as the
> user called "root".

For me it also works when the Domain Admin is "administrator"! 

> ...
> Unfortunately, this breaks. You have to use "root". Duplicate accounts
> that share a UID break things badly. For example, having an account called
> "root" and one called "Administrator", both with UID=0, break winbind
> operation.
> ...
> NT Domain Admins group needs to have GID=0.
> ...
> - John T.

My Samba-errors all came from messed up user to program rights.

Just a short description of what my final config looks like:
Groupmapping:
Domain Admins -> root
Domain Users -> domuser (ad libitum)
Domain Guests -> nogroup

Administrative Samba-Users:
root, primary Linux-Group: root
administrator, primary Linux-Group: root

Valid Samba-Users:
+root, +domuser, +nogroup

Samba Admin-Group:
+root

Machines are added to the group "nogroup" by default. When I first had them 
added to a "machines"-group an account for each computer could be created 
("Welcome to the Domain XXXXX"), but later logon was denied with errors 
referring to missing computer-accounts. Obviously "nobody" has to be among the 
Valid Users because he/she/it does something during the logon process.

The result is that I can logon at the Domain as "administrator", start the 
NT4 tool usrmgr.exe and can create, delete and change users and groups within 
the domain.  Even my former complaint about the Debian tool "adduser" was 
wrong: with this config it works perfectly. 

Just one little thing about strange error messages: if I set a password less 
than 5 characters, the usrmgr error is not "password invalid.. too short" or 
something along these lines, but it's: "Access denied!". This is somewhat 
misleading. But the future users of this PDC will have to learn to use 
passwords longer than 4 characters, that can't be helped and won't harm 
them..

I'd be extremely glad if those people here who see some traps (resulting from 
such a config) lying ahead of me could inform me of them. But I'll see them, 
when I'm there..

But the future is bright and interesting and absolutely not harmful :-)

Thanks for the help and hints..

Greetings,
Alexander
-- 
-------------------------------------------
agoeres _at_ lieblinx.net
tel.: +49 (0)30 / 61 20 26 87
fax: +49 (0)30 / 61 20 26 89
-------------------------------------------
lieblinxNET
     we do software
a Marwood & Thiele GbR
-------------------------------------------
reichenberger straße 125
10999 Berlin

http://lieblinx.net
-------------------------------------------
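
An added example, not part of the original post or of Samba itself: a small Python audit that expands `+group` entries to show which accounts end up with administrative access in a setup like the one described above, and flags accounts that share a UID, the condition the quoted reply warns about. It assumes the post's "Valid Samba-Users" and "Samba Admin-Group" correspond to smb.conf's `valid users` and `admin users`, that `+name` matches primary or supplementary members of Unix group `name`, and it runs on constructed passwd/group data.

```python
import configparser
# Constructed sample data modelled on the post; not the poster's real files.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
administrator:x:1000:0:Domain Admin:/home/administrator:/bin/bash
alice:x:1001:1002::/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""
GROUP = """\
root:x:0:
domuser:x:1002:
nogroup:x:65534:
"""
SMB_CONF = """\
[global]
valid users = +root, +domuser, +nogroup
admin users = +root
"""

def parse_passwd(text):  # -> {name: (uid, primary gid)}
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), int(f[3])) for f in rows}
def parse_group(text):  # -> {group: (gid, supplementary members)}
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), set(filter(None, f[3].split(",")))) for f in rows}

def shared_uids(users):  # UIDs held by more than one account name
    by_uid = {}
    for name, (uid, _) in users.items():
        by_uid.setdefault(uid, []).append(name)
    return {uid: sorted(n) for uid, n in by_uid.items() if len(n) > 1}

def expand(value, users, groups):  # resolve "+grp" to member account names
    out = set()
    for item in value.replace(",", " ").split():
        if item.startswith("+"):
            gid, members = groups[item[1:]]
            # Assumption: primary-group members count as well as listed ones.
            out |= members | {n for n, (_, g) in users.items() if g == gid}
        else:
            out.add(item)
    return sorted(out)

def audit(passwd=PASSWD, group=GROUP, conf=SMB_CONF):
    users, groups = parse_passwd(passwd), parse_group(group)
    cp = configparser.ConfigParser(interpolation=None)  # smb.conf uses % macros
    cp.read_string(conf)
    result = {k: expand(cp["global"][k], users, groups) for k in ("admin users", "valid users")}
    result["shared uids"] = shared_uids(users)
    return result
```

With the constructed data, `audit()["admin users"]` lists both `root` and `administrator`, because `administrator` has `root` as its primary group.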
