[Samba] Domain Admin with tdbsam on 3.0.2a

Mike Young mikey at e-mage.com.au
Thu Mar 4 06:10:14 GMT 2004


Firstly, I apologise for the length of this query, but I am hoping that if I
document everything I did, someone might respond / be able to help.

My configuration is Samba 3.0.2a as a PDC on Red Hat 8. I cannot for the
life of me get the "Domain Admins" functionality to work.

I am hoping that another set of eyes can shed some light on this problem,
as I have now spent 41 hrs googling / reading Samba docs / configuring
Samba and Linux.


I am using the tdbsam backend:

[global]
---snip----
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
passdb backend = tdbsam
---snip----

I have the following unix groups:

GrpName       GID
========      ====
ntadmins      702
users         100
mikey         700
administrator 703

I have the following users:

UsrName       GID  Primary Group  Groups
========      ==== =============  =======================
mikey         600  ntadmins       users,root,mikey
administrator 603  ntadmins       users,root,administrator

I have used pdbedit to add users 'mike' and 'administrator' to the trivial
database:

[root at juan root]# pdbedit -L -v -u mikey
Unix username:        mikey
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-4105664934-1074514724-3375437219-2200
Primary Group SID:    S-1-5-21-4105664934-1074514724-3375437219-1201
Full Name:            Mike Young
Home Directory:       \\juan\mikey
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\juan\profiles\mikey\0.0.0.0
Domain:               E-MAGE
---snip----

[root at juan root]# pdbedit -L -v -u administrator
Unix username:        administrator
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-4105664934-1074514724-3375437219-2206
Primary Group SID:    S-1-5-21-4105664934-1074514724-3375437219-702 
Full Name:            wrkgrp domain administrator
Home Directory:       \\juan\administrator 
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\juan\profiles\administrator\0.0.0.0
Domain:               E-MAGE
---snip----

I have used net groupmap to add the unix groups 'USERS', 'NOBODY',
'NTADMINS':

net groupmap add unixgroup=nobody ntgroup="Domain Guests"
net groupmap add unixgroup=ntadmins ntgroup="Domain Admins"
net groupmap add unixgroup=users ntgroup="Domain Users"

I have used net groupmap to MAP the unix groups 'USERS', 'NOBODY',
'NTADMINS' to the NT groups:

net groupmap modify ntgroup="Domain Guests" UNIXgroup=nobody
net groupmap modify ntgroup="Domain Admins" UNIXgroup=nobody
net groupmap modify ntgroup="Domain Users" UNIXgroup=nobody

When I do a net groupmap list I get:

[root at juan root]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-2405) -> ntadmins
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-1201) -> users
Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-1199) -> nobody
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-512) -> ntadmins
Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-514) -> nobody
Domain Users (S-1-5-21-1097365102-1206842487-1930028900-513) -> users
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-702) -> ntadmins
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-512) -> -1
Domain Admins (S-1-5-21-1097365102-1206842487-1930028900-512) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Guests (S-1-5-21-1097365102-1206842487-1930028900-514) -> -1
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-513) -> -1

I then created the appropriate machine accounts through Unix.

I then log on to a Win2k or XP workstation as a local administrator and
join the domain as user 'ROOT', and using the user management tool I add my
DomainName\Domain Admins group to the local Administrators group.

I then re-log on to the Win2k or XP workstation as the domain user (either
mike or administrator). These both log on successfully but are NOT Domain
Admins or Administrators of the workstation. Why?
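A sanity check one can run over a `net groupmap list` dump like the one in the
post, added here as an example and not code from the original post or from the
Samba project. It assumes that the PDC's own domain SID is the prefix of the
user SIDs pdbedit printed (S-1-5-21-4105664934-1074514724-3375437219, i.e. the
mikey SID minus its trailing RID) and that a workstation resolves
DOMAIN\Domain Admins, Domain Users and Domain Guests to the well-known RIDs
512, 513 and 514 under that domain SID. The input is constructed from the
post's own groupmap output, reformatted to one entry per line.

```shell
#!/bin/sh
# Added example (not code from the original post): sanity-check a
# `net groupmap list` dump against the PDC's own domain SID.

# The PDC's own domain SID, assumed here to be the prefix of the user SIDs
# that pdbedit printed in the post (mikey is <this SID>-2200).
LOCAL_DOMAIN_SID="S-1-5-21-4105664934-1074514724-3375437219"

# domain_sid_of SID: strip the trailing RID, S-1-5-21-a-b-c-2200 -> S-1-5-21-a-b-c
domain_sid_of() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Constructed input: the post's `net groupmap list` output, one entry per line.
GROUPMAP_LIST='System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-2405) -> ntadmins
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-1201) -> users
Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-1199) -> nobody
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-512) -> ntadmins
Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-514) -> nobody
Domain Users (S-1-5-21-1097365102-1206842487-1930028900-513) -> users
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-702) -> ntadmins
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-512) -> -1
Domain Admins (S-1-5-21-1097365102-1206842487-1930028900-512) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Guests (S-1-5-21-1097365102-1206842487-1930028900-514) -> -1
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-513) -> -1'

# check_groupmap: read "Name (SID) -> unixgroup" lines on stdin, print one
# finding per line, and return 1 if anything was found.
check_groupmap() {
    awk -v dom="$LOCAL_DOMAIN_SID" '
    BEGIN {
        # well-known RIDs a workstation resolves these domain group names to
        want["Domain Admins"] = 512
        want["Domain Users"]  = 513
        want["Domain Guests"] = 514
        found = 0
    }
    {
        if (!match($0, /\(S-1-5-[0-9-]+\)/)) {
            printf "unparseable line: %s\n", $0; found++; next
        }
        sid  = substr($0, RSTART + 1, RLENGTH - 2)
        name = substr($0, 1, RSTART - 2)
        grp  = $0; sub(/^.* -> /, "", grp)
        n = split(sid, part, "-"); rid = part[n]
        dsid = substr(sid, 1, length(sid) - length(rid) - 1)

        # BUILTIN aliases (S-1-5-32-*) are local groups on each machine; leaving
        # them unmapped on the PDC is normal, so they are skipped.
        if (dsid == "S-1-5-32") next

        # A mapping under any other domain SID (e.g. left over from an earlier
        # install) can never match what the workstation asks the PDC about.
        if (dsid != dom) {
            printf "foreign/stale domain SID: %s (%s) -> %s\n", name, sid, grp
            found++; next
        }
        if (name in want) {
            if (rid != want[name]) {
                printf "non-standard RID for %s: %s (expected RID %d) -> %s\n",
                       name, sid, want[name], grp
                found++
            } else if (grp == "-1") {
                printf "well-known group unmapped: %s (%s)\n", name, sid
                found++
            }
        }
    }
    END { exit (found > 0) }'
}

# Report on the constructed dump; on a live PDC pipe `net groupmap list` in instead.
printf '%s\n' "$GROUPMAP_LIST" | check_groupmap || echo "groupmap needs cleanup"
```

Only the row whose SID is the PDC's own domain SID plus RID 512 is what a
workstation compares a DOMAIN\Domain Admins entry in its local Administrators
group against, so that row is the one to keep mapped to the unix group the
admin accounts belong to; rows under other domain SIDs, and duplicate
"Domain Admins" rows with non-standard RIDs, only make the listing harder
to read.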
