[Samba] Domain Admin with tdbsam on 3.0.2a

Gémes Géza geza at kzsdabas.sulinet.hu
Thu Mar 4 07:04:21 GMT 2004



Hi,

Sorry for having to say that, but you have messed up your group mapping
(you have multiple Domain Admins and other groups, with different SIDs
and the same name! This would confuse your Windows clients).
Using the tdbsam backend, Samba already populates its group database with all
the groups which exist by default on a Windows PDC, and thus you just
need to map them to existing UNIX groups with net groupmap modify.
What I would suggest is to remove your group mapping tdb and restart
Samba, and it would recreate it; then try out net groupmap modify.

Cheers,

Geza
| Firstly I apologise for the length of this query but I am hoping that if I
| document everything I did someone might respond / be able to help.
|
| My Configuration is Samba 3.0.2a as a PDC on Redhat 8. I cannot for the
| life of me get the "Domain Admins" functionality to work
|
| I am hoping that another set of eyes can shed some light on this problem
| as I have now spent 41 hrs googling / reading samba docs / configuring
| samba and linux.
|
|
| I am using the tdbsam backend
|
| [global]
| ---snip----
| domain master = yes
| local master = yes
| preferred master = yes
| domain logons = yes
| passdb backend = tdbsam
| ---snip----
|
| I have the following unix groups:
|
| GrpName       GID
| ========      ====
| ntadmins      702
| users         100
| mikey         700
| administrator 703
|
| I have the following users:
|
| UsrName       GID  Primary Group  Groups
| ========      ==== ============   =======================
| mikey         600  ntadmins       users,root,mikey
| administrator 603  ntadmins       users,root,administrator
|
| I have used Pdbedit to add user 'mike' and 'administrator' to the trivial
| database
|
| [root at juan root]# pdbedit -L -v -u mikey
| Unix username:        mikey
| NT username:
| Account Flags:        [U          ]
| User SID:             S-1-5-21-4105664934-1074514724-3375437219-2200
| Primary Group SID:    S-1-5-21-4105664934-1074514724-3375437219-1201
| Full Name:            Mike Young
| Home Directory:       \\juan\mikey
| HomeDir Drive:        H:
| Logon Script:         logon.bat
| Profile Path:         \\juan\profiles\mikey\0.0.0.0
| Domain:               E-MAGE
| ---snip----
|
| [root at juan root]# pdbedit -L -v -u administrator
| Unix username:        administrator
| NT username:
| Account Flags:        [U          ]
| User SID:             S-1-5-21-4105664934-1074514724-3375437219-2206
| Primary Group SID:    S-1-5-21-4105664934-1074514724-3375437219-702
| Full Name:            wrkgrp domain administrator
| Home Directory:       \\juan\administrator
| HomeDir Drive:        H:
| Logon Script:         logon.bat
| Profile Path:         \\juan\profiles\administrator\0.0.0.0
| Domain:               E-MAGE
| ---snip----
|
| I have used net groupmap to add the unix groups
| 'USERS','NOBODY','NTADMINS'
|
| net groupmap add unixgroup=nobody ntgroup="Domain Guests"
| net groupmap add unixgroup=ntadmins ntgroup="Domain Admins"
| net groupmap add unixgroup=users ntgroup="Domain Users"
|
| I have used net groupmap to MAP the unix groups
| 'USERS','NOBODY','NTADMINS' to the NT groups
|
| net groupmap modify ntgroup="Domain Guests" UNIXgroup=nobody
| net groupmap modify ntgroup="Domain Admins" UNIXgroup=nobody
| net groupmap modify ntgroup="Domain Users" UNIXgroup=nobody
|
| When I do a net groupmap list I get:-
|
| [root at juan root]# net groupmap list
| System Operators (S-1-5-32-549) -> -1
| Replicators (S-1-5-32-552) -> -1
| Guests (S-1-5-32-546) -> -1
| Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-2405) -> ntadmins
| Domain Users (S-1-5-21-4105664934-1074514724-3375437219-1201) -> users
| Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-1199) -> nobody
| Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-512) -> ntadmins
| Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-514) -> nobody
| Domain Users (S-1-5-21-1097365102-1206842487-1930028900-513) -> users
| Power Users (S-1-5-32-547) -> -1
| Print Operators (S-1-5-32-550) -> -1
| Domain Admins (S-1-5-21-50666885-4256340010-4152097897-702) -> ntadmins
| Administrators (S-1-5-32-544) -> -1
| Account Operators (S-1-5-32-548) -> -1
| Domain Admins (S-1-5-21-50666885-4256340010-4152097897-512) -> -1
| Domain Admins (S-1-5-21-1097365102-1206842487-1930028900-512) -> -1
| Backup Operators (S-1-5-32-551) -> -1
| Users (S-1-5-32-545) -> -1
| Domain Guests (S-1-5-21-1097365102-1206842487-1930028900-514) -> -1
| Domain Users (S-1-5-21-4105664934-1074514724-3375437219-513) -> -1
|
| I then created the appropriate machine accounts through unix
|
| I then log on to a win2k or XP workstation as a local administrator and
| join the domain as user 'ROOT' and using the user management tool I add my
| DomainName\Domain Admins group to the local administrators group.
|
| I then re-logon to the win2k or XP workstation as the domain user, either
| mike or administrator. These both log on successfully but are NOT Domain
| Admins or Administrators of the workstation - Why?
|
|
|
|

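As an added diagnostic example (not code from either poster), a small POSIX shell script that runs the two checks Geza's reply implies over `net groupmap list` output: NT group names that are mapped under more than one SID, and the well-known domain groups (RIDs 512/513/514) of the local domain SID that are still unmapped (`-> -1`). The sample listing is constructed from the output quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Checks "net groupmap list" output for the
# two problems visible in the quoted listing: the same NT group name under several
# SIDs, and well-known domain groups of the local domain that are not mapped.

# Constructed sample, a subset of the listing quoted in the original post.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-2405) -> ntadmins
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-1201) -> users
Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-1199) -> nobody
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-512) -> ntadmins
Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-514) -> nobody
Domain Users (S-1-5-21-1097365102-1206842487-1930028900-513) -> users
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-702) -> ntadmins
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-512) -> -1
Domain Admins (S-1-5-21-1097365102-1206842487-1930028900-512) -> -1
Domain Guests (S-1-5-21-1097365102-1206842487-1930028900-514) -> -1
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-513) -> -1'

# Reads groupmap lines on stdin; prints each NT group name that appears with more
# than one distinct SID, followed by the number of SIDs. Group names never
# contain "|", so it is a safe field separator.
duplicate_groupmap_names() {
    sed -n 's/^\(.*\) (\(S-1-[0-9-]*\)) -> .*$/\1|\2/p' \
    | LC_ALL=C sort -u \
    | cut -d'|' -f1 \
    | uniq -c \
    | awk '$1 > 1 { c = $1; $1 = ""; sub(/^ /, ""); print $0 " (" c " SIDs)" }'
}

# Reads groupmap lines on stdin; given the local domain SID as $1, prints the
# names of the well-known domain groups (Domain Admins 512, Domain Users 513,
# Domain Guests 514) whose mapping is still -1. These are the entries that
# "net groupmap modify" must point at UNIX groups; entries under other RIDs
# (like 2405 or 1201 above) are not what Windows clients look up.
unmapped_wellknown() {
    grep -E "\($1-(512|513|514)\) -> -1$" | sed 's/ (S-1-.*//'
}

# Live use: net groupmap list | duplicate_groupmap_names
#           net groupmap list | unmapped_wellknown "$(net getlocalsid | sed 's/.*: //')"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GROUPMAP" | duplicate_groupmap_names
    printf '%s\n' "$SAMPLE_GROUPMAP" | unmapped_wellknown S-1-5-21-4105664934-1074514724-3375437219
fi
```

Run with `--demo` to see the sample checked; on the quoted listing it reports three names each under several SIDs and that Domain Users (RID 513) of the local domain is the unmapped one, which matches the 1201 primary group SID shown by pdbedit.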
