[Samba] Samba 3 - domain admins (not root)?

Jonathan Baker-Bates TMS jonathan at themusicsolution.com
Tue Mar 9 12:13:07 GMT 2004


----- Original Message ----- 
From: "Gémes Géza" <geza at kzsdabas.sulinet.hu>
To: "Jonathan Baker-Bates TMS" <jonathan at themusicsolution.com>
Cc: <samba at lists.samba.org>
Sent: Monday, March 08, 2004 6:25 PM
Subject: Re: [Samba] Samba 3 - domain admins (not root)?


>
> Jonathan Baker-Bates TMS wrote:
> | I'm trying to work out how I can create domain administrators with
> | Samba 3.
> |
> | I currently have the following in smb.conf
> |
> |     domain admin group = @smbadmins
> |     domain admin users = root jbb
>
> You are wrong: in Samba3 there is a complete group mapping possibility,
> not just the possibility of mapping domain admins, like in 2.2.x.
> So:
> first)  Remove those two lines from your smb.conf
> second) Depending on your passdb backend, there could be two cases:
> A) passdb backend = smbpasswd (default, if not specified) or tdbsam. In
> this case samba populates its database with all the entries found on a
> Windows DC; you can see them with net groupmap list. You can (you need
> to) modify these default group mappings with net groupmap modify
> ntgroup=... unixgroup=...
> B) passdb backend = ldapsam: you need to add all the group mappings by hand
> with net groupmap add sid=... unixgroup=... Remember: Domain Admins
> SID=Domain SID-512 Domain Users SID=Domain SID-513 Domain Guests
> SID=Domain SID-514
>
> Good Luck, and have a pleasant experience with Samba3, it is really a big
> improvement since the 2.2 line, in many areas.

Ah, thanks for putting me on the right track - I'm using smbpasswd (we've
only got about 10 users), and the Samba server *is* the DC, but I've found
some docs on the samba site so I'm reading them now :-)

However, I still can't get my user "jbb" to be a domain admin. I'm mapping
the "smbadmins" group to the NT "Domain Admins" entity like this:

net groupmap add ntgroup="Domain Admins" unixgroup=smbadmins

and it says it created the mapping successfully, but when I log onto the
domain with that account, it doesn't have admin rights. I can see the
mapping with:

# net groupmap list ntgroup="Domain Admins"
Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins

and in /etc/group I have smbadmins:x:1004:jbb

I'm not sure what I'm doing wrong.

Jonathan
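
Added example (not part of the original message, and not Samba project code): a shell check that reads `net groupmap list` output and compares the last SID component of the Domain Admins, Domain Users and Domain Guests mappings with the RIDs 512, 513 and 514 quoted in the reply above. The function names and the Domain Users sample line are made up for illustration; the Domain Admins line is the one shown in the message.

```shell
#!/bin/sh
# Expected RID for each well-known domain group (values quoted in the reply).
expected_rid() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;
        *)               echo "" ;;
    esac
}

# Reads lines of the form "NT group (SID) -> unixgroup" on stdin.
# Prints OK or MISMATCH for each well-known group; returns 1 on any mismatch.
check_groupmap() {
    bad=0
    while IFS= read -r line; do
        name=${line%%" ("*}          # text before " ("
        rest=${line#*"("}            # text after the first "("
        sid=${rest%%")"*}            # SID between the parentheses
        rid=${sid##*-}               # last SID component is the RID
        unixgroup=${line##*"-> "}    # mapped UNIX group
        want=$(expected_rid "$name")
        [ -n "$want" ] || continue   # not a group this check knows about
        if [ "$rid" = "$want" ]; then
            echo "OK $name rid=$rid unixgroup=$unixgroup"
        else
            echo "MISMATCH $name rid=$rid expected=$want unixgroup=$unixgroup"
            bad=1
        fi
    done
    return $bad
}

# Sample input: first line from the message, second line constructed.
# On a live server, pipe the real listing in: net groupmap list | check_groupmap
check_groupmap <<'EOF' || echo "at least one well-known group has an unexpected RID"
Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
Domain Users (S-1-5-21-3040818230-2349230895-2714690390-513) -> users
EOF
```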








