[Samba] Samba 3 - domain admins (not root)?

edd payne edd at ulu.lon.ac.uk
Tue Mar 9 12:40:48 GMT 2004

On Tuesday 09 Mar 2004 12:13 pm, Jonathan Baker-Bates TMS wrote:

> > | I'm trying to work out how I can create domain administrators with
> > | Samba 3.
> >
> > | I currently have the following in smb.conf
> > |
> > |     domain admin group = @smbadmins
> > |     domain admin users = root jbb
> >
> > You are wrong: in Samba3 there is a complete group mapping possibility,
> > not just the possibility of mapping domain admins, like in 2.2.x.
> > So:
> > first)  Remove those two lines from your smb.conf
> > second) Depending on your passdb backend, there could be two cases:
> > A) passdb backend = smbpasswd (default, if not specified) or tdbsam. In
> > this case samba populates its database with all the entries found on a
> > Windows DC, you could see them with net groupmap list. You can (you need
> > to do) modify this default group mappings with net groupmap modify
> > ntgroup=... unixgroup=...
> > B) passdb backend = ldapsam: you need to add all the group mappings by hand
> > with net groupmap add sid=... unixgroup=... Remember: Domain Admins
> > SID=Domain SID-512, Domain Users SID=Domain SID-513, Domain Guests
> > SID=Domain SID-514
> >
> > Good Luck, and have a pleasant experience with Samba3, it is really a big
> > improvement since the 2.2 line, in many areas.
> Ah, thanks for putting me on the right track - I'm using smbpasswd (we've
> only got about 10 users), and the Samba server *is* the DC, but I've found
> some docs on the samba site so I'm reading them now :-)
> However, I still can't get my user "jbb" to be a domain admin. I'm mapping
> the "smbadmins" group to the NT "Domain Admins" entity like this:
> net groupmap add ntgroup="Domain Admins" unixgroup=smbadmins
> and it says it created the mapping successfully, but when I log onto the
> domain with that account, it doesn't have admin rights. I can see the
> mapping with:
> # net groupmap list ntgroup="Domain Admins"
> Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
> and in /etc/group I have smbadmins:x:1004:jbb
> I'm not sure what I'm doing wrong.

You need to use net groupmap modify rather than net groupmap add. The domain 
admins group should have a SID (the S- number) ending in 512 if it is the 
real "Domain Admins" group. Delete the mapping you put in and then repeat the 
net groupmap command but use:

net groupmap modify ntgroup="Domain Admins" unixgroup=smbadmins

Then when you do net groupmap list you should get:

Domain Admins (S-1-5-21-3040818230-2349230895-2714603090-512) -> smbadmins

and it should work.

You also need to "modify" groups such as Domain Users, Domain Guests, Backup 
Operators etc.
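As an added example (not part of the thread and not Samba's own tooling), the POSIX shell functions below parse lines in the format printed by `net groupmap list` and flag a well-known domain group whose SID does not end in the RID the thread gives for it (512 Domain Admins, 513 Domain Users, 514 Domain Guests). The sample lines are constructed from the two SIDs quoted in the thread: the RID-3009 line is what a fresh `net groupmap add` produced, the RID-512 line is what the mapping should look like after `net groupmap modify`. Function names and the sample text are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check `net groupmap list`
# output so well-known domain groups carry the expected RID. Run it as
#   net groupmap list | check_all
# on a real DC; below it runs on constructed sample lines.

# RIDs the thread gives for the well-known domain groups.
expected_rid() {
  case "$1" in
    "Domain Admins") echo 512 ;;
    "Domain Users")  echo 513 ;;
    "Domain Guests") echo 514 ;;
    *)               echo "" ;;   # not a well-known domain group: no expectation
  esac
}

# check_mapping "<one line of net groupmap list output>"
# Line format (from the thread): NT group (SID) -> unixgroup
# Prints one OK/BAD/SKIP line; returns 0 unless the RID is wrong.
check_mapping() {
  line=$1
  ntgroup=${line%% (*}          # text before " ("
  rest=${line#*(}               # text after the first "("
  sid=${rest%%)*}               # text before ")"
  unixgroup=${line##*-> }       # text after "-> "
  rid=${sid##*-}                # last dash-separated component of the SID
  want=$(expected_rid "$ntgroup")
  if [ -z "$want" ]; then
    echo "SKIP $ntgroup -> $unixgroup (no well-known RID to check)"
    return 0
  fi
  if [ "$rid" = "$want" ]; then
    echo "OK   $ntgroup RID $rid -> $unixgroup"
    return 0
  fi
  echo "BAD  $ntgroup has RID $rid, expected $want; a mapping created with" \
       "'net groupmap add' instead of 'net groupmap modify' looks like this"
  return 1
}

# check_all reads groupmap lines on stdin; exit status 0 only if none are BAD.
check_all() {
  bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    check_mapping "$line" || bad=$((bad + 1))
  done
  echo "$bad bad mapping(s)"
  [ "$bad" -eq 0 ]
}

# Constructed sample output using the SIDs quoted in the thread.
SAMPLE_WRONG='Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins'
SAMPLE_RIGHT='Domain Admins (S-1-5-21-3040818230-2349230895-2714603090-512) -> smbadmins'

# Stand-alone demo: the "wrong" list fails, the "right" list passes.
demo() {
  printf '%s\n' "$SAMPLE_WRONG" | check_all && return 1
  printf '%s\n' "$SAMPLE_RIGHT" | check_all
}
```

The RID check is deliberately strict only for the three groups the thread names; any other group line is reported as SKIP rather than guessed at, since builtin groups such as Backup Operators live under a different SID prefix and this example makes no claim about them.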
