[Samba] Samba 3 - domain admins (not root)?

Gémes Géza geza at kzsdabas.sulinet.hu
Tue Mar 9 14:15:39 GMT 2004



Gémes Géza wrote:
| edd payne wrote:
| | On Tuesday 09 Mar 2004 12:13 pm, Jonathan Baker-Bates TMS wrote:
| |
| |
| |>>| I'm trying to work out how I can create domain administrators with Samba 3.
| |>>
| |>>| I currently have the following in smb.conf
| |>>|
| |>>|     domain admin group = @smbadmins
| |>>|     domain admin users = root jbb
| |>>
| |>>You are wrong: in Samba3 there is a complete group mapping possibility,
| |>>not just the possibility of mapping domain admins, like in 2.2.x.
| |>>So:
| |>>first)  Remove those two lines from your smb.conf
| |>>second) Depending on your passdb backend, there could be two cases:
| |>>A) passdb backend = smbpasswd (default, if not specified) or tdbsam. In
| |>>this case samba populates its database with all the entries found on a
| |>>Windows DC; you could see them with net groupmap list. You can (you need
| |>>to) modify these default group mappings with net groupmap modify
| |>>ntgroup=... unixgroup=...
| |>>B) passdb backend = ldapsam: you need to add all the group mappings by hand
| |>>with net groupmap add sid=... unixgroup=... Remember: Domain Admins
| |>>SID=Domain SID-512, Domain Users SID=Domain SID-513, Domain Guests
| |>>SID=Domain SID-514
| |>>
| |>>Good Luck, and have a pleasant experience with Samba3, it is really a big
| |>>improvement since the 2.2 line, in many areas.
| |>
| |>Ah, thanks for putting me on the right track - I'm using smbpasswd (we've
| |>only got about 10 users), and the Samba server *is* the DC, but I've found
| |>some docs on the samba site so I'm reading them now :-)
| |>
| |>However, I still can't get my user "jbb" to be a domain admin. I'm mapping
| |>the "smbadmins" group to the NT "Domain Admins" entity like this:
| |>
| |>net groupmap add ntgroup="Domain Admins" unixgroup=smbadmins
| |>
| |>and it says it created the mapping successfully, but when I log onto the
| |>domain with that account, it doesn't have admin rights. I can see the
| |>mapping with:
| |>
| |># net groupmap list ntgroup="Domain Admins"
| |>Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
| |>
| |>and in /etc/group I have smbadmins:x:1004:jbb
| |>
| |>I'm not sure what I'm doing wrong.
| |
| |
| | You need to use net groupmap modify rather than net groupmap add. The domain
| | admins group should have an SID (the S- number) ending in 512 if it is the
| | real "Domain Admins" group. Delete the mapping you put in and then repeat the
| | net groupmap command but use:
| |
| | net groupmap modify ntgroup="Domain Admins" unixgroup=smbadmins
| |
| | Then when you do net groupmap list you should get:
| |
| | Domain Admins (S-1-5-21-3040818230-2349230895-2714603090-512) -> smbadmins
| |
| | and it should work
| |
| | you also need to "modify" groups such as Domain Users, Domain Guests, Backup
| | Operators etc.
| |
| | edd
| |
| Just as a completion, I've cut and pasted the most important parts of
| my test system (the production one is using ldap and has just Domain
| Users, Domain Admins, Domain Guests, besides a lot of self-created group
| mappings, like students->students, and alike).
| net groupmap list's output:
|
| System Operators (S-1-5-32-549) -> daemon

Sorry, I've just found the following line in my e-mail after sending it;
please ignore it.
!!!!!!!!!!!!!!!!!!!******* looser
(S-1-5-21-4109351342-2997801466-301355879-2007) -> looser
******!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

| Replicators (S-1-5-32-552) -> disk
| Guests (S-1-5-32-546) -> nogroup
| Power Users (S-1-5-32-547) -> wheel
| Domain Users (S-1-5-21-4109351342-2997801466-301355879-513) -> users
| Print Operators (S-1-5-32-550) -> lp
| Administrators (S-1-5-32-544) -> root
| Domain Admins (S-1-5-21-4109351342-2997801466-301355879-512) -> adm
| Domain Guests (S-1-5-21-4109351342-2997801466-301355879-514) -> nogroup
| Account Operators (S-1-5-32-548) -> adm
| Backup Operators (S-1-5-32-551) -> daemon
| Users (S-1-5-32-545) -> users
|
| You can see that there are two kinds of groups:
| local groups with SID=S-1-5-32-groupRID
| and
| domain groups with SID=DOMAINSID-groupRID
| For having a correctly working Samba PDC you NEED to map the Domain
| groups to existing UNIX groups, whose members will then become Domain
| Admins, Domain Users and Domain Guests, and whatever other groups you
| would want to add to the group mapping.
|
| Cheers,
|
| Geza
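An added check, not part of this thread nor of Samba itself: a small Python script that parses `net groupmap list` output together with /etc/group content and reports the mistakes discussed above: a well-known domain group mapped under a freshly allocated RID instead of 512/513/514 (what `net groupmap add` produced for the original poster), a well-known RID that is not mapped at all, and a mapping to a UNIX group that does not exist. The sample mapping lines and /etc/group content are constructed from values quoted in the thread.

```python
import re

# Well-known domain RIDs from the thread; a Samba PDC must map each to a UNIX group.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
NAME_TO_RID = {name: rid for rid, name in WELL_KNOWN_RIDS.items()}
LOCAL_PREFIX = "S-1-5-32"  # local groups are S-1-5-32-<RID>; domain groups are <DOMAIN SID>-<RID>
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Parse `net groupmap list` output into dicts: ntgroup, domain, rid, local, unixgroup."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not mappings (headers, junk) are skipped
            prefix, rid = m.group("sid").rsplit("-", 1)
            entries.append({"ntgroup": m.group("nt"), "domain": prefix, "rid": int(rid),
                            "local": prefix == LOCAL_PREFIX, "unixgroup": m.group("unix")})
    return entries

def unix_groups(etc_group_text):
    """Group names from /etc/group content (first colon-separated field)."""
    return {line.split(":")[0] for line in etc_group_text.splitlines() if line.strip()}

def check_groupmap(groupmap_text, groups):
    """Return problems: a well-known name under the wrong RID (the `net groupmap add`
    mistake in the thread), a well-known RID left unmapped, or a missing UNIX group."""
    entries = parse_groupmap(groupmap_text)
    problems = []
    domain_rids = {e["rid"] for e in entries if not e["local"]}
    for rid, name in WELL_KNOWN_RIDS.items():
        if rid not in domain_rids:
            problems.append("%s (RID %d) is unmapped; use net groupmap modify" % (name, rid))
    for e in entries:
        want = NAME_TO_RID.get(e["ntgroup"])
        if not e["local"] and want is not None and want != e["rid"]:
            problems.append("'%s' is mapped under RID %d, not well-known RID %d"
                            % (e["ntgroup"], e["rid"], want))
        if e["unixgroup"] not in groups:
            problems.append("'%s' -> UNIX group '%s' does not exist" % (e["ntgroup"], e["unixgroup"]))
    return problems

# Constructed sample: the thread's mappings plus the stray entry `net groupmap add` created.
SAMPLE_GROUPMAP = """\
Domain Users (S-1-5-21-4109351342-2997801466-301355879-513) -> users
Domain Admins (S-1-5-21-4109351342-2997801466-301355879-512) -> adm
Domain Guests (S-1-5-21-4109351342-2997801466-301355879-514) -> nogroup
Administrators (S-1-5-32-544) -> root
Domain Admins (S-1-5-21-4109351342-2997801466-301355879-3009) -> smbadmins
"""
SAMPLE_ETC_GROUP = "root:x:0:\nadm:x:4:\nusers:x:100:\nnogroup:x:65534:\nsmbadmins:x:1004:jbb\n"
```

Run it against real output with `check_groupmap(open("groupmap.txt").read(), unix_groups(open("/etc/group").read()))`; an empty list means the three well-known domain groups are mapped under their proper RIDs to groups that exist.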
