[Samba] 3.0.8pre2 and domain admins question

Robert M. Martel bob at urban.csuohio.edu
Fri Nov 5 15:29:16 GMT 2004


       I have been playing with 3.0.8rc2 on a test machine to get ready 
to upgrade my samba 2 PDC to Samba 3.

       I ran across an issue with mapping the domain admin group to a 
local UNIX group on the server and I wanted to know if the behavior I 
saw was normal or not.

       The Samba server is a Sun ultra 1 running Solaris 9, user and 
group information is kept in plain old /etc/passwd, /etc/shadow, and 

My group mappings look like:
Domain Admins (S-1-5-21-4122618152-3960105789-1472380918-512) -> ntadmin
Domain Guests (S-1-5-21-4122618152-3960105789-1472380918-514) -> nobody
Domain Users (S-1-5-21-4122618152-3960105789-1472380918-513) -> staff

       My test user was a member of the ntadmin group - BUT it was NOT 
the primary group for that account (the primary group was staff.) Every 
time I logged in as the test user the windows machine refused to accept 
the test user as an administrator.

       I  tried changing the test user's primary group to a group other 
than the one mapped to "Domain Users" in case Samba/Windows was 
selecting the most restrictive group membership for use - but that did 
not make a difference.

       When I changed the test user's primary group to ntadmin, then the 
windows client accepted the test user as an administrator.

	So, now my questions - I did not read anything in the chapter 11 of the 
manual that covered this.

        Is this the expected behavior?

        Does Samba not look at secondary group memberships for accounts?

        Is this something odd because I am on a Solaris box?  (hey, it 
has happened before.)

	Bob Martel

Bob Martel,System Administrator  I met someone who looks a lot like you
Levin College of Urban Affairs   She does the things you do
Cleveland State University       But she is an IBM
(216) 687-2214
bob at urban.csuohio.edu                                -Jeff Lynne

More information about the samba mailing list