[Samba] Samba 3.0, Windows 2k/XP and usrmgr.exe

James Niven j.niven at fnics.co.uk
Thu Sep 30 16:33:22 GMT 2004

OK, so it is possible to get it working with a Domain Admin user although I
am not using LDAP (too much of a novice to dare to attempt it).

Running RH9 and Samba 3.0.1a

Here is my net groupmap list

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3006511841-651929057-3908437317-512) -> root
Domain Guests (S-1-5-21-3006511841-651929057-3908437317-514) -> nogroup
Domain Users (S-1-5-21-3006511841-651929057-3908437317-513) -> domusers
Power Users (S-1-5-32-547) -> -1
year_2 (S-1-5-21-3006511841-651929057-3908437317-2051) -> year_2
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> root
year_7 (S-1-5-21-3006511841-651929057-3908437317-2041) -> year_7
year_11 (S-1-5-21-3006511841-651929057-3908437317-2033) -> year_11
staff (S-1-5-21-3006511841-651929057-3908437317-2003) -> staff
year_1 (S-1-5-21-3006511841-651929057-3908437317-2053) -> year_1
year_6 (S-1-5-21-3006511841-651929057-3908437317-2043) -> year_6
year_10 (S-1-5-21-3006511841-651929057-3908437317-2035) -> year_10
Account Operators (S-1-5-32-548) -> -1
year_4 (S-1-5-21-3006511841-651929057-3908437317-2047) -> year_4
year_5 (S-1-5-21-3006511841-651929057-3908437317-2045) -> year_5
year_9 (S-1-5-21-3006511841-651929057-3908437317-2037) -> year_9
year_3 (S-1-5-21-3006511841-651929057-3908437317-2049) -> year_3
year_8 (S-1-5-21-3006511841-651929057-3908437317-2039) -> year_8
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

and here is the pdbedit output for my user:

Unix username:        nivenjr
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-3006511841-651929057-3908437317-2000
Primary Group SID:    S-1-5-21-3006511841-651929057-3908437317-512
Full Name:            James Niven
Home Directory:       \\susie\nivenjr\.win_profile\
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\susie\profiles\nivenjr\
Domain:               OAKFIELD
Account desc:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time:         Tue, 19 Jan 2038 03:14:07 GMT
Password last set:    Sun, 21 Mar 2004 09:29:12 GMT
Password can change:  Sun, 21 Mar 2004 09:29:12 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT

and here is the Global section of my smb.conf:

    # Netbios name is the name other Windows clients will see the PDC as on the Network Neighbourhood
    netbios name = susie
    # Workgroup is the name of the domain that Windows clients will be
    workgroup = OAKFIELD
    # Encrypt passwords must be on for a PDC; Windows 95 does not use encrypted passwords...
    encrypt passwords = yes
    # Set the database to be used for user authentication
    passdb backend = tdbsam

    # Set the PDC to be the master browser for the domain
    domain master = yes
    # Set the domain to be the local master browser
    local master = yes
    # and the preferred master browser
    preferred master = yes
    # this setting will beat the level of all clients on the subnet during a master browser election
    os level = 65

    # User level security - required for domain control
    security = user
    # Allows the PDC to handle logons to the domain
    domain logons = yes

    # logon path tells Samba where to put Windows NT/2000/XP roaming profiles
    logon path = \\%L\profiles\%U\%m
    # Logon batch file to be run - should (read must) include a "net time /set" for proper synchronisation
    logon script = logon.bat

    # Sets the user's home directory to H:
    logon drive = H:
    # logon home is used to specify the home directory and the Windows 95/98/Me roaming profile location
    logon home = \\%L\%U\.win_profile\%m

    # PDC will act as a nntp time server
    time server = yes

    # User add script, creates users on the fly
    add user script = /usr/sbin/useradd -g 513 -s /bin/false %u

    # Add machines on the fly
    add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
    # Group add script
    add group script = /usr/local/samba/bin/smbgrpadd.sh "%g"

    # Group delete script
    delete group script = /usr/sbin/groupdel "%g"

    # Add user to group script
    add user to group script = /usr/local/samba/bin/addu2g.sh "%u" "%g"

    # Delete user from group script
    delete user from group script = /usr/local/samba/bin/delu2g.sh "%u" "%g"

In the useradd script, group 513 is domuser, and in the machineadd script,
group 502 is the ntmachine group.

I've tried restarting the samba daemon with a higher debug level and I don't
get any messages or errors associated with my ntuser trying to use the
USRMGR program.

I am of course guessing that the problem lies in my Samba configuration.
Any suggestions would be much appreciated.


James Niven

> -----Original Message-----
> From: rruegner [mailto:robert at ruegner.org]
> Sent: 30 September 2004 02:14
> To: James Niven
> Cc: samba list
> Subject: Re: [Samba] Samba 3.0, Windows 2k/XP and usrmgr.exe
> Hi James,
> I use usrmgr on Win XP Service Pack 2 to admin many smb domains,
> my account is in the Domain Admin Group, and if I want to use it
> at a not trusted domain I use "run as".
> This works as well with ldap, smbpasswd backend.
> I guess something in your config isn't right.
> I never use root to do anything, I delegated most of the admin stuff to the
> win guys and they are doing very well with usrmgr (sometimes failure
> messages appear, but in reality every function works).
> Regards
> James Niven schrieb:
> > Hi there
> >
> > I've just finished setting up my first Samba PDC for 120ish users and so far so
> > good, although it's only been live for 2 days!!
> >
> > One problem I've come across (actually I had loads but the HOW-TO, Samba
> > archive and google solved most of them) is with usrmgr.  There is one XP
> > client that I have installed the NT 4 Server Tools software on for the
> > school IT coordinator (note the phrase 'coordinator', not exactly a guru or
> > sysadmin) to use to tidy up user names, passwords etc.  We are both set up
> > as Domain Admins and have our primary LINUX GID set to 0 (root) but neither
> > of us can log in and use the USRMGR.EXE program; it will connect but we
> > can't view, add or delete etc.
> >
> > If I log onto the XP box as root it all works fine, users can be added,
> > deleted, amended etc and of course I could get her to do this or use the
> > server console, su as root and use pdbedit (Yeah, Right!).  I've been
> > pulling my already unsubstantial hair out over this all evening and had I
> > invested in the Google IPO I'd be a very rich man by now.  I've spent the
> > evening checking net groupmap list, the unix user list, trying to get usrmgr
> > to allow me to tell it who has permissions to add users to the domain (comes
> > up with an error about local admins not being able to log in locally),
> > adding domain admins to the local admin group, removing users from the
> > domain admin group and adding them again and generally smoking a lot of
> > cigarettes.
> >
> > So, could someone confirm that usrmgr can only be used fully when logged
> > into a 2k/XP machine as root and that there is no functionality for the
> > domain admin group to do this?
> >
> > On the bright side I successfully migrated from a smbpasswd backend to tdbsam
> > tonight so life isn't all that bad!!
> >
> > Many Thanks
> >
> > James Niven
> >
> > PS: it's my first time so I'm sorry if this has been covered ad nauseam
> > already.
> >
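Added example (not from the post, and not a Samba tool): a small Python checker that parses the `net groupmap list` format shown above, reports which NT groups land in a privileged Unix group and which domain groups have no Unix group behind them, and resolves a pdbedit "Primary Group SID" against the map. The sample input is a shortened copy of the listing in the post; the only assumption is that "root" is the privileged Unix group of interest.

```python
import re

# Constructed sample: shortened copy of the `net groupmap list` output quoted in the post.
SAMPLE_GROUPMAP = """\
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3006511841-651929057-3908437317-512) -> root
Domain Guests (S-1-5-21-3006511841-651929057-3908437317-514) -> nogroup
Domain Users (S-1-5-21-3006511841-651929057-3908437317-513) -> domusers
staff (S-1-5-21-3006511841-651929057-3908437317-2003) -> staff
Administrators (S-1-5-32-544) -> root
Users (S-1-5-32-545) -> -1
"""

# One mapping per line: "<NT group> (<SID>) -> <unix group>"; "-1" means no Unix group.
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Parse groupmap output into {sid: (nt_group_name, unix_group_or_None)}."""
    mappings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank or unexpected lines are skipped
            unix = None if m.group("unix") == "-1" else m.group("unix")
            mappings[m.group("sid")] = (m.group("name"), unix)
    return mappings


def privileged_mappings(mappings, privileged=("root",)):
    """NT groups whose members are given a privileged Unix group (assumed: root)."""
    return sorted(name for name, unix in mappings.values() if unix in privileged)


def unmapped_domain_groups(mappings):
    """Domain groups (S-1-5-21-...) with no Unix group: members of these get no
    Unix credentials, so their access is denied rather than granted."""
    return sorted(name for sid, (name, unix) in mappings.items()
                  if sid.startswith("S-1-5-21-") and unix is None)


def resolve_primary_group(mappings, primary_group_sid):
    """Unix group a pdbedit 'Primary Group SID' resolves to, or None if unmapped."""
    entry = mappings.get(primary_group_sid)
    return entry[1] if entry else None


if __name__ == "__main__":
    gm = parse_groupmap(SAMPLE_GROUPMAP)
    print("privileged:", privileged_mappings(gm))
    print("unmapped domain groups:", unmapped_domain_groups(gm))
    print("nivenjr primary group ->",
          resolve_primary_group(gm, "S-1-5-21-3006511841-651929057-3908437317-512"))
```

Run it against the live output with `net groupmap list | python3 checker.py` after swapping the sample for `sys.stdin.read()`; an NT group listed under privileged_mappings gives every one of its members GID 0 on the Unix side, which is exactly the mapping the post relies on.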
