[Samba] Samba 3.0, Windows 2k/XP and usrmgr.exe
James Niven
j.niven at fnics.co.uk
Thu Sep 30 16:33:22 GMT 2004
OK, so it is possible to get it working with a Domain Admin user although I
am not using LDAP (too much of a novice to dare to attempt it).
Running RH9 and Samba 3.0.1a
Here is my net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3006511841-651929057-3908437317-512) -> root
Domain Guests (S-1-5-21-3006511841-651929057-3908437317-514) -> nogroup
Domain Users (S-1-5-21-3006511841-651929057-3908437317-513) -> domusers
Power Users (S-1-5-32-547) -> -1
year_2 (S-1-5-21-3006511841-651929057-3908437317-2051) -> year_2
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> root
year_7 (S-1-5-21-3006511841-651929057-3908437317-2041) -> year_7
year_11 (S-1-5-21-3006511841-651929057-3908437317-2033) -> year_11
staff (S-1-5-21-3006511841-651929057-3908437317-2003) -> staff
year_1 (S-1-5-21-3006511841-651929057-3908437317-2053) -> year_1
year_6 (S-1-5-21-3006511841-651929057-3908437317-2043) -> year_6
year_10 (S-1-5-21-3006511841-651929057-3908437317-2035) -> year_10
Account Operators (S-1-5-32-548) -> -1
year_4 (S-1-5-21-3006511841-651929057-3908437317-2047) -> year_4
year_5 (S-1-5-21-3006511841-651929057-3908437317-2045) -> year_5
year_9 (S-1-5-21-3006511841-651929057-3908437317-2037) -> year_9
year_3 (S-1-5-21-3006511841-651929057-3908437317-2049) -> year_3
year_8 (S-1-5-21-3006511841-651929057-3908437317-2039) -> year_8
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
and here is the pdbedit output for my user
Unix username: nivenjr
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3006511841-651929057-3908437317-2000
Primary Group SID: S-1-5-21-3006511841-651929057-3908437317-512
Full Name: James Niven
Home Directory: \\susie\nivenjr\.win_profile\
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\susie\profiles\nivenjr\
Domain: OAKFIELD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Sun, 21 Mar 2004 09:29:12 GMT
Password can change: Sun, 21 Mar 2004 09:29:12 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
and here is the Global section of my smb.conf
[Global]
# Netbios name is the name other Windows clients will see the PDC as on the Network Neighbourhood
netbios name = susie
# Workgroup is the name of the domain that windows clients will be joining
workgroup = OAKFIELD
# Encrypt passwords must be on for a PDC, Windows 95 does not use encrypted passwords...
encrypt passwords = yes
# Set the database to be used for user authentication
passdb backend = tdbsam
# Set the PDC to be the master browser for the domain
domain master = yes
# Set the domain to be the local master browser
local master = yes
# and the preferred master browser
preferred master = yes
# this setting will beat the level of all clients on the subnet during a master browser election
os level = 65
# User level security - required for domain control
security = user
# Allows the PDC to handle logons to the domain
domain logons = yes
# logon path tells Samba where to put Windows NT/2000/XP roaming profiles
logon path = \\%L\profiles\%U\%m
# Logon batch file to be run - should (read must) include a "net set time" for proper synchronisation
logon script = logon.bat
# Sets the users home directory to H:
logon drive = H:
# logon home is used to specify home directory and Windows 95/98/Me roaming profile location
logon home = \\%L\%U\.win_profile\%m
# PDC will act as a nntp time server
time server = yes
# User add script, creates users on the fly
add user script = /usr/sbin/useradd -g 513 -s /bin/false %u
# Add machines on the fly
add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
# Group Add script
add group script = /usr/local/samba/bin/smbgrpadd.sh "%g"
# Group Delete Script
delete group script = /usr/sbin/groupdel "%g"
# Add User to group Script
add user to group script = /usr/local/samba/bin/addu2g.sh "%u" "%g"
# Delete user from group script
delete user from group script = /usr/local/samba/bin/delu2g.sh "%u" "%g"
In the useradd script group 513 is domuser and in the machineadd script
group 502 is the ntmachine group
I've tried restarting the samba daemon with a higher debug level and I don't
get any messages or errors associated with my ntuser trying to use the
USRMGR program.
I am of course guessing that the problem lies in my samba configuration.
Any suggestions would be much appreciated
TIA
James Niven
> -----Original Message-----
> From: rruegner [mailto:robert at ruegner.org]
> Sent: 30 September 2004 02:14
> To: James Niven
> Cc: samba list
> Subject: Re: [Samba] Samba 3.0, Windows 2k/XP and usrmgr.exe
>
>
> Hi James,
> I use usermgr on Win XP Service Pack 2 to admin many smb domains,
> my account is in the Domain Admin Group, and if I want to use it
> at a not trusted domain I use "run as".
> This works as well with ldap, smbpasswd backend.
> I guess something in your config isn't right.
> I never use root to do anything, I delegated most of the admin stuff to the
> win guys and they are doing very well with usrmgr (sometimes failure
> messages appear, but in reality every function works)
> Regards
>
> James Niven wrote:
> > Hi there
> >
> > I've just finished setting my first Samba PDC for 120ish users and so far
> > so good, although it's only been live for 2 days!!
> >
> > One problem I've come across (actually I had loads but the HOW-TO, Samba
> > archive and google solved most of them) is with usrmgr. There is one XP
> > client that I have installed the NT 4 Server Tools software on for the
> > school IT coordinator (note the phrase 'coordinator', not exactly a guru
> > or sysadmin) to use to tidy up user names, passwords etc. We are both set
> > up as Domain Admins and have our primary LINUX GID set to 0 (root) but
> > neither of us can log in and use the USRMGR.EXE program, it will connect
> > but we can't view, add or delete etc.
> >
> > If I log onto the XP box as root it all works fine, users can be added,
> > deleted, amended etc and of course I could get her to do this or use the
> > server console, su as root and use pdbedit (Yeah, Right!). I've been
> > pulling my already unsubstantial hair out over this all evening and had I
> > invested in the Google IPO I'd be a very rich man by now. I've spent the
> > evening checking net groupmap list, the unix user list, trying to get
> > usrmgr to allow me to tell it who has permissions to add users to the
> > domain (comes up with an error about local admins not being able to log
> > in locally),
> > adding domain admins to the local admin group, removing users from the
> > domain admin group and adding them again and generally smoking a lot of
> > cigarettes.
> >
> > So, could someone confirm that usrmgr can only be used fully when logged
> > into a 2k/XP machine as root and that there is no functionality for the
> > domain admin group to do this?
> >
> > On the bright side I successfully migrated from a smbpasswd backend to
> > tdbsam tonight so life isn't all that bad!!
> >
> > Many Thanks
> >
> > James Niven
> >
> > PS it's my first time so I'm sorry if this has been covered ad nauseam
> > already.
> >
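An added example, not part of the original thread: a small audit of `net groupmap list` output in the format posted above, listing unmapped groups, privileged NT groups mapped to the Unix `root` group, and the group a user's Primary Group SID resolves to. The function names and finding labels are hypothetical; the sample lines are an excerpt of the output quoted in the post.

```python
import re

# Excerpt of the `net groupmap list` output quoted in the post above.
GROUPMAP = """\
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3006511841-651929057-3908437317-512) -> root
Domain Guests (S-1-5-21-3006511841-651929057-3908437317-514) -> nogroup
Domain Users (S-1-5-21-3006511841-651929057-3908437317-513) -> domusers
Administrators (S-1-5-32-544) -> root
staff (S-1-5-21-3006511841-651929057-3908437317-2003) -> staff
"""

LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")
# Well-known RIDs: 512 = Domain Admins, 544 = BUILTIN\Administrators.
PRIVILEGED_RIDS = {512, 544}
BUILTIN_DOMAIN = "S-1-5-32"


def parse_groupmap(text):
    """Return one dict per mapping line; lines in another format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        domain, _, rid = m["sid"].rpartition("-")
        entries.append({"name": m["name"], "sid": m["sid"], "domain": domain,
                        "rid": int(rid), "unix": m["unix"]})
    return entries


def audit(entries, primary_group_sid=None):
    """Collect (label, detail) findings for an administrator to review."""
    findings = []
    for e in entries:
        if e["unix"] == "-1":  # NT group with no Unix group behind it
            findings.append(("unmapped", e["name"]))
        elif e["rid"] in PRIVILEGED_RIDS and e["unix"] == "root":
            findings.append(("privileged-to-root", e["name"]))
    # All non-builtin groups should share one domain SID prefix.
    domains = {e["domain"] for e in entries if e["domain"] != BUILTIN_DOMAIN}
    if len(domains) > 1:
        findings.append(("mixed-domain-sids", ", ".join(sorted(domains))))
    if primary_group_sid:  # e.g. the "Primary Group SID" line from pdbedit
        hit = [e["name"] for e in entries if e["sid"] == primary_group_sid]
        findings.append(("primary-group", hit[0] if hit else "NOT MAPPED"))
    return findings
```

Feed it the full `net groupmap list` output and the Primary Group SID from `pdbedit` to see at a glance which mappings give Windows-side administrators Unix group `root`.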