[Samba] Samba v3.0.11 assigning privileges with custom pdb plugin

Paul Griffith paulg at cs.yorku.ca
Tue Feb 8 20:25:30 GMT 2005


On Tue, Feb 08, 2005 at 01:08:31PM -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Paul Griffith wrote:
> | Greetings,
> |
> | We have home grown user management backend system,
> | and I have ported our v2.2.x passdb over to v3 type plugin.
> | I am able to access files and print using our backend.
> | I am running into trouble joining PCs to the domain.
> |
> | I am assuming the primary problem is that our
> | backend system doesn't have a 'root' user.
> |
> | I was hoping that assigning SeMachineAccountPrivilege
> | to our tech members would be enough to allow our tech
> | members to join computers to our domain.
> |
> ...
> |
> | So the question is, is it possible to grant rights
> | without using the Samba root user? Any other suggestions?
> 
> Paul,
> 
> Create a group mapping for the Domain Admins group.  E.g.
> 
> net groupmap modify ntgroup="Domain Admins" unixgroup="ntadmins"
> 
> now any member of the ntadmins unix group will be able
> to assign privileges.
> 
> 
> cheers, jerry


Thanks, but still no go.

1 - I am now a member of ntadmins.
 % id
uid=2381(paulg) gid=1000(tech)
groups=1000(tech),512(ntadmins),5001(intern),11000(macadm),32000(tdb),32030(webapp),31002(wwwprism)

2 - as root I then did this:
net groupmap modify ntgroup="Domain Admins" unixgroup="ntadmins"

net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1048414848-xxxxxxxxxxxx-xxxxxxxxxx-512) ->ntadmins
Domain Guests (S-1-5-21-1048414848-xxxxxxxxxxxx-xxxxxxxxxx-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-1048414848-xxxxxxxxxxxxxx-xxxxxxxxxx-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1


3 - Now try to assign SeMachineAccountPrivilege to paulg

net rpc rights grant 'PAULWG\paulg' SeMachineAccountPrivilege
Password:

[2005/02/08 15:19:48, 0, effective(5989, 6000), real(5989, 6000)]
rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call returned zero bytes
  (EOF)
[2005/02/08 15:19:48, 0, effective(5989, 6000), real(5989, 6000)]
rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call returned zero bytes
  (EOF)


Any more tips or suggestions?

Thanks
Paul
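
An added example (not part of the original message and not Samba code): a small Python check for the two preconditions in Jerry's reply, that the domain's Domain Admins SID (RID 512) is mapped to a Unix group and that the user belongs to that group. The sample input is constructed in the shape of the `net groupmap list` and `id` output quoted above, with placeholder SID sub-authorities; all function names are hypothetical.

```python
import re

# Constructed sample input in the shape of the `net groupmap list` and `id`
# output quoted above; the SID sub-authorities are placeholders.
GROUPMAP = """\
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1111-2222-3333-512) ->ntadmins
Domain Users (S-1-5-21-1111-2222-3333-513) -> -1
"""
ID_OUTPUT = """\
uid=2381(paulg) gid=1000(tech)
groups=1000(tech),512(ntadmins),5001(intern)
"""

# "Name (SID) -> unixgroup"; whitespace after "->" is optional, as in the post.
MAP_RE = re.compile(r"^(.+?) \((S-[^)]+)\)\s*->\s*(\S+)\s*$")
DOMAIN_ADMINS_RID = "512"  # well-known RID of Domain Admins


def parse_groupmap(text):
    """Return (ntgroup, sid, unixgroup) tuples; unixgroup is None for '-1'."""
    entries = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            name, sid, unix = m.groups()
            entries.append((name, sid, None if unix == "-1" else unix))
    return entries


def unix_groups(id_output):
    """Group names from `id` output (primary gid plus the groups= list)."""
    without_uid = re.sub(r"uid=\d+\([^)]*\)", "", id_output)
    return set(re.findall(r"\d+\(([^)]+)\)", without_uid))


def admin_unix_group(entries):
    """Unix group mapped to the domain's Domain Admins SID, or None."""
    for _name, sid, unix in entries:
        if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == DOMAIN_ADMINS_RID:
            return unix
    return None


def is_mapped_domain_admin(groupmap_text, id_output):
    """True when the user is in the Unix group mapped to Domain Admins."""
    group = admin_unix_group(parse_groupmap(groupmap_text))
    return group is not None and group in unix_groups(id_output)


if __name__ == "__main__":
    print("unmapped:", [n for n, _s, u in parse_groupmap(GROUPMAP) if u is None])
    print("in mapped Domain Admins group:", is_mapped_domain_admin(GROUPMAP, ID_OUTPUT))
```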

