[Samba] Domain admins not getting local admin rights

Morgan Toal mtoal at burlingtoniowa.org
Thu Jan 27 21:51:22 GMT 2005

Hi there,

I switched servers yesterday.
The old server was running 2.2.7a-1 on RedHat 8.0.
The new server is 3.0.8-0.pre1.3 on Fedora Core 3.

I did the migration by copying the following:

I then copied /home and fixed all the permissions on stuff.

I then started up samba on the new server, and unplugged the old one.

Most everything went smoothly, everyone could log in, we did not have to 
re-join client computers to the domain.

However, I am not understanding why my domain administrator accounts are 
now not getting local administrator privileges when logged in. This 
always worked fine on Samba 2.2.7a-1!

I now cannot, when logged in on a W2K workstation as a domain user 
called "nsu", which is a member of "domain admins", modify files in 
C:\WINNT, or modify the local registry, etc.

On a W2K workstation, in the Local Users and Groups applet I can see that 
the local "Administrators" does in fact contain "PD/Domain Admins" and 
it gives a partial listing of the group's SID.

I cannot confirm if this is the same SID as my SID in samba for "Domain 
Admins". It should be the same, right? Can anyone suggest a tool I could 
use to confirm this?

I *really* don't want to have to add a domain group of people who should 
be local administrator to the local administrators group on each 
workstation, as we have quite a number of workstations, so I have not 
tried this yet...

Can someone else suggest something for me to check or try? Thanks!



[root at pd1 ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> domainadmin
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-2634632689-992284068-1313363551-514) -> -1
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> domainadmin
Administrators (S-1-5-32-544) -> domainadmin
cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid
Account Operators (S-1-5-32-548) -> -1
seint (S-1-5-21-2634632689-992284068-1313363551-2157) -> seint
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1


[root at pd1 ~]# cat /etc/samba/smb.conf

log level = 4

netbios name = pd1
workgroup = pd

os level = 200
preferred master = no
domain master = yes
local master = no

wins support = no
wins server =
name resolve order = wins lmhosts
enhanced browsing = no

security = user
encrypt passwords = yes

domain logons = yes
logon path =
logon drive = Z:
logon home = \\%L\%u
logon script = logon.bat

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

use client driver = yes

host msdfs = yes

guest account = guest
map to guest = bad user

username map = /etc/samba/smbusers
admin users = @domainadmin
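
Added example, not part of the original post: the `net groupmap list` output above has entries under two different domain SID prefixes, so this Python script parses that output format and reports which RIDs are mapped under more than one domain SID, and to which Unix group each one maps. The function names are this example's own, and the sample input is a few lines taken from the listing in the post.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the `net groupmap list` output in the post.
SAMPLE = """\
Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> domainadmin
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
Administrators (S-1-5-32-544) -> domainadmin
cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid
"""

# Line format: "<NT group name> (<SID>) -> <unix group, or -1 if unmapped>"
LINE = re.compile(r"^(.+?) \((S-1-[0-9-]+)\) -> (\S+)$")

def parse_groupmap(text):
    """Return (name, domain_sid, rid, unix_group) for each S-1-5-21-... entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group(2).startswith("S-1-5-21-"):
            continue  # skip blank lines and builtin (S-1-5-32-...) groups
        domain_sid, _, rid = m.group(2).rpartition("-")
        entries.append((m.group(1), domain_sid, int(rid), m.group(3)))
    return entries

def domain_sids(entries):
    """Distinct domain SID prefixes present in the mapping table."""
    return sorted({e[1] for e in entries})

def duplicated_rids(entries):
    """RIDs mapped under more than one domain SID -> {domain_sid: unix_group}."""
    by_rid = defaultdict(dict)
    for _name, domain_sid, rid, unix_group in entries:
        by_rid[rid][domain_sid] = unix_group
    return {rid: m for rid, m in by_rid.items() if len(m) > 1}

if __name__ == "__main__":
    entries = parse_groupmap(SAMPLE)
    print("domain SIDs:", *domain_sids(entries), sep="\n  ")
    for rid, mapping in sorted(duplicated_rids(entries).items()):
        for domain_sid, unix_group in mapping.items():
            print(f"RID {rid}: {domain_sid} -> {unix_group}")
```

The prefixes it reports can be compared with what `net getlocalsid` prints on the server.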
