[Samba] Re: Domain admins not getting local admin rights

Dana Forte danaf at vtnnv.com
Thu Jan 27 23:00:13 GMT 2005


Looks like there are 2 "Domain Admin" ntgroups, each with a different SID.
Delete the one that doesn't match the domain portion of the output of 'net 
getlocalsid', then make sure the one that is left is mapped to the correct 
unixgroup.


"Morgan Toal" <mtoal at burlingtoniowa.org> wrote in message 
news:41F9625A.8030609 at burlingtoniowa.org...
> Hi there,
>
> I switched servers yesterday.
> The old server was running 2.2.7a-1 on RedHat 8.0.
> The new server is 3.0.8-0.pre1.3 on Fedora Core 3.
>
> I did the migration by copying the following:
> /etc/passwd
> /etc/group
> /etc/shadow
> /etc/samba/*
>
> I then copied /home and fixed all the permissions on stuff.
>
> I then started up samba on the new server, and unplugged the old one.
>
> Most everything went smoothly, everyone could log in, we did not have to 
> re-join client computers to the domain.
>
> However, I am not understanding why my domain administrator accounts are 
> now not getting local administrator privileges when logged in. This always 
> worked fine on Samba 2.2.7a-1!
>
> I now cannot, when logged in on a W2K workstation as a domain user called 
> "nsu", which is a member of "domain admins", modify files in C:\WINNT, or 
> modify the local registry, etc.
>
> On a W2K workstation, in the Local Users and Groups applet I can see that 
> the local "Administrators" does in fact contain "PD/Domain Admins" and it 
> gives a partial listing of the group's SID.
>
> I cannot confirm if this is the same SID as my SID in samba for "Domain 
> Admins". It should be the same, right? Can anyone suggest a tool I could 
> use to confirm this?
>
> I *really* don't want to have to add a domain group of people who should 
> be local administrator to the local administrators group on each 
> workstation, as we have quite a number of workstations, so I have not 
> tried this yet...
>
> Can someone else suggest something for me to check or try? Thanks!
>
> mtoal
>
> -----------------------------------------------------------------------------------------
>
> [root at pd1 ~]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
> Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> 
> domainadmin
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Guests (S-1-5-21-2634632689-992284068-1313363551-514) -> -1
> Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
> Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
> Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> domainadmin
> Administrators (S-1-5-32-544) -> domainadmin
> cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid
> Account Operators (S-1-5-32-548) -> -1
> seint (S-1-5-21-2634632689-992284068-1313363551-2157) -> seint
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
> -----------------------------------------------------------------------------------------
>
> [root at pd1 ~]# cat /etc/samba/smb.conf
>
> log level = 4
>
> netbios name = pd1
> workgroup = pd
>
> os level = 200
> preferred master = no
> domain master = yes
> local master = no
>
> wins support = no
> wins server = 192.168.18.14
> name resolve order = wins lmhosts
> enhanced browsing = no
>
> security = user
> encrypt passwords = yes
>
> domain logons = yes
> logon path =
> logon drive = Z:
> logon home = \\%L\%u
> logon script = logon.bat
>
> add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M 
> %u
>
> use client driver = yes
>
> host msdfs = yes
>
> guest account = guest
> map to guest = bad user
>
> username map = /etc/samba/smbusers
> admin users = @domainadmin
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
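The check described in the reply above (find the "Domain Admins" mapping whose domain SID does not match 'net getlocalsid'), as an added example that is not part of the original thread. The two command outputs are embedded as constructed strings built from the values quoted in the message; the 'SID for domain ... is:' wording of 'net getlocalsid' is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: report 'net groupmap list' entries
# whose domain part differs from the SID 'net getlocalsid' reports.

# Constructed sample outputs (values taken from the quoted message).
LOCALSID_OUT='SID for domain PD1 is: S-1-5-21-2634632689-992284068-1313363551'
GROUPMAP_OUT='Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> domainadmin
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
Administrators (S-1-5-32-544) -> domainadmin
cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid'

# domain_sid: pull the S-1-5-21-... domain SID out of 'net getlocalsid' output.
domain_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9-]*\).*/\1/p'
}

# stale_mappings LOCALSID GROUPMAP_TEXT: print every domain-scoped mapping
# (S-1-5-21-...) whose domain part is not LOCALSID. Builtin groups
# (S-1-5-32-*) carry no domain part and are skipped.
stale_mappings() {
    lsid=$1
    printf '%s\n' "$2" | while IFS= read -r line; do
        sid=$(printf '%s\n' "$line" | sed -n 's/.*(\(S-1-5-[0-9-]*\)).*/\1/p')
        case "$sid" in
            S-1-5-21-*)
                dom=${sid%-*}          # drop the trailing RID (512, 513, ...)
                [ "$dom" = "$lsid" ] || printf '%s\n' "$line"
                ;;
        esac
    done
}

# Stand-alone run: lists the leftover mapping from the old server's SID.
stale_mappings "$(domain_sid "$LOCALSID_OUT")" "$GROUPMAP_OUT"
```

On a live server replace the constructed strings with `$(net getlocalsid)` and `$(net groupmap list)`; because both entries share the name "Domain Admins", remove the stale one by SID (`net groupmap delete sid=...`) rather than by ntgroup name.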