[Samba] Re: Domain admins not getting local admin rights

John H Terpstra jht at Samba.Org
Thu Jan 27 23:22:53 GMT 2005


On Thursday 27 January 2005 16:00, Dana Forte wrote:
> Looks like there are 2 "Domain Admin" ntgroups, each with a different SID.
> Delete the one that doesn't match the domain portion of the output of 'net
> getlocalsid', then make sure the one that is left is mapped to the correct
> unixgroup.

Alternately, stop samba then delete the group_mapping.tdb file, restart samba
and then remap your groups. Example:

net groupmap modify ntgroup="Domain Admins" unixgroup=flyingpigs

Cheers,
John T.

>
>
> "Morgan Toal" <mtoal at burlingtoniowa.org> wrote in message
> news:41F9625A.8030609 at burlingtoniowa.org...
>
> > Hi there,
> >
> > I switched servers yesterday.
> > The old server was running 2.2.7a-1 on RedHat 8.0.
> > The new server is 3.0.8-0.pre1.3 on Fedora Core 3.
> >
> > I did the migration by copying the following:
> > /etc/passwd
> > /etc/group
> > /etc/shadow
> > /etc/samba/*
> >
> > I then copied /home and fixed all the permissions on stuff.
> >
> > I then started up samba on the new server, and unplugged the old one.
> >
> > Most everything went smoothly, everyone could log in, we did not have to
> > re-join client computers to the domain.
> >
> > However, I am not understanding why my domain administrator accounts are
> > now not getting local administrator privileges when logged in. This
> > always worked fine on Samba 2.2.7a-1!
> >
> > I now cannot, when logged in on a W2K workstation as a domain user called
> > "nsu", which is a member of "domain admins", modify files in C:\WINNT, or
> > modify the local registry, etc.
> >
> > On a W2K workstation, in the Local Users and Groups applet I can see
> > that the local "Administrators" does in fact contain "PD/Domain Admins"
> > and it gives a partial listing of the group's SID.
> >
> > I cannot confirm if this is the same SID as my SID in samba for "Domain
> > Admins". It should be the same, right? Can anyone suggest a tool I could
> > use to confirm this?
> >
> > I *really* don't want to have to add a domain group of people who should
> > be local administrator to the local administrators group on each
> > workstation, as we have quite a number of workstations, so I have not
> > tried this yet...
> >
> > Can someone else suggest something for me to check or try? Thanks!
> >
> > mtoal
> >
> > -------------------------------------------------------------------------------------------
> >
> > [root at pd1 ~]# net groupmap list
> > System Operators (S-1-5-32-549) -> -1
> > Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
> > Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) ->
> > domainadmin
> > Replicators (S-1-5-32-552) -> -1
> > Guests (S-1-5-32-546) -> -1
> > Domain Guests (S-1-5-21-2634632689-992284068-1313363551-514) -> -1
> > Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
> > Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
> > Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
> > Power Users (S-1-5-32-547) -> -1
> > Print Operators (S-1-5-32-550) -> domainadmin
> > Administrators (S-1-5-32-544) -> domainadmin
> > cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid
> > Account Operators (S-1-5-32-548) -> -1
> > seint (S-1-5-21-2634632689-992284068-1313363551-2157) -> seint
> > Backup Operators (S-1-5-32-551) -> -1
> > Users (S-1-5-32-545) -> -1
> >
> > -------------------------------------------------------------------------------------------
> >
> > [root at pd1 ~]# cat /etc/samba/smb.conf
> >
> > log level = 4
> >
> > netbios name = pd1
> > workgroup = pd
> >
> > os level = 200
> > preferred master = no
> > domain master = yes
> > local master = no
> >
> > wins support = no
> > wins server = 192.168.18.14
> > name resolve order = wins lmhosts
> > enhanced browsing = no
> >
> > security = user
> > encrypt passwords = yes
> >
> > domain logons = yes
> > logon path =
> > logon drive = Z:
> > logon home = \\%L\%u
> > logon script = logon.bat
> >
> > add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
> >
> > use client driver = yes
> >
> > host msdfs = yes
> >
> > guest account = guest
> > map to guest = bad user
> >
> > username map = /etc/samba/smbusers
> > admin users = @domainadmin
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
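The check Dana describes above (find the "Domain Admins" mapping whose SID does not belong to the domain SID reported by `net getlocalsid`) can be scripted so it is not done by eye. The following is an added example and is not code from the thread or from the Samba project; it assumes you paste the real output of `net getlocalsid` and `net groupmap list` into the two variables (the sample values below are constructed from the listing Morgan posted). Built-in aliases (S-1-5-32-*) are not domain SIDs and are left alone.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): list group mappings
# whose domain SID does not match this server's own domain SID.
# On a live PDC, replace the two values below with the output of
#   net getlocalsid      (domain portion only, no trailing RID)
#   net groupmap list

# Constructed from the thread: the domain SID that 'net getlocalsid' would
# report for the server in question.
LOCAL_SID="S-1-5-21-2634632689-992284068-1313363551"

# Constructed sample: a subset of the 'net groupmap list' output in the thread,
# with the wrapped "Domain Admins" line joined back onto one line.
GROUPMAP_LISTING='System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> domainadmin
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
Administrators (S-1-5-32-544) -> domainadmin'

# Print every mapping whose SID is a domain SID (S-1-5-21-...) but whose
# domain portion (everything before the final RID) differs from $1.
# Usage: stale_mappings "<local domain sid>" "<net groupmap list output>"
stale_mappings() {
    printf '%s\n' "$2" | awk -v local="$1" '
        {
            # Each line looks like: Group Name (SID) -> unixgroup
            sid = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\(S-1-5-/) { sid = substr($i, 2, length($i) - 2); break }
            if (sid == "") next
            # Built-in aliases (S-1-5-32-*) are not domain SIDs; skip them.
            if (sid ~ /^S-1-5-32-/) next
            domain = sid
            sub(/-[0-9]+$/, "", domain)      # strip the trailing RID
            if (domain != local) print
        }'
}

# Number of stale mappings found (awk so that "none" is 0, not an error).
count_stale() {
    stale_mappings "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: show what would need removing.
stale_mappings "$LOCAL_SID" "$GROUPMAP_LISTING"
```

Each line printed is a mapping carried over from the old server's domain SID; with two mappings sharing the name "Domain Admins", remove the stale one by its SID rather than by name (`net groupmap delete sid=S-1-5-21-...-512`), then confirm with `net groupmap list` that the surviving "Domain Admins" entry maps to the intended Unix group. Running the check again should print nothing.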

