[Samba] Re: Domain admins not getting local admin rights

Morgan Toal mtoal at burlingtoniowa.org
Fri Jan 28 15:33:30 GMT 2005 

Hi there,

Thanks to everyone for their suggestions.

Unfortunately, I must be missing something, I did delete the 
group_mappings.tdb and re-create my groups. This has not improved the 
situation unfortunately.

Where else might I look?

An aside question: how can I be sure, from the perspective of the 
Windows workstation, what exactly Windows sees my group 
memberships/priveleges? I don't know of a way to determine this, some 
little utility or applet?

Thanks,

mtoal


John H Terpstra wrote:
> On Thursday 27 January 2005 16:00, Dana Forte wrote:
> 
>>Looks like there are 2 "Domain Admin" ntgroups, each with a different SID.
>>Delete the one that doesn't match the domain portion of the output of 'net
>>getlocalsid', then make sure the one that is left is mapped to the correct
>>unixgroup.
> 
> 
> Alternately, stop samba then delete the group_mapping.tdb file, restart samba 
> and then remap your groups. Example:
> 
> net groupmap modify ntgroup="Domain Admins" unixgroup=flyingpigs
> 
> Cheers,
> John T.
> 
> 
>>
>>"Morgan Toal" <mtoal at burlingtoniowa.org> wrote in message
>>news:41F9625A.8030609 at burlingtoniowa.org...
>>
>>
>>>Hi there,
>>>
>>>I switched servers yesterday.
>>>The old server was running 2.2.7a-1 on RedHat 8.0.
>>>The new server is 3.0.8-0.pre1.3 on Fedora Core 3.
>>>
>>>I did the migration by copying the following:
>>>/etc/passwd
>>>/etc/group
>>>/etc/shadow
>>>/etc/samba/*
>>>
>>>I then copied /home and fixed all the permissions on stuff.
>>>
>>>I then started up samba on the new server, and unplugged the old one.
>>>
>>>Most everything went smoothly, everyone could log in, we did not have to
>>>re-join client comptuters to the domain.
>>>
>>>However, I am not understanding why my domain administrator accounts are
>>>now not getting local administrator priveleges when logged in. This
>>>always worked fine on Samba 2.2.7a-1!
>>>
>>>I now cannot, when logged in on a W2K workstation as a domain user called
>>>"nsu", which is a member of "domain admins", modify files in C:\WINNT, or
>>>modify the local registry, etc.
>>>
>>>On a W2K orkstation, In the Local Users and Groupsd8� applet I can see
>>>that the local "Administrators" does in fact contain "PD/Domain Admins"
>>>and it gines a partial listing of the group's SID.
>>>
>>>I cannot confirm if this is the same SID as my SID in samba for "Domain
>>>Admins". It should be the same, right? Can anyone suggest a tool I could
>>>use to confirm this?
>>>
>>>I *really* don't want to have to add a domain group of people who should
>>>be local administrator to the local administrators group on each
>>>workstation, as we have quite a number of workstations, so I have not
>>>tried this yet...
>>>
>>>Can someone else suggest something for me to check or try? Thanks!
>>>
>>>mtoal
>>>
>>>-------------------------------------------------------------------------
>>>----------------
>>>
>>>[root at pd1 ~]# net groupmap list
>>>System Operators (S-1-5-32-549) -> -1
>>>Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
>>>Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) ->
>>>domainadmin
>>>Replicators (S-1-5-32-552) -> -1
>>>Guests (S-1-5-32-546) -> -1
>>>Domain Guests (S-1-5-21-2634632689-992284068-1313363551-514) -> -1
>>>Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
>>>Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
>>>Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
>>>Power Users (S-1-5-32-547) -> -1
>>>Print Operators (S-1-5-32-550) -> domainadmin
>>>Administrators (S-1-5-32-544) -> domainadmin
>>>cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid
>>>Account Operators (S-1-5-32-548) -> -1
>>>seint (S-1-5-21-2634632689-992284068-1313363551-2157) -> seint
>>>Backup Operators (S-1-5-32-551) -> -1
>>>Users (S-1-5-32-545) -> -1
>>>
>>>-------------------------------------------------------------------------
>>>----------------
>>>
>>>[root at pd1 ~]# cat /etc/samba/smb.conf
>>>
>>>log level = 4
>>>
>>>netbios name = pd1
>>>workgroup = pd
>>>
>>>os level = 200
>>>preferred master = no
>>>domain master = yes
>>>local master = no
>>>
>>>wins support = no
>>>wins server = 192.168.18.14
>>>name resolve order = wins lmhosts
>>>enhanced browsing = no
>>>
>>>security = user
>>>encrypt passwords = yes
>>>
>>>domain logons = yes
>>>logon path =
>>>logon drive = Z:
>>>logon home = \\%L\%u
>>>logon script = logon.bat
>>>
>>>add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M
>>>%u
>>>
>>>use client driver = yes
>>>
>>>host msdfs = yes
>>>
>>>guest account = guest
>>>map to guest = bad user
>>>
>>>username map = /etc/samba/smbusers
>>>admin users = @domainadmin
>>>
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
>

More information about the samba mailing list