SOLUTION Re: [Samba] Domain admins not getting local admin rights
Morgan Toal
mtoal at burlingtoniowa.org
Fri Jan 28 18:28:45 GMT 2005
OK here's the deal, thanks especially to John for your time today and
remedial attention :)
My issue, to repeat myself, was that I was logging in as a domain
administrator on a Windows box, and while I was domain administrator
just fine, I was not having local administrator rights on that box. For
example, I could not install software, or change the network connection,
things like that which are a pain in the keester.
Turns out I had several issues going on, pretty much all relating to the
fact that I had simply migrated my samba v2.2 configuration in situ and
expected it to just work, and mostly it just did... mostly...
1. I was still using smbpasswd, and needed to move to tdbsam. Apparently
I could have done net groupmaps all day and these are ignored if
you're not using tdbsam as your authentication mechanism as smbpasswd
cannot tie together the SIDs and such, which results in users
disconnected from their appropriate group memberships. (correct me if I
am wrong). So I converted it with:
pdbedit -i smbpasswd -e tdbsam
This process took all of 2 seconds.
2. I needed to modify the [global] section in my smb.conf to conform to
v3 features. For example I did not have the "add machine script"
directive set. I basically copied the one in the "impatient" section of
the howto. I needed to set "passdb backend = tdbsam" since we're using
this now.
3. I probably did not need to, but I stopped samba, blew away my old
/var/cache/samba/group_mapping.tdb and restarted samba.
4. I had to remap my groups, since I nuked group_mapping.tdb:
net groupmap modify ntgroup="Domain Admins" unixgroup=domainadmin
5. I logged out on my windows box as the domain admin user, and logged
back in as that same user. Lo and behold, I am local administrator
again. Whoo-hoo!!! :)
thanks again!
mtoal
Morgan Toal wrote:
> Hi there,
>
> I switched servers yesterday.
> The old server was running 2.2.7a-1 on RedHat 8.0.
> The new server is 3.0.8-0.pre1.3 on Fedora Core 3.
>
> I did the migration by copying the following:
> /etc/passwd
> /etc/group
> /etc/shadow
> /etc/samba/*
>
> I then copied /home and fixed all the permissions on stuff.
>
> I then started up samba on the new server, and unplugged the old one.
>
> Most everything went smoothly, everyone could log in, we did not have to
> re-join client computers to the domain.
>
> However, I am not understanding why my domain administrator accounts are
> now not getting local administrator privileges when logged in. This
> always worked fine on Samba 2.2.7a-1!
>
> I now cannot, when logged in on a W2K workstation as a domain user
> called "nsu", which is a member of "domain admins", modify files in
> C:\WINNT, or modify the local registry, etc.
>
> On a W2K workstation, in the Local Users and Groups applet I can see that
> the local "Administrators" does in fact contain "PD/Domain Admins" and
> it gives a partial listing of the group's SID.
>
> I cannot confirm if this is the same SID as my SID in samba for "Domain
> Admins". It should be the same, right? Can anyone suggest a tool I could
> use to confirm this?
>
> I *really* don't want to have to add a domain group of people who should
> be local administrator to the local administrators group on each
> workstation, as we have quite a number of workstations, so I have not
> tried this yet...
>
> Can someone else suggest something for me to check or try? Thanks!
>
> mtoal
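The SID check asked about in the quoted message, and the group-mapping step of the fix, as an added example (this is not code from the original post or from the Samba project). What the workstation's local Administrators group holds is the domain SID plus the well-known RID 512 for "Domain Admins" (513 for "Domain Users", 514 for "Domain Guests"), so the server-side check is that `net groupmap list` maps those names to exactly those SIDs under the SID printed by `net getlocalsid`. The output formats parsed below are assumed to be the Samba 3 ones shown in the comments, and the sample output is constructed for offline use; the `check_live` function runs the same checks against a real server.

```shell
#!/bin/sh
# Added example, not part of the original post. Verifies that Samba 3
# group mappings carry the well-known RIDs under the server's domain SID.
#
# Assumed output formats (Samba 3.x, not taken from the post):
#   net getlocalsid   -> "SID for domain PD is: S-1-5-21-..."
#   net groupmap list -> "Domain Admins (S-1-5-21-...-512) -> domainadmin"

# Constructed sample output standing in for the two commands.
SAMPLE_LOCALSID='SID for domain PD is: S-1-5-21-1004336348-1177238915-682003330'
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1004336348-1177238915-682003330-512) -> domainadmin
Domain Users (S-1-5-21-1004336348-1177238915-682003330-513) -> users
Domain Guests (S-1-5-21-999999999-999999999-999999999-514) -> nobody'
# The third line is a deliberately stale mapping under a different domain
# SID, the kind of leftover that survives copying tdb files between servers.

# Print the domain SID found in `net getlocalsid` output ($1).
domain_sid_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*is: *\(S-[0-9-]*\).*/\1/p' | head -n 1
}

# Print the SID that NT group $2 maps to in `net groupmap list` output ($1).
groupmap_sid() {
    printf '%s\n' "$1" | awk -v g="$2" -F '[()]' '
        index($1, g " ") == 1 { print $2; exit }'
}

# Print the unix group that NT group $2 maps to in groupmap output ($1).
groupmap_unixgroup() {
    printf '%s\n' "$1" | awk -v g="$2" '
        index($0, g " (") == 1 { sub(/.*-> */, ""); print; exit }'
}

# Succeed only if NT group $3 maps to "<domain SID $1>-<RID $4>" in output $2.
check_mapping() {
    want="$1-$4"
    got=$(groupmap_sid "$2" "$3")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Run the checks against constructed ($1, $2) or live output; 0 if all pass.
check_all() {
    sid=$(domain_sid_from_output "$1")
    [ -n "$sid" ] || { echo "no domain SID found"; return 1; }
    rc=0
    for pair in "Domain Admins:512" "Domain Users:513" "Domain Guests:514"; do
        name=${pair%%:*}; rid=${pair##*:}
        if check_mapping "$sid" "$2" "$name" "$rid"; then
            echo "ok       $name -> $(groupmap_unixgroup "$2" "$name")"
        else
            echo "MISMATCH $name: expected $sid-$rid, got '$(groupmap_sid "$2" "$name")'"
            rc=1
        fi
    done
    return $rc
}

# Same checks against a running Samba 3 server (needs `net` in PATH).
check_live() {
    check_all "$(net getlocalsid)" "$(net groupmap list)"
}

# Stand-alone demonstration on the constructed sample: the first two
# mappings pass and the stale "Domain Guests" line is reported.
check_all "$SAMPLE_LOCALSID" "$SAMPLE_GROUPMAP" || true
```

A MISMATCH line for "Domain Admins" is the condition the quoted message was trying to confirm: the workstation still trusts the old domain SID plus 512, while the server hands out a different SID for that group, and the fix is the `net groupmap modify` step from the reply (after confirming `net getlocalsid` still shows the old server's domain SID).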