SOLUTION Re: [Samba] Domain admins not getting local admin rights

Morgan Toal mtoal at
Fri Jan 28 18:28:45 GMT 2005

OK here's the deal, thanks especially to John for your time today and 
remedial attention :)

My issue, to repeat myself, was that I was logging in as a domain 
administrator on a Windows box, and while I was domain administrator 
just fine, I was not having local administrator rights on that box. For 
example, I could not install software, or change the network connection, 
things like that which are a pain in the keester.

Turns out I had several issues going on, pretty much all relating to the 
fact that I had simply migrated my samba v2.2 configuration in situ and 
expected it to just work, and mostly it just did... mostly...

1. I was still using smbpasswd, and needed to move to tdbsam. Apparently 
  I could have done net groupmaps all day and these are ignored if 
you're not using tdbsam as your authentication mechanism as smbpasswd 
cannot tie together the SIDS and such which results in users 
disconnected with their appropriate group memberships. (correct me if I 
am wrong). So I converted it with:

   pdbedit -i smbpasswd -e tdbsam

This process took all of 2 seconds.

2. I needed to modify the [global] section in my smb.conf to conform to 
v3 features. For example I did not have the "add machine script" 
directive set. I basically copied the one in the "impatient" section of 
the howto. I needed to set "passdb backend = tdbsam" since we're using 
this now.

3. I probably did not need to, but I stopped samba, blew away my old 
/var/cache/samba/group_mapping.tdb and restarted samba.

4. I had to remap my groups, since i nuked group_mapping.tdb:

   net groupmap modify ntgroup="Domain Admins" unixgroup=domainadmin

5. I logged out on my windows box as the domain admin user, and logged 
back in as that same user. Lo and behold, I am local administrator 
again. Whoo-hoo!!! :)

thanks again!


Morgan Toal wrote:
> Hi there,
> I switched servers yesterday.
> The old server was running 2.2.7a-1 on RedHat 8.0.
> The new server is 3.0.8-0.pre1.3 on Fedora Core 3.
> I did the migration by copying the following:
> /etc/passwd
> /etc/group
> /etc/shadow
> /etc/samba/*
> I then copied /home and fixed all the permissions on stuff.
> I then started up samba on the new server, and unplugged the old one.
> Most everything went smoothly, everyone could log in, we did not have to 
> re-join client comptuters to the domain.
> However, I am not understanding why my domain administrator accounts are 
> now not getting local administrator priveleges when logged in. This 
> always worked fine on Samba 2.2.7a-1!
> I now cannot, when logged in on a W2K workstation as a domain user 
> called "nsu", which is a member of "domain admins", modify files in 
> C:\WINNT, or modify the local registry, etc.
> On a W2K orkstation, In the Local Users and Groups applet I can see that 
> the local "Administrators" does in fact contain "PD/Domain Admins" and 
> it gines a partial listing of the group's SID.
> I cannot confirm if this is the same SID as my SID in samba for "Domain 
> Admins". It should be the same, right? Can anyone suggest a tool I could 
> use to confirm this?
> I *really* don't want to have to add a domain group of people who should 
> be local administrator to the local administrators group on each 
> workstation, as we have quite a number of workstations, so I have not 
> tried this yet...
> Can someone else suggest something for me to check or try? Thanks!
> mtoal

More information about the samba mailing list