[Samba] Permissions problem/misunderstanding ... "Domain Admins" vs. Administrators
Steve Williams
steve at celineandsteve.com
Wed Jul 20 22:39:17 GMT 2005
Hi,
Using Samba 3.0.14a and AIX 4.3, I have been able to join PCs to the
domain without any problem. It "just works". I am using local profiles,
and serving login batch files from the server, and that "just works". So
far, I'm a happy camper.
Now, I am trying to understand permissions so that I can
actually use the "moveuser.exe" command from the "Windows Server 2003
Resource Kit Tools"
(http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en).
This is on Windows XP Pro SP2 with all recent patches.
I am trying to "Copy" the existing local user profile to the Domain so they
retain their desktop & favorites, etc. The "moveuser" command says that
it needs to run with the permissions of someone able to write the profile.
So, I figure a user in the "Domain Admins" group should be able to do
this. Have complete access to the local PC and complete access to the
Samba server. I keep getting a "Permission Denied" error.
Here's the lead up:
Following the directions in the Samba3-HOWTO.pdf (page 226), I created a
group "domadm" in /etc/groups consisting of:
domadm:!:1000:keith,root,steve
Then, I did a:
net groupmap add ntgroup="Domain Admins" unixgroup=domadm
on the AIX Server:
AIX# net rpc group
Password:
Domain Admin
System Operators
Replicators
Guests
Power Users
Print Operators
Administrators
Account Operators
Backup Operators
Users
and:
AIX# net rpc group members "Domain Admins"
Password:
AIXDOM\keith
AIXDOM\root
AIXDOM\steve
So, that all looks fine. From the Windows XP SP2 server:
C:\>net localgroup
Aliases for \\OKE_OFFICE
-----------------------------------
*Administrators
*Backup Operators
*BCMUsers
*Debugger Users
*Guests
*HelpServicesGroup
*Network Configuration Operators
*Power Users
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.
and
C:\>net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-----------------------------------------------------------------------
Administrator
Dianne
AIXDOM\Domain Admins
The command completed successfully.
and again from the XP SP2 box:
C:\>net group "Domain Admins" /domain
The request will be processed at a domain controller for domain AIXDOM.
Group name Domain Admins
Comment Domain Unix group
Members
---------------------------------------------------------------------------
keith root steve
The command completed successfully.
Ok, so as far as I can tell, the connectivity is all the way through.
I do have a username map for Administrator to "root" (I know 3.0.14a does
not need "root", but I am trying to narrow the options for me screwing
up).
But if I log onto the XP SP2 workstation as "root" and the appropriate
password, everything seems sane. In my mind, I should now have the same
power as the local "Administrator" user on that PC.
However, if I browse My Computer, I CANNOT go into any other user's
"Documents and Settings" folder other than root's. I think there is
something very very wrong here, but I cannot figure out for the life of me
what it is! If I log in as Administrator to the local workstation, I can
access everywhere on the drive... This is driving me crazy! I am missing
some subtle piece of the puzzle... or maybe not so subtle! lol..
Hum... one other piece of (perhaps) relevant information is that I am
running smbpasswd backend for now. I cannot upgrade because the samba
password file has about 250 users that are not in the /etc/groups. When I
import the smbpasswd into the tdbsam, I get lots of errors & ppl cannot
log on :-( That will be my next thing, awk script to clean the smbpasswd
file (relative to the /etc/passwd file).
Does anyone have ANY advice?
Thanks,
Steve Williams
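
Added example, not part of the original post: one way to do the smbpasswd cleanup mentioned above before a tdbsam import, splitting entries by whether the user exists in the Unix passwd file. It assumes the username is field 1 of each colon-separated smbpasswd line and matches the passwd name exactly; the function names `split_smbpasswd` and `demo` and the sample accounts and hash placeholders are constructed.

```shell
#!/bin/sh
# Added example: separate smbpasswd entries that have a matching Unix
# account from orphans that do not, so orphans can be reviewed before import.

# usage: split_smbpasswd PASSWD SMBPASSWD KEEP_OUT ORPHAN_OUT
split_smbpasswd() {
    passwd_file=$1 smb_file=$2 keep_out=$3 orphan_out=$4
    # Create both outputs empty and owner-only first: they will hold hashes.
    : > "$keep_out"; : > "$orphan_out"
    chmod 600 "$keep_out" "$orphan_out"
    awk -F: -v keep="$keep_out" -v orphan="$orphan_out" '
        # First file: remember every Unix account name.
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) known[$1] = 1; next }
        # Second file: drop comments and blank lines, then sort each entry.
        /^#/ || /^[ \t]*$/ { next }
        ($1 in known) { print > keep; next }
        { print > orphan }
    ' "$passwd_file" "$smb_file"
}

# Runs the split on constructed sample files and prints the orphan usernames.
demo() {
    d=$(mktemp -d) || return 1
    x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   # constructed placeholder hash field
    printf '%s\n' 'root:!:0:0::/:/bin/ksh' \
        'steve:!:201:1::/home/steve:/bin/ksh' > "$d/passwd"
    printf '%s\n' '# constructed sample' \
        "root:0:$x:$x:[U          ]:LCT-00000000:" \
        "ghost:999:$x:$x:[U          ]:LCT-00000000:" \
        "steve:201:$x:$x:[U          ]:LCT-00000000:" > "$d/smbpasswd"
    split_smbpasswd "$d/passwd" "$d/smbpasswd" "$d/keep" "$d/orphan"
    cut -d: -f1 "$d/orphan"
    rm -rf "$d"
}

demo
```

Run it against copies of the real files, not the live smbpasswd, and check the orphan list by hand before discarding anything.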