[Samba] Permissions problem/misunderstanding ... "Domain Admins" vs. Administrators

Steve Williams steve at celineandsteve.com
Wed Jul 20 22:39:17 GMT 2005


Hi,

Using Samba 3.0.14a and AIX 4.3, I have been able to join PCs to the
domain without any problem.  It "just works".  I am using local profiles,
and serving login batch files from the server, and that "just works".  So
far, I'm a happy camper.

Now, I am trying to understand permissions so that I can
actually use the "moveuser.exe" command from the "Windows Server 2003
Resource Kit Tools"
(http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en).
This is on Windows XP Pro SP2 with all recent patches.

I am trying to "Copy" the existing local user profile to the Domain so they
retain their desktop & favorites, etc.  The "moveuser" command says that
it needs to run with the permissions of someone able to write the profile.
So, I figure a user in the "Domain Admins" group should be able to do
this.  Have complete access to the local PC and complete access to the
Samba server.  I keep getting a "Permission Denied" error.

Here's the lead up:

Following the directions in the Samba3-HOWTO.pdf (page 226), I created a
group "domadm" in /etc/groups consisting of:

domadm:!:1000:keith,root,steve

Then, I did a:
net groupmap add ntgroup="Domain Admins" unixgroup=domadm

on the AIX Server:
AIX# net rpc group
Password:
Domain Admin
System Operators
Replicators
Guests
Power Users
Print Operators
Administrators
Account Operators
Backup Operators
Users

and:
AIX# net rpc group members "Domain Admins"
Password:
AIXDOM\keith
AIXDOM\root
AIXDOM\steve

So, that all looks fine.  From the Windows XP SP2 server:
C:\>net localgroup

Aliases for \\OKE_OFFICE

-----------------------------------
*Administrators
*Backup Operators
*BCMUsers
*Debugger Users
*Guests
*HelpServicesGroup
*Network Configuration Operators
*Power Users
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.

and

C:\>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the
computer/domain

Members

-----------------------------------------------------------------------
Administrator
Dianne
AIXDOM\Domain Admins
The command completed successfully.

and again from the XP SP2 box:
C:\>net group "Domain Admins" /domain
The request will be processed at a domain controller for domain AIXDOM.

Group name     Domain Admins
Comment        Domain Unix group

Members

---------------------------------------------------------------------------
keith                    root                     steve
The command completed successfully.

Ok, so as far as I can tell, the connectivity is all the way through.

I do have a username map for Administrator to "root" (I know 3.0.14a does
not need "root", but I am trying to narrow the options for me screwing
up).

But if I log onto the XP SP2 workstation as "root" and the appropriate
password, everything seems sane.  In my mind, I should now have the same
power as the local "Administrator" user on that PC.

However, if I browse My Computer, I CANNOT go into any other user's
"Documents and Settings" folder other than root's.  I think there is
something very very wrong here, but I cannot figure out for the life of me
what it is!  If I log in as Administrator to the local workstation, I can
access everywhere on the drive... This is driving me crazy!  I'm missing
some subtle piece of the puzzle... or maybe not so subtle!  lol..


Hum... one other piece of (perhaps) relevant information is that I am
running the smbpasswd backend for now.  I cannot upgrade because the samba
password file has about 250 users that are not in the /etc/groups.  When I
import the smbpasswd into the tdbsam, I get lots of errors & people cannot
log on :-(  That will be my next thing, an awk script to clean the smbpasswd
file (relative to the /etc/passwd file).

Does anyone have ANY advice?

Thanks,
Steve Williams
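The post checks the mapping chain by hand: the Unix group in /etc/group, then `net rpc group members "Domain Admins"`. The script below is an added example (not from Steve's post or from Samba) that automates that cross-check for a privileged mapped group: it parses an /etc/group-style line and a captured `net rpc group members` listing, and reports any account Samba counts as a member that is not in the Unix group. The sample data is constructed from the outputs quoted above, with one extra constructed account ("stray") so the check has something to flag; nothing here talks to a live server.

```shell
#!/bin/sh
# Constructed /etc/group-style line for the Unix group mapped to "Domain Admins".
ETC_GROUP_SAMPLE='domadm:!:1000:keith,root,steve'

# Constructed capture of: net rpc group members "Domain Admins"
# (the "stray" entry is invented to show what a mismatch looks like).
RPC_MEMBERS_SAMPLE='Password:
AIXDOM\keith
AIXDOM\root
AIXDOM\steve
AIXDOM\stray'

# unix_members <group> <etc_group_text>: print one member name per line
# from the group's fourth field.
unix_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# rpc_members <rpc_output>: drop the password prompt and the DOMAIN\ prefix,
# leaving bare account names, one per line.
rpc_members() {
    printf '%s\n' "$1" | grep -v '^Password:' | sed 's/^[^\\]*\\//'
}

# members_not_in_unix_group <group> <etc_group_text> <rpc_output>:
# print every RPC-reported member that is absent from the Unix group,
# i.e. accounts holding the mapped group's rights without appearing
# where the administrator expects to see them. Empty output means the
# two views agree.
members_not_in_unix_group() {
    expected=$(unix_members "$1" "$2")
    rpc_members "$3" | while IFS= read -r name; do
        printf '%s\n' "$expected" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Stand-alone run against the constructed samples.
echo "Unix members of domadm:"
unix_members domadm "$ETC_GROUP_SAMPLE"
echo "RPC members not in domadm:"
members_not_in_unix_group domadm "$ETC_GROUP_SAMPLE" "$RPC_MEMBERS_SAMPLE"
```

Against a real server, replace the two sample variables with `getent group domadm` (or the /etc/group line) and the saved output of `net rpc group members "Domain Admins"`.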
