[Samba] PDC Question For Windows Clients
Barry L. Kline
blkline at attglobal.net
Sat Jul 15 07:18:55 GMT 2006
zdennis wrote:
> Domain Admins (S-1-5-21-3040749549-2843134544-1782940832-512) -> Domain Admins
> Domain Users (S-1-5-21-3040749549-2843134544-1782940832-513) -> Domain Users
> Domain Guests (S-1-5-21-3040749549-2843134544-1782940832-514) -> Domain Guests
> Domain Computers (S-1-5-21-3040749549-2843134544-1782940832-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
Hmmm...

Well, it's fine for Windows to have a group called "Domain Admins" but
you need to have Unix groups where these can be mapped.

For example, my PDC returns the following:

Domain Admins (S-1-5-21-71265413-2685657396-3953940223-512) -> root
Domain Users (S-1-5-21-71265413-2685657396-3953940223-513) -> users
Domain Guests (S-1-5-21-71265413-2685657396-3953940223-514) -> nobody

You didn't mention (or I missed) what you're using for the password
backend (e.g. smbpasswd, tdbsam or ldapsam) but you need to ensure that
you have Unix groups. In John Terpstra's excellent "Samba-3 by Example"
he uses a script to do that, with the following commands:

net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

You may want to ensure that you really do have groups called "Domain
Admins", "Domain Guests" and "Domain Computers", keeping in mind that
spaces in user/group names in Unix aren't recommended.

Barry
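
Added example, not part of the original post: a shell check for the situation discussed above, where a groupmap entry points at a Unix group that does not exist on the host. The function name check_groupmap, the sample group database and the temp-file handling are assumptions made for the example; the two mapping lines are copied from the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): check that every Unix-side
# group named in "net groupmap list" output exists in a group database.
# usage: net groupmap list | check_groupmap <file in /etc/group format>

check_groupmap() {
    groupdb=$1
    missing=0
    while IFS= read -r line; do
        case $line in
            *" -> "*) ;;          # mapping lines: NT name (SID) -> unixgroup
            *) continue ;;
        esac
        unixgroup=${line##* -> }  # text after the last " -> "
        left=${line% -> *}
        ntgroup=${left% (S-*}     # drop the trailing "(S-...)" SID
        # Exact match on field 1, so names with spaces or regex characters are safe.
        if ! awk -F: -v g="$unixgroup" '$1 == g { f = 1 } END { exit !f }' "$groupdb"; then
            echo "MISSING: $ntgroup -> $unixgroup"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]          # non-zero status if any mapping is dangling
}

# Constructed group database (assumption: a host with only stock Unix groups).
sample_groupdb() {
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'nobody:x:65534:'
}

# Two mapping lines copied from the outputs quoted in the thread.
sample_groupmap() {
    printf '%s\n' \
        'Domain Admins (S-1-5-21-3040749549-2843134544-1782940832-512) -> Domain Admins' \
        'Domain Users (S-1-5-21-71265413-2685657396-3953940223-513) -> users'
}

db=$(mktemp)
sample_groupdb > "$db"
sample_groupmap | check_groupmap "$db" || echo "groupmap has dangling Unix groups"
rm -f "$db"
```

On a live PDC the group database can be produced with "getent group > file", which also covers groups coming from LDAP or other NSS sources.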