[Samba] samba group rights problem (Domain Admins not working)

kissg mail.gery at gmail.com
Wed Jul 23 08:36:25 GMT 2008


Could you please post your config files (/etc/samba/smb.conf,
/etc/ldap.conf, /etc/ldap/slapd.conf, /etc/smbldap-tools/smbldap.conf,
smbldap_bind.conf)?
Try to set "loglevel 256" in slapd.conf and "log level = 10" in smb.conf,
and check messages in syslog while logging in as an administrative user.
There should be at least one error message in the log, which will tell you
what causes this strange problem.

2008/7/23 Jeroen Vriesman <linuxificator at gmail.com>:

> Thanks for the reply,
>
> I did check that, I should have posted that in the original mail.
>
> The group ends with -512, and, has gid 512, my 'administrator' account is
> called root, but this is about the members of the 'Domain Admins' group, the
> group maps to 'Domain Admins' (I use pam/nssldap config, where 'getent
> group' shows all the ldap groups as local groups, so the map is ok by
> default).
>
> Before the ldap upgrade it worked, and the ldap data is exactly the same.
>
> So I'm a bit lost, I do have the schema with sambaSID SUB and a sub index
> on sambaSID, the schemas are also the same as in the old situation.
>
> cheers,
> Jeroen.
>
>
>
> On Tue, Jul 22, 2008 at 8:02 PM, kissg <mail.gery at gmail.com> wrote:
>
>> Check the GID of your Domain Admins group. It should end with "512" and
>> should be mapped to a UNIX group which has a GID of the same value. If it's
>> anything else, that can be a reason why your admin users actually don't have
>> administrator rights on the client machines.
>>
>> Run the following command to see what your group mappings look like:
>>
>> net groupmap list
>>
>> You should see the number 512 at the end of the Domain Admins SID.
>>
>> After you have verified that your Domain Admins group has the appropriate
>> SID, check the UID and GID of an administrative user, for example:
>>
>> id administrator
>>
>> You should see "gid=512" in the output of the command.
>>
>> Regards
>> Gergely Kiss
>>
>> 2008/7/22 Jeroen Vriesman <linuxificator at gmail.com>:
>>
>>> Hi list,
>>>
>>> after upgrading our ldap server, the Domain Admins group doesn't work
>>> anymore.
>>>
>>> Members of the domain admins group don't have any special rights on the
>>> workstations (for example, they cannot even change the date of a machine
>>> in the domain anymore).
>>>
>>> When I lookup the group members I get:
>>>
>>> root@hermes:/etc/samba# net rpc group members 'Domain Admins'
>>> Password:
>>> HIVOS.NL\root
>>> HIVOS.NL\foctaaf
>>> HIVOS.NL\lhilarides
>>> HIVOS.NL\administrator
>>> HIVOS.NL\executor
>>> HIVOS.NL\fbodijn
>>> HIVOS.NL\psomer
>>> HIVOS.NL\jvriesman
>>>
>>> And the rights of the group:
>>> root@hermes:/etc/samba# net rpc rights list 'Domain Admins'
>>> Password:
>>> SeMachineAccountPrivilege
>>> SeRemoteShutdownPrivilege
>>> SePrintOperatorPrivilege
>>> SeAddUsersPrivilege
>>> SeDiskOperatorPrivilege
>>>
>>> That seems ok, but when I lookup the rights of a member of the Domain
>>> Admins group:
>>>
>>> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
>>> Password:
>>> SeAddUsersPrivilege
>>>
>>> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
>>> Password:
>>> <nothing here>
>>>
>>> Any idea why members of the Domain Admin group do not get the rights of
>>> the group?
>>>
>>> cheers,
>>> Jeroen.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>>
>>
>>
>
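The RID-512 check Gergely describes above (Domain Admins must carry RID 512 and map to a UNIX group with GID 512, and an admin user must show that GID in `id`) can be scripted so it is repeated after every LDAP or Samba change. The following is an added example, not code from the thread or from the Samba project; the `net groupmap list`, `getent group` and `id` outputs are constructed samples embedded inline (with a made-up domain SID) so the checks run offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify the Samba "Domain Admins" group mapping.
# Expected: RID 512 in the group SID, mapped UNIX group with GID 512,
# and an administrative user whose primary GID is 512.

# Constructed sample of `net groupmap list` output: name (SID) -> unixgroup.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users'

# Constructed sample of `getent group` output (ldap groups shown as local groups).
SAMPLE_GETENT='Domain Admins:x:512:root,jvriesman
Domain Users:x:513:'

# Constructed sample of `id` output for an administrative user.
SAMPLE_ID='uid=1001(jvriesman) gid=512(Domain Admins) groups=512(Domain Admins),513(Domain Users)'

# rid_of_group NAME GROUPMAP_OUTPUT -> prints the RID (last SID component)
rid_of_group() {
    printf '%s\n' "$2" | sed -n "s/^$1 (S-[0-9-]*-\([0-9]*\)) -> .*/\1/p"
}

# unix_group_of NAME GROUPMAP_OUTPUT -> prints the UNIX group the name maps to
unix_group_of() {
    printf '%s\n' "$2" | sed -n "s/^$1 (S-[0-9-]*) -> \(.*\)$/\1/p"
}

# gid_of_unix_group NAME GETENT_OUTPUT -> prints the numeric GID of that group
gid_of_unix_group() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# primary_gid ID_OUTPUT -> prints the numeric primary GID from `id` output
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9]*\)(.*/\1/p'
}

# check_domain_admins GROUPMAP_OUTPUT GETENT_OUTPUT
# Prints "ok" and returns 0 when both the RID and the mapped GID are 512,
# otherwise prints a diagnostic and returns 1.
check_domain_admins() {
    rid=$(rid_of_group 'Domain Admins' "$1")
    ug=$(unix_group_of 'Domain Admins' "$1")
    gid=$(gid_of_unix_group "$ug" "$2")
    if [ "$rid" != 512 ]; then
        echo "Domain Admins RID is '$rid', expected 512"
        return 1
    fi
    if [ "$gid" != 512 ]; then
        echo "Domain Admins maps to '$ug' with GID '$gid', expected 512"
        return 1
    fi
    echo ok
}

# On a live server replace the samples with real output, e.g.:
#   check_domain_admins "$(net groupmap list)" "$(getent group)"
#   primary_gid "$(id administrator)"
check_domain_admins "$SAMPLE_GROUPMAP" "$SAMPLE_GETENT"
primary_gid "$SAMPLE_ID"
```

A non-zero return from `check_domain_admins` points at the mapping itself (wrong RID or a UNIX group whose GID is not 512); when the mapping is fine but `primary_gid` returns something else for the admin account, the problem is on the user side of the LDAP data rather than in the group map.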

