[Samba] samba group rights problem (Domain Admins not working)

kissg mail.gery at gmail.com
Wed Jul 23 08:39:48 GMT 2008


By the way, it can be a bug in the new version of OpenLDAP, or a permission
problem (Samba is unable to read a required attribute etc.).
Check the OpenLDAP list, or post a bug report, if you haven't already done
so.

2008/7/23 Jeroen Vriesman <linuxificator at gmail.com>:

> Thanks for the reply,
>
> I did check that, I should have posted that in the original mail.
>
> The group ends with -512 and has gid 512, my 'administrator' account is
> called root, but this is about the members of the 'Domain Admins' group, the
> group maps to 'Domain Admins' (I use pam/nssldap config, where 'getent
> group' shows all the ldap groups as local groups, so the map is ok by
> default).
>
> Before the ldap upgrade it worked, and the ldap data is exactly the same.
>
> So I'm a bit lost, I do have the schema with sambaSID SUB and a sub index
> on sambaSID, the schemas are also the same as in the old situation.
>
> cheers,
> Jeroen.
>
>
>
> On Tue, Jul 22, 2008 at 8:02 PM, kissg <mail.gery at gmail.com> wrote:
>
>> Check the GID of your Domain Admins group. It should end with "512" and
>> should be mapped to a UNIX group which has a GID of the same value. If it's
>> anything else, that can be a reason why your admin users actually don't have
>> administrator rights on the client machines.
>>
>> Run the following command to see what your group mappings look like:
>>
>> net groupmap list
>>
>> You should see the number 512 at the end of the Domain Admins SID.
>>
>> After you have verified that your Domain Admins group has the appropriate
>> SID, check the UID and GID of an administrative user, for example:
>>
>> id administrator
>>
>> You should see "gid=512" in the output of the command.
>>
>> Regards
>> Gergely Kiss
>>
>> 2008/7/22 Jeroen Vriesman <linuxificator at gmail.com>:
>>
>>> Hi list,
>>>
>>> after upgrading our ldap server, the Domain Admins group doesn't work
>>> anymore.
>>>
>>> Members of the domain admins group don't have any special rights on the
>>> workstations (for example, they cannot even change the date of a machine in
>>> the domain anymore).
>>>
>>> When I look up the group members I get:
>>>
>>> root at hermes:/etc/samba# net rpc group members 'Domain Admins'
>>> Password:
>>> HIVOS.NL\root
>>> HIVOS.NL\foctaaf
>>> HIVOS.NL\lhilarides
>>> HIVOS.NL\administrator
>>> HIVOS.NL\executor
>>> HIVOS.NL\fbodijn
>>> HIVOS.NL\psomer
>>> HIVOS.NL\jvriesman
>>>
>>> And the rights of the group:
>>> root at hermes:/etc/samba# net rpc rights list 'Domain Admins'
>>> Password:
>>> SeMachineAccountPrivilege
>>> SeRemoteShutdownPrivilege
>>> SePrintOperatorPrivilege
>>> SeAddUsersPrivilege
>>> SeDiskOperatorPrivilege
>>>
>>> That seems ok, but when I look up the rights of a member of the Domain Admins
>>> group:
>>>
>>> root at hermes:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
>>> Password:
>>> SeAddUsersPrivilege
>>>
>>> root at hermes:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
>>> Password:
>>> <nothing here>
>>>
>>> Any idea why members of the Domain Admin group do not get the rights of the
>>> group?
>>>
>>> cheers,
>>> Jeroen.
>>
>>
>
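
The checks from the quoted reply (Domain Admins SID ending in 512, mapped UNIX group with GID 512, admin user carrying that GID) can be scripted. This is an added example, not part of the original thread; it assumes `net groupmap list` prints lines of the form `NT group (SID) -> UNIX group`, and the sample SID, group names and user `alice` are constructed.

```shell
#!/bin/sh
# Constructed sample input (not from the thread); the domain SID is made up.
SAMPLE_GROUPMAP='Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins'
SAMPLE_GETENT='domusers:*:513:
Domain Admins:*:512:root,alice'
SAMPLE_ID='uid=1005(alice) gid=513(domusers) groups=513(domusers),512(Domain Admins)'

# check_domain_admins GROUPMAP GETENT ID_OUTPUT
#   GROUPMAP  : output of `net groupmap list`
#   GETENT    : output of `getent group`
#   ID_OUTPUT : output of `id <user>` for one admin user
# Prints one finding per line; returns 0 only if every check passes.
check_domain_admins() {
    rc=0
    line=$(printf '%s\n' "$1" | grep '^Domain Admins (' | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no group mapping for Domain Admins"; return 1
    fi
    sid=$(printf '%s\n' "$line" | sed 's/^[^(]*(\([^)]*\)).*$/\1/')
    unix_group=${line#*) -> }
    # The RID is the last dash-separated field of the SID.
    if [ "${sid##*-}" = 512 ]; then echo "OK: SID $sid ends in 512"
    else echo "FAIL: SID $sid does not end in 512"; rc=1; fi
    # Resolve the mapped UNIX group (names may contain spaces) via the NSS data.
    gid=$(printf '%s\n' "$2" | awk -F: -v g="$unix_group" '$1 == g { print $3; exit }')
    if [ -z "$gid" ]; then
        echo "FAIL: UNIX group '$unix_group' not found"; return 1
    fi
    if [ "$gid" = 512 ]; then echo "OK: '$unix_group' has gid 512"
    else echo "FAIL: '$unix_group' has gid $gid, not 512"; rc=1; fi
    # Every gid in the id output appears as <number>( after "gid=".
    gids=$(printf '%s\n' "${3#* gid=}" | grep -o '[0-9][0-9]*(')
    if printf '%s\n' "$gids" | grep -qx "$gid("; then
        echo "OK: user is in gid $gid"
    else echo "FAIL: user is not in gid $gid"; rc=1; fi
    return $rc
}

check_domain_admins "$SAMPLE_GROUPMAP" "$SAMPLE_GETENT" "$SAMPLE_ID"
```

On a live server the three arguments would be `"$(net groupmap list)"`, `"$(getent group)"` and `"$(id <user>)"`.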

