[Samba] samba group rights problem (Domain Admins not working)

Stefan Dengscherz stefan.dengscherz at gmail.com
Thu Jul 24 06:27:35 GMT 2008


Hello Jeroen,


I just had the same problem you described. The cause of it was that
the LDAP configuration on my new OS (Ubuntu 8.04) included an option
to ignore the root user from LDAP:

nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,mysql,news,openldap,proxy,sshd,statd,sync,sys,syslog,uucp,www-data

in /etc/ldap.conf. I can't remember if it was the stock config file or
if I added it following some howto. However, the root user on the
server side was not a member of the 'Domain Admins' group because the
data came from /etc/passwd. I removed root from the ignore list and it
worked.

Just check on your PDC, if the root user is really a member of the
'Domain Admins' group with 'id root' - if not - there's your problem.


Kind regards,

-sd

2008/7/18 Jeroen Vriesman <linuxificator at gmail.com>:
> Hi list,
>
> after upgrading our ldap server, the Domain Admins group doesn't work
> anymore.
>
> Members of the domain admins group don't have any special rights on the
> workstations (for example, they cannot even change the date of a machine in
> the domain anymore).
>
> When I lookup the group members I get:
>
> root@hermes:/etc/samba# net rpc group members 'Domain Admins'
> Password:
> HIVOS.NL\root
> HIVOS.NL\foctaaf
> HIVOS.NL\lhilarides
> HIVOS.NL\administrator
> HIVOS.NL\executor
> HIVOS.NL\fbodijn
> HIVOS.NL\psomer
> HIVOS.NL\jvriesman
>
> And the rights of the group:
> root@hermes:/etc/samba# net rpc rights list 'Domain Admins'
> Password:
> SeMachineAccountPrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
> That seems ok, but when I lookup the rights of a member of the Domain Admins
> group:
>
> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
> Password:
> SeAddUsersPrivilege
>
> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
> Password:
> <nothing here>
>
> Any idea why members of the Domain Admin group do not get the rights of the
> group?
>
> cheers,
> Jeroen.
>
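
The check suggested in the reply above, written out as an added example that is not part of the original messages: it reads an nss_ldap-style config for nss_initgroups_ignoreusers and tests whether NSS resolves a user into a group. The function names and the sample config are constructed for illustration; on a real server the file would be /etc/ldap.conf as named in the reply.

```sh
#!/bin/sh
# Added example, not from the original thread; the sample config is constructed.

# ignored_users FILE: print each user named by nss_initgroups_ignoreusers,
# one per line. Comment lines are skipped; keyword case is matched leniently.
ignored_users() {
    awk '$1 ~ /^#/ { next }
         tolower($1) == "nss_initgroups_ignoreusers" {
             for (i = 2; i <= NF; i++) {
                 n = split($i, u, ",")
                 for (j = 1; j <= n; j++) if (u[j] != "") print u[j]
             }
         }' "$1"
}

# is_ignored FILE USER: succeed if USER is on the ignore list, i.e. its
# supplementary groups will not be looked up in LDAP.
is_ignored() {
    ignored_users "$1" | grep -qxF -- "$2"
}

# in_group USER GROUP: succeed if NSS resolves GROUP among USER's groups.
# Compares numeric GIDs so group names with spaces ('Domain Admins') work.
in_group() {
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || return 2          # group cannot be resolved at all
    id -G "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$gid"
}

# check_user FILE USER GROUP: print a one-line diagnosis.
check_user() {
    if in_group "$2" "$3"; then
        echo "ok: $2 is in '$3'"
    elif is_ignored "$1" "$2"; then
        echo "cause: $2 is in nss_initgroups_ignoreusers in $1"
    else
        echo "missing: $2 not in '$3', and not on the ignore list"
    fi
}

# Constructed sample config and a run against it.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'nss_initgroups_ignoreusers root,backup,bin, daemon' > "$sample"
check_user "$sample" root 'Domain Admins'
rm -f "$sample"
```

On the PDC itself, check_user /etc/ldap.conf root 'Domain Admins' gives the same answer as reading 'id root' by hand, plus whether the ignore list explains a missing group.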
