[Samba] Few questions on configuring Samba as a PDC

Sat Sep 27 03:57:11 GMT 2008

On Friday 26 September 2008 14:34:31 Jesse Stone wrote:
> Hi David,
>
> I'm not sure about your response but I research it shortly.
>
> In regards to John's response, I did change it slightly (I am trying to not
> use room)
> net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins
> net groupmap add ntgroup="Domain Users" unixgroup=domainusers
> net groupmap add ntgroup="Domain Guests" unixgroup=nogroup
> I have then added two people into the domainadmins group (which I created)
> and 1 person into the domainusers group.  The users on the domainadmins
> group can connect to the domain (if I use the root user to add them which I
> want to change) but they cannot save their profiles.
>
> I belive this is due to the permissions on the folders:
> rwxrwxr-x 2 root domainusers 4096 2008-09-25 12:43 netlogon
> drwxrwxr-x 3 root domainusers 4096 2008-09-26 01:40 profiles
>
> I could see how it would work if I kept things as they are as domain admins
> would be in the root group and would have access to the folder but since I
> am tryig to not use the root group I am at a loss how to set the
> permissions on these folders.
>
> I haven't been able to try the user that is in the domainusers group as
> that use runs Kubuntu and I'm not sure how to add a Linux machine onto the
> domain.
>
> Thanks for both your responses!  Again, the main goal is to setup a PDC
> with roaming profiles without the use of the root account or root group.
>
> -Jesse
>
> On Fri, Sep 26, 2008 at 11:18 AM, David Markey <admin at dmarkey.com> wrote:
> > net rpc rights grant <username> SeMachineAccountPrivilege
> >
> >   On Fri, Sep 26, 2008 at 7:11 PM, John Drescher 
<drescherjm at gmail.com>wrote:
> >>   On Fri, Sep 26, 2008 at 1:59 PM, Jesse Stone <jstone1999 at gmail.com>
> >>
> >> wrote:
> >> > Please don't flame me.  I did attempt to search before posting this
> >>
> >> question
> >>
> >> > (through Gmail), if there's a better way, please let me know!
> >> >
> >> > I followed this article for implementing a Samba PDC:
> >> > http://www.howtoforge.com/samba_setup_ubuntu_5.10_p4
> >> >
> >> > Question 1)  The only accout that appears to be able to add an account
> >>
> >> onto
> >>
> >> > the domain is the root account.  There must be a way to change that to
> >> > a standard account.  I'm using Ubuntu and do not use the root account
> >> > for anything.
> >> >
> >> > I've tried changing "root = Administrator" in /etc/samba/smbusers to
> >> > "otheruser = Administrator" but that doesn't seem to do it.
> >>
> >> Did you do this:
> >> net groupmap modify ntgroup="Domain Admins" unixgroup=root
> >> net groupmap modify ntgroup="Domain Users" unixgroup=users
> >> net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup
> >>
> >> And assign users to the Domain Admins group?
> >>
> >> John
> >>  --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/listinfo/samba

Please refer to chapter 15 of the Samba3-HOWTO available from:

http://www.samba.org/samba/docs/Samba3-HOWTO.pdf

Any user can be granted the right to add users, add machines, or any other 
privilege from a Windows client using the "net rpc rights grant" toolset.

Cheers,
John T.
-- 
John H Terpstra

"Don't do as I do; Show me better!" - Anonymous.