[Samba] Clarification of 'administrator' config w/ldap

Adam Williams awilliam at mdah.state.ms.us
Mon Apr 20 14:07:33 GMT 2009


run smbpasswd -a root and put in root's password.

create a unix group called ntadmins and put your username jsacksteder in 
it.  then run:

net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=ntadmins type=d

then run:

net rpc rights grant ntadmins SEMachineAccountPrivilege

and enter root's password.  now the user jsacksteder is a domain 
administrator that can join computers to the domain (And vista will 
recognize as an administrator when you install software and UAC prompts 
for a user/pass.

jeff sacksteder wrote:
> As you say, I see 'root = administrator' in smbuser, but I am still
> unable to authenticate as administrator. During the authentication
> attempt the following log entry is recorded-
>
> check_ntlm_password:  Authentication for user [administrator] ->
> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
>
>  I believe that I need to use make an entry with pdbedit linking the
> domain admin sid to root.
> However, trying that produces-
>
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
> smbldap_open_connection: connection opened
> Username not found!
>
> So what more do I need to add?
>
> On Sat, Apr 4, 2009 at 10:15 AM, Adam Williams
> <awilliam at mdah.state.ms.us> wrote:
>   
>> root is mapped to windows Administrator account in /etc/samba/smbusers.
>>  however, since samba 3.0.11 you can make anyone a domain administrator (to
>> add machine accounts, install software, etc) see
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html for
>> more info.
>>
>> jeff sacksteder wrote:
>>     
>>> I have a mostly working config with the ldap backend, at least from
>>> the standpoint of standard domain users, but I'm not sure how my
>>> Administrator user needs to be configured. The os 'root' user is in
>>> /etc/passwd and all my normal users are in the directory for unified
>>> login purposes. Is the domain 'Administrator' account supposed to
>>> correspond to 'root' in the os, 'Manager' in the directory, or a just
>>> a privileged user in the directory?
>>>
>>>       



More information about the samba mailing list