[Samba] No Admin-Rights in SMB-PDC-Domain

Daniel Spannbauer ds at marco.de
Wed Sep 23 04:33:24 MDT 2009



Daniel Spannbauer wrote:
> Hello,
> 
> I've built a domain with Samba 3.0.23 and successfully joined this domain 
> with a Windows-XP-Machine. I can log in to that machine as User "Root", 
> which is in the Group "Domain Admins" (rid=512). But I have no 
> admin-rights on that machine.
> Also, normal users cannot log in over the remote session (RDP).
> 
> Can anybody help me to figure out why?
> 
> Here is my smb.conf:
> 
> 
> 
> [global]
>         server string = b-login
>         workgroup = marco
>         ; speed optimizations
>         socket options = TCP_NODELAY
>         share modes = no
>         debug level = 10
>         debug uid = yes
>         getwd cache = yes
> ;       read size = 65536
>         preserve case = yes
>         log level = 10
> 
>         printer admin = ds
>         domain logons = yes
>         domain master = yes
>         local master = Yes
>         preferred master = Yes
>         ldap admin dn = cn=Administrator,dc=marco,dc=de
>         ldap delete dn = No
>         ldap group suffix = ou=group
>         ldap ssl = off
>         ldap suffix = dc=marco,dc=de
>         ldap user suffix = ou=people
>         ldap machine suffix = ou=Computers
>         ldap idmap suffix = ou=idmap
> ;       ldap passwd sync = yes
>         logon path = \\%L\%U\.ntprofile
>         logon home = \\%L\%U\.ntprofile
>         logon drive = H:
>         passdb backend = ldapsam:"ldap://10.3.1.3"
>         security = user
>         add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
>         printing = cups
>         printcap name = cups
>         printcap cache time = 750
>         cups options =
>         smb ports = 139
>         local master = no
>         kernel oplocks = No
> 
>         ; ----- same as "umask 2"
>         create mask = 0775
>         ; ----- disconnect after N minutes inactive
>         dead time = 300
>         ; ----- check whether clients are alive [seconds]
>         keep alive = 300
>         ; ----- may delete readonly files
>         delete readonly = yes
>         ; ----- logfiles grow up to N kByte
> ;       max log size = 100
>         ; ----- don't map archive bit to execute bit
>         map archive = no
>         ; ----- "umask 2" setting for files and directories
>         create mask = 0775
>         directory mask = 0775
>         ; ----- WINS support
>         ; note: on SuSE 8 samba is patched so that
>         ;   if (wins server == localhost)
>         ;       wins support = yes
>         ;       preferred master = yes
>         ;       os level >= 32
>         ;
> 
>         wins server = gate
> 
>         name resolve order = wins host bcast
> 
>         security = user
> 
>         netbios aliases = homedirs


Hmmm, when I log in on the workstation as Administrator (which is mapped 
to user root), I get a group SID which ends in 513, so as Administrator 
I get the rights of a normal Domain User. But in LDAP the 
PrimaryGroupSid for root is set to 512 (DomainAdmins).
In the group entry for the DomainAdmins group, root is also in 
MemberUID.

Can anybody tell me why the PrimaryGroupSid isn't used by Samba?


Regards

Daniel






> 
> 
> Regards
> 
> Daniel
> 

-- 
Daniel Spannbauer                         Software Entwicklung
marco Systemanalyse und Entwicklung GmbH  Tel   +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen   Mobil +49 171 4033220
http://www.marco.de/                      Email ds at marco.de
Geschäftsführer Martin Reuter             HRB 171775 Amtsgericht München
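
Added example, not part of the original post: a Python check of the LDAP state described in the message above, confirming that a user's primary group SID points at a group mapping entry and that the user is listed in it. The LDIF is constructed, the domain SID is a placeholder, the function names are hypothetical, and the attribute names assume the standard Samba 3 LDAP schema (sambaSamAccount, sambaGroupMapping).

```python
# Constructed sample LDIF; the domain SID is a placeholder, not a value from the post.
SAMPLE_LDIF = """\
dn: uid=root,ou=people,dc=marco,dc=de
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-1111-2222-3333-500
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-512

dn: cn=Domain Admins,ou=group,dc=marco,dc=de
objectClass: sambaGroupMapping
cn: Domain Admins
sambaSID: S-1-5-21-1111-2222-3333-512
memberUid: root

dn: cn=Domain Users,ou=group,dc=marco,dc=de
objectClass: sambaGroupMapping
cn: Domain Users
sambaSID: S-1-5-21-1111-2222-3333-513
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
        elif ":" in line and not line.startswith("#"):
            attr, value = line.split(":", 1)
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_primary_group(entries, uid):
    """Compare a user's sambaPrimaryGroupSID with the group mappings in the same tree."""
    user = next(e for e in entries if uid in e.get("uid", [])
                and "sambaSamAccount" in e.get("objectclass", []))
    pgsid = user["sambaprimarygroupsid"][0]
    groups = [e for e in entries if "sambaGroupMapping" in e.get("objectclass", [])]
    mapped = next((g for g in groups if g.get("sambasid", [None])[0] == pgsid), None)
    return {
        "primary_rid": int(pgsid.rsplit("-", 1)[1]),
        "mapped_group": mapped["cn"][0] if mapped else None,
        "is_member": bool(mapped) and uid in mapped.get("memberuid", []),
        "same_domain_sid": pgsid.rsplit("-", 1)[0] == user["sambasid"][0].rsplit("-", 1)[0],
    }
```

A result with `mapped_group` of `None` or `same_domain_sid` of `False` means the directory itself is inconsistent; if all four fields look right, the LDAP data matches what the post describes and the difference lies elsewhere.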

