[Samba] Samba groups membership

Jason Voorhees jvoorhees1 at gmail.com
Wed Jun 30 12:41:10 MDT 2010


Hi all:

I was running Samba 3.0.x (from CentOS 5 repository) integrated with
OpenLDAP as a complete PDC solution that worked fine for several
moths. As we needed to join Win7 computers to the domain I upgraded to
Samba 3.5.3 keeping my Samba configuration the same.

We find that after this upgrade the root account of the domain wasn't
able to access to C$, D$ or other administrative resources of Windows
Machines. After looking for a solution I found some issues that I'm
not really sure if they appeared as a consequence of the upgrade. I
found this:

# net groupmap list     .... returns this:

users (S-1-5-21-895592719-3520082440-1574223224-2001) -> jpp
Account Operators (S-1-5-32-548) -> Account Operators
Administrators (S-1-5-32-544) -> Administrators
Backup Operators (S-1-5-32-551) -> Backup Operators
Domain Admins (S-1-5-21-895592719-3520082440-1574223224-512) -> Domain Admins

... among other groups

# smbldap-groupshow "Domain Admins"   ... returns this:

dn: cn=Domain Admins,ou=groups,dc=mintra,dc=gob,dc=pe
cn: Domain Admins
gidNumber: 512
description: Netbios Domain Administrators
displayName: Domain Admins
objectClass: posixGroup,sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-895592719-3520082440-1574223224-512
memberUid: mescalante,jhuarancca,kaguilar,olmontero,ycabezas,arojas,secretaria_tecnica,graymundo,dpenadillo,jbarreda,lquevedo,hurquizo,mnicho,root

... so I can see that root is member of this "Domain Admins" group, but...


# net rpc group members "Domain Admins" ... returns nothing! The same
happens when querying other Samba groups.

I don't know why this command doesn't return the list of members of
this group. Well, I just tried to add a user manually:

# net rpc group addmem "Domain Admins" someuser -U root  .... and return this:

Could not add someuser to Domain Admins: NT_STATUS_ACCESS_DENIED

Does anybody know why can't add a user to the group? Why Samba net
utility isn't showing the list of members of my groups? I know that
the "Domain Admins" group determines who can take control of machines
joined to the Domain, but after the upgrade to Samba 3.5.x the list of
members isn't working correctly.

I would appreciate some help regarding this. I don't know if I need to
add some extra configuration to smb.conf. I hope someone can help me.

Thanks

P.D.: Sorry, my english isn't too good


More information about the samba mailing list