[Samba] : Server's root name change when log-in
Thibaut Jacob
thibaut.jacob at univ-orleans.fr
Mon May 21 09:23:26 MDT 2012
On 09/05/2012 21:51, Gaiseric Vandal wrote:
> For ldap, as long as "getent passwd" shows your user and computer
> accounts, that is what really matters.
>
> Is samba looking for users in your ldap base (e.g.
> dc=univ-orleans,dc=fr) ? If so it will see all users. However it
> will not distinguish between users in ou=people or ou=systeme. Any
> users you wish to have administrator privileges should be added to the
> "Domain Admins" group.
>
> Verify that you have a group mapping for domain admins.
>
> # net groupmap list | grep "Domain Admins"
> Domain Admins (S-1-5-21-XXX-XXX-XXX-512 ) -> Domain Admins
>
> I have a unix group in ldap called "Domain Admins" - my unix system
> allows groups with spaces in it. I don't know if yours will.
>
> Verify with
>
> net rpc group MEMBERS "Domain Admins" -U Administrator
>
> However, even if you are a system administrator, you should not
> normally be logged in as an admin-equivalent. Instead, you should
> only use an admin-equivalent account when you specifically need it.
>
> If you wish to allow some users to add machines to the domain but not
> give them full admin privileges you should be able to grant the
> SeMachineAccountPrivilege right.
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html
>
> I don't understand the "admin99" issue. You have a samba user called
> "admin99", and you use that to join a Windows machine to the
> domain? Where are you opening a terminal from? What does
> "pbdedit -Lv admin99" show?
Hi back, sorry, very long weekend and other problems, but now I can answer.
It's very strange that with the command:
$ net groupmap list | grep "Domain Admins"
I've got every group in ou=groups in Domain Admins (I don't really
know how the previous people did this). Does it mean that everyone is a
Domain Admin? How can I change this?
I need only the people in ou=systeme to be Domain Admins.
I don't have a unix group in ldap called "Domain Admins", but there is
an ou=systeme where all my admins are (admin99, admin41, etc.).
I've configured libnss-ldap and libpam-ldap to configure authentication
between ldap and samba.
I referenced the URI of my ldap, the DN, and chose Unix
authentication and LDAP authentication (with crypted md5), and I changed
my /etc/nsswitch.conf from:
passwd: compat to
passwd: files ldap
group: compat to
group: files ldap
shadow: compat to
shadow: files ldap
Do I need to change anything else? Or am I wrong?
I've configured smb-ldap-tools and configured the smbldap_bind.conf file (dn
and password) and smbldap.conf (SID, sambadomain, masterldap). Do I
really need this? Because I don't use it (in my case smb-ldap-populate).
I think I'm missing something :s
I have all my users from my ldap with getent passwd.
For the "admin99" issue: when I use libpam, libnss and ldap (started),
and I try to join a Windows host to the domain, when asked for login and
password I try admin45 and password; it says "welcome to the domain etc ..", reboot.
But on the server, if I use a new terminal, root's name changes to
admin41. If I stop ldap for 5 minutes, it changes to root.
Where are you opening a terminal from? From the server.
What does "pbdedit -Lv admin99" show? I don't have the pbdedit command.
Thanks