[Samba] Local Administrator access

Knut Olav Bøhmer bohmer at gmail.com
Tue Nov 27 03:46:47 MST 2012


Hi,

I'm sorry about the last mail. It was incomplete.
It was not me who installed the machine. And from what I can see, no local
users were created.

So when I installed a new samba domain controller I was not able to log in
to that computer.

So I took the old SID and put it into a new (temporary, on my laptop)
samba server, and copied the old machine account password.
Then I was able to log in. But the user I created on the samba server does
not have local administration rights on the windows client.

And now, when composing this email, gathering information about my setup
(and a good night's sleep), I discover that the user I used to access the
computer was set to another domain. I found this out by pdbedit -Lv knobo

Thank you for the help :) Without you I would not have figured it out ;)
(maybe)

Best regards
Knut Olav Bøhmer

2012/11/26 Gaiseric Vandal <gaiseric.vandal at gmail.com>

> Have you tried logging into the PC using the samba domain administrator
> account?
>
> Assuming the PC was properly joined to the domain then you should be able
> to configure the local accounts and groups.
>
> You can create domain group that is then a member of the PC's local
> administrator group.  This will allow you to define samba users who are PC
> administrators but NOT domain administrators.
>
> Whoever joins a PC to a domain needs to be both a local administrator on
> that computer and (in most cases) have domain administrator credentials.
>  (If the machine account was created in advance then the domain
> administrator credentials should not be needed.)
>
> Are you sure the PC was joined to the domain?
>
>
>
> On 11/26/12 10:51, Knut Olav Bøhmer wrote:
>
>> 2012/11/26 Gaiseric Vandal <gaiseric.vandal at gmail.com>
>>
>>
>>     With Windows7, the 1st account you create  during the initial
>>     setup is typically a member of the local admin group.  The actual
>>     "Administrator" account is normally disabled.  Did this 1st
>>     account get deleted?
>>
>>
>> I did not install the computer. How can I find out if there is such a
>> user? But, I don't have the password anyway.
>>
>>     When you joined the domain, the Domain Admin's groups should have
>>     been added to the local Admin group.
>>
>>
>> Ok, so the trick is to get my user a member of the "Domain Admins" group.
>>
>>     This can get messed up if your group mappings are not set up
>>     correctly.
>>
>>     Also, I think when running the "net" command you may want to use
>>     "-U Administrator" to use the credentials of your domain
>>     Administrator account  (assuming one has been defined.)  In my
>>     setup the unix root does not have a samba account.
>>
>>
>>
>>
>>
>>     On 11/26/12 10:03, Knut Olav Bøhmer wrote:
>>
>>         Hi,
>>
>>         I have a windows 7 machine without a local administrator account.
>>         I need to create such an account. I can log in to the machine
>>         with a user
>>         on my samba domain.
>>
>>         What do I need to do in order to get administrator access, or
>>         access to
>>         create a local administrator account?
>>
>>         I have tried to do this:
>>
>>         [root at float samba]# net rpc group addmem "Administrators"
>>         'DOMAIN\username'
>>         Enter root's password:
>>         Could not add SKOLELINUX\knobo to Administrators:
>>         NT_STATUS_NO_SUCH_ALIAS
>>
>>         I have tried to give some rights this way:
>>
>>         net rpc rights grant 'DOMAIN\username' SeMachineAccountPrivilege
>>         SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege
>>         SeUndockPrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege
>>         SePrintOperatorPrivilege SeCreateGlobalPrivilege
>>         SeEnableDelegationPrivilege  SeUndockPrivilege
>>          SeTakeOwnershipPrivilege
>>
>>         And it does what I tell it:
>>         [root at float samba]# net rpc rights list knobo
>>         Enter root's password:
>>         SeMachineAccountPrivilege
>>         SeTakeOwnershipPrivilege
>>         SeRemoteShutdownPrivilege
>>         SePrintOperatorPrivilege
>>         SeAddUsersPrivilege
>>         SeDiskOperatorPrivilege
>>         SeSecurityPrivilege
>>         SeSystemProfilePrivilege
>>         SeUndockPrivilege
>>         SeImpersonatePrivilege
>>         SeCreateGlobalPrivilege
>>         SeEnableDelegationPrivilege
>>
>>
>>         But I'm still prompted for username and password, when I try
>>         to access the
>>         user accounts in windows 7.
>>
>>         Any suggestions?
>>
>>
>>         Regards
>>
>>
>>
>>
>> --
>> Knut Olav Bøhmer
>> 41 000 108
>>
>>



-- 
Knut Olav Bøhmer
41 000 108
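
The cause found in this message (an account stored under a different domain after the old SID was moved to a temporary server) can be checked for every account at once. The script below is an added example, not part of the original thread: it reads `pdbedit -Lv` text and flags accounts whose Domain field or User SID falls outside the expected domain. The function names, the sample accounts and the SID values are constructed for illustration; only the domain name SKOLELINUX comes from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): flag passdb accounts whose Domain field
# or User SID does not belong to the domain the clients are joined to.

# Constructed sample in the layout `pdbedit -Lv` prints; all values invented.
sample_pdbedit() {
cat <<'EOF'
---------------
Unix username:        knobo
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1004-2008-3012-3001
Primary Group SID:    S-1-5-21-1004-2008-3012-513
Domain:               LAPTOP
---------------
Unix username:        alice
Account Flags:        [U          ]
User SID:             S-1-5-21-1004-2008-3012-3002
Domain:               SKOLELINUX
---------------
Unix username:        bob
Account Flags:        [U          ]
User SID:             S-1-5-21-9001-9002-9003-3003
Domain:               skolelinux
EOF
}

# audit_pdbedit DOMAIN DOMAIN_SID   (reads `pdbedit -Lv` text on stdin)
audit_pdbedit() {
    awk -v dom="$1" -v sid="$2" '
        # Value part of a "Label:   value" line, trimmed.
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            return line
        }
        function report() {
            if (user == "") return
            if (toupper(udom) != toupper(dom))
                print user ": domain " udom " (expected " dom ")"
            if (index(usid, sid "-") != 1)
                print user ": SID " usid " is outside " sid
            user = ""; udom = ""; usid = ""
        }
        /^Unix username:/ { report(); user = value($0) }
        /^User SID:/      { usid = value($0) }
        /^Domain:/        { udom = value($0) }
        END               { report() }
    '
}

sample_pdbedit | audit_pdbedit SKOLELINUX S-1-5-21-1004-2008-3012
```

On a live server the input would be `pdbedit -Lv | audit_pdbedit <domain> <domain SID>`, with the domain SID taken from `net getlocalsid`.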

