Hello,
I am actually working on samba 3.0rc2 (with OpenLDAP) and I have problems
joining a workstation to the domain.
With samba 2.2, a user could be in the NT "Domain Admins" group if he was a
member of the unix group that has a gid=512.
This user could then join any windows workstation with his account.
How can we do this now with samba 3.0?
When I tried to create a group mapping with the following command
$ net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin
I can see that the modifications are OK (modifications are done in the directory):
> [root@gslinux5 samba]# net groupmap list
> Domain Admins (S-1-5-21-2164124757-1843210704-924125028-3001) -> ntadmin
but any member of the "ntadmin" group can't make a workstation join the domain;
only a user that has uid=0 can (or a user called root).
Is this a feature or not? Is this planned to be modified or not?
I have the same question for printer administrators. I map the unix group
printadm like this:
$ net groupmap add ntgroup="Print Operators" unixgroup=printadm
$ net groupmap list
> Domain Admins (S-1-5-21-1332624008-131130509-4129472247-3001) -> admin1
> Domain Admins (S-1-5-21-1332624008-131130509-4129472247-2025) -> admin2
> Print Operators (S-1-5-21-1332624008-131130509-4129472247-3003) -> printadm
and add the directive in smb.conf:
> printer admin = @printadm
but any member of the unix group printadm can't add a samba printer.
Did I forget something?
BTW, do we need to have a sambaSID for the ntadmin group that ends with "-512", or
does it not matter (I suppose that it does not matter, but I prefer to be sure)?
Thanks for any clarification.
--
Jérôme