Michael Lueck
2006-Mar-08 19:22 UTC
[Samba] Checking effective group membership - Linux side
First off, on the Windows side I use "ifmember.exe /list" to check the group membership in effect for the currently logged in domain user; works like a charm. However, the Linux side is another story, specifically the net command.

We have, among others, the following mapping in place:

    net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin

Based on this documentation:
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html
in the second "Note:" box...

>> You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no default rights and privileges, except the ability for a member of the Domain Admins group to assign them. This means that all administrative rights and privileges (other than the ability to assign them) must be explicitly assigned, even for the Domain Admins group. <<

So, after the groupmap command has been run, effectively anyone in the unixgroup domadmin should be considered "Domain Admins" by Samba commands. Further, it would be my expectation that the ability to run "net rpc rights grant" has also been extended to members of unixgroup domadmin due to the group map. However, this does not seem to be happening as of recent Samba builds. Running this command

    net rpc rights grant mydomain\\myaccount SeMachineAccountPrivilege

does not execute consistently. Notice I do not spec an ID/pw; assumed is the account I logged in to Linux with over SSH (putty). If I go to the extreme (in the case that the command fails) to add root as a user via smbpasswd, specify root as the user on that command, THEN the thing works.

In general, I have a feeling like Samba is not totally happy with either looking up groups in /etc/group or does not like the groupmap linkage... just not sure how to debug it.

Logging in to Windows with the account in question, "ifmember.exe /list" returns exactly the group membership I would expect to see, never an inconsistency with this.

<><><><><>

Further, trying to grant rights to a unixgroup name always fails. Granting rights to user accounts works as expected, just not on a consistent basis. Thus, I get the hint something is not quite 100% on the Linux side about groups in /etc/group.

aaaahhhh.... I looked at Mr. Terpstra's example a bit further... even though for smb.conf I use "printer admin = @domadmin" (which is the unix name for the group), it seems I use the Samba group name, not the unix group name, to grant the equivalent permissions. oy oy oy!!! And for me, via putty, I had to use double quotes around the group name; single ticks did not succeed. Thus:

    net rpc rights grant "mydomain\\Domain Admins" SePrintOperatorPrivilege

Anyway, time for "one more test Samba server", and interested to work out why accounts other than root are sometimes not able to grant rights.

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/
Remove the upper case letters NOSPAM to contact me directly.
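As an added example that is not part of the original post: a small POSIX shell check that reads the NT-to-unix mapping in the form "net groupmap list" prints it and tests whether a given account effectively holds the mapped unix group, the Linux-side counterpart of "ifmember.exe /list". It runs offline against constructed sample output standing in for live "net groupmap list" and "id -Gn" calls; the group names, the SID placeholders and the account name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba itself.
# Resolve which unix group a Samba NT group is mapped to, then check whether
# an account holds that membership on the Linux side.

# Constructed sample shaped like "net groupmap list" output (SIDs are placeholders).
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-PLACEHOLDER-512) -> domadmin
Domain Users (S-1-5-21-PLACEHOLDER-513) -> domusers
Print Operators (S-1-5-32-550) -> prtadmin'

# Constructed sample shaped like "id -Gn myaccount" output.
ID_SAMPLE='myaccount domadmin prtadmin'

# unix_group_for "<NT group name>" "<groupmap text>"
# Prints the unix group the NT group maps to, or nothing if it is unmapped.
unix_group_for() {
    printf '%s\n' "$2" | awk -v nt="$1" '
        # The NT name runs up to " (", the unix group is the last field.
        index($0, nt " (") == 1 { print $NF; exit }'
}

# is_member "<unix group>" "<id -Gn text>"
# Succeeds when the group appears in the space-separated membership list.
is_member() {
    printf '%s\n' "$2" | tr ' ' '\n' | grep -qx -- "$1"
}

# check_nt_membership "<NT group>" "<groupmap text>" "<id -Gn text>"
# Prints one of: member, not-member, unmapped.
check_nt_membership() {
    ug=$(unix_group_for "$1" "$2")
    if [ -z "$ug" ]; then
        echo unmapped
    elif is_member "$ug" "$3"; then
        echo member
    else
        echo not-member
    fi
}
```

On a real server, pass "$(net groupmap list)" and "$(id -Gn "$USER")" in place of the two samples; an "unmapped" result means the NT group name has no groupmap entry at all, which is a different failure from the account simply not being in the unix group.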