OK, I think I'm close to having my Samba server working like I want it as an AD member of our Windows AD (lab configuration at this time). Just have a few questions about getting the member server to do what I want, specifically, getting local groups to work. From what I've read I think this should be possible but not sure... I would like to have a local group on the Samba server called "DesktopSupport" and then be able to add groups from the AD domain to this group. Basically, the Samba server group "DesktopSupport" would contain AD groups "ClaimsDesktop", "StaffDesktop", "HRDesktop" etc.

Running FC6 with the latest Samba 3.0.24. Join to the domain is successful. Not much in smb.conf but I'm trying to use a minimum amount of entries to make troubleshooting easier. getent group/password seems to work fine showing both BUILTIN groups and all domain groups and users from the AD domain.

[global]
    workgroup = MISSING
    realm = MISSING.LOCAL
    netbios name = samba01
    preferred master = no
    server string = AD Samba Test
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes
    idmap uid = 10000-200000
    idmap gid = 10000-200000

[images]
    comment = Desktop Image Storage
    path = /images
    read only = no
    public = yes

MISSING\domain computers:x:10002:
MISSING\domain controllers:x:10003:
MISSING\schema admins:x:10004:MISSING\administrator
MISSING\enterprise admins:x:10005:MISSING\administrator
MISSING\domain admins:x:10006:MISSING\administrator
MISSING\domain users:x:10007:
MISSING\domain guests:x:10008:
MISSING\group policy creator owners:x:10009:MISSING\administrator
MISSING\dnsupdateproxy:x:10010:
MISSING\desktoptest:x:10011:MISSING\techuser01
BUILTIN\administrators:x:10000:MISSING\administrator
BUILTIN\users:x:10001:

So after saying all of that, I'm having trouble creating a local group, local to the samba server. I'm getting the following error.

[root@samba01 samba]# net rpc group add "DesktopSupport" -L -UAdministrator
Password:
add alias failed: NT_STATUS_ACCESS_DENIED

From what I can tell, the "MISSING\Domain Admins" group is a member of the Samba group "BUILTIN\Administrators", and that group appears to have all privs assigned to it. But I'm not sure at this point if I need to configure any groupmaps or local users on the Samba server even though I'm using AD authentication. I'm pretty much stumped here but I have a feeling I'm missing something obvious.

I am able to connect to the share and add files/directories and apply ACLs to them from a Windows box, so the important part appears to be working fine. I don't HAVE to have the local groups but if it's possible to use them, it would make administration easier.

Any advice is appreciated.

Mark
Gerald (Jerry) Carter
2007-Mar-02 13:48 UTC
[Samba] Problem with local groups as AD member
Mark wrote:
> So after saying all of that, I'm having trouble creating a local group,
> local to the samba server. I'm getting the following error.
>
> [root@samba01 samba]# net rpc group add "DesktopSupport" -L -UAdministrator
> Password:
> add alias failed: NT_STATUS_ACCESS_DENIED

See 'net sam' in Samba 3.0.23 and later.

cheers, jerry
====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
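
The 'net sam' route suggested in the reply, sketched as an added example that is not part of either message and not Samba project code: it creates the local group from the question and nests the three AD groups in it, and is safe to re-run. The function names are hypothetical, the AD group names are the ones the question mentions, and the listmem output format (one DOMAIN\name per line) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root on the member server:
# 'net sam' edits the local passdb directly, so no -U credentials are used.
# Group names are taken from the question; function names are hypothetical.

LOCAL_GROUP="DesktopSupport"
AD_GROUPS='MISSING\ClaimsDesktop MISSING\StaffDesktop MISSING\HRDesktop'

# Create the local group (alias) unless it already exists.
ensure_local_group() {
    # createlocalgroup needs a running winbindd to allocate a gid.
    wbinfo -p >/dev/null 2>&1 || { echo "winbindd not responding" >&2; return 1; }
    # listmem fails when the name cannot be resolved, i.e. no such group yet.
    net sam listmem "$1" >/dev/null 2>&1 && return 0
    net sam createlocalgroup "$1"
}

# Nest one AD group inside the local group, skipping existing members.
# Assumption: listmem prints each member as DOMAIN\name on its own line.
ensure_member() {
    if net sam listmem "$1" 2>/dev/null \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -qixF -- "$2"; then
        return 0
    fi
    net sam addmem "$1" "$2"
}

# Create the group, nest every AD group, then print the result for review.
setup_desktop_support() {
    ensure_local_group "$LOCAL_GROUP" || return 1
    for g in $AD_GROUPS; do
        ensure_member "$LOCAL_GROUP" "$g" || return 1
    done
    net sam listmem "$LOCAL_GROUP"
}

# setup_desktop_support    # uncomment to apply on the member server
```

Nested membership only resolves with "winbind nested groups = Yes", which the posted smb.conf already sets.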