Buchan Milne
2003-Apr-30 13:42 UTC
[Samba] Samba PDC/LDAP how to get Win2000 Administrator account?
> Date: Wed, 30 Apr 2003 16:33:16 +1000
> From: Lance Rathbone <l.rathbone@imb.uq.edu.au>
> Subject: [Samba] Samba PDC/LDAP how to get Win2000 Administrator account?
>
> I have set up samba/PDC /LDAP and am able to logon as a normal user,
> however I am not sure how to create an LDAP user that has
> Administrator privileges on a Windows 2000 PC.

You need to have a unix group, to which you map a windows group. Which tool you use depends on which release of samba3 you are using. Up to alpha23 used smbgroupedit. And IIRC it only works with LDAP in alpha23 or later.

See the man page for details, but basically:

1) find the SID of the windows group:
   # smbgroupedit -s
2) Create a unix group for that
   # groupadd domadm
3) map the SID to the unix group:
   # smbgroupedit -c <SID> -u <unix group>
4) Add unix users to the unix group, and they should be domain admins

> The Samba/LDAP howtos and guides don't seem to cover this topic much.
> If anyone could let me know what I need to do to have administrative
> privileges on a Win2000 machine I'd greatly appreciate it.

This is the stuff I have not got to yet in http://ranger.dnsalias.com/samba-ldap-advanced.html . Contributions welcome, otherwise I will try and finish that bit of it tomorrow.

Regards,
Buchan

-- 
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone +27 82 472 2231 * Work +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
John H Terpstra
2003-Apr-30 15:47 UTC
[Samba] Samba PDC/LDAP how to get Win2000 Administrator account?
Buchan,

Just want to give you a heads-up that the smbgroupedit command has been deprecated. This functionality has now been added to the 'net groupmap' command in samba-3.0.0 CVS tree.

You are most likely already aware of this and are correct in the current advice. My purpose is to counter any notion that our users may acquire regarding the smbgroupedit command - so for the record - smbgroupedit is gone! It lived only in a few alphas.

- John T.

On Wed, 30 Apr 2003, Buchan Milne wrote:

> 1) find the SID of the windows group:
> # smbgroupedit -s
> 2)Create a unix group for that
> # groupadd domadm
> 3)map the SID to the unix group:
> # smbgroupedit -c <SID> -u <unix group>
> 4)Add unix users to the unix group, and they should be domain admins

-- 
John H Terpstra
Email: jht@samba.org
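
Added example, not part of either message: a shell check of who actually holds Domain Admins once the group mapping from the steps above is in place, including accounts whose primary GID is the mapped unix group and which therefore never show up in the group's member list. The sample listings are constructed, the function names are hypothetical, and the `net groupmap list` line format (`NT group (SID) -> unix group`) is an assumption about Samba 3 output.

```shell
#!/bin/sh
# Constructed sample of `net groupmap list` output (SIDs are made up).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadm
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nobody'
# Constructed samples in `getent group` / `getent passwd` format.
SAMPLE_GROUPS='users:x:100:
domadm:x:1050:lance,buchan
nobody:x:65534:'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
svcbackup:x:1200:1050:backup service:/home/svcbackup:/bin/sh
lance:x:1001:100:Lance:/home/lance:/bin/sh'

# Print the unix group mapped to the SID whose last component is the given RID.
mapped_unix_group() {  # $1 = groupmap listing, $2 = RID (512 = Domain Admins)
    printf '%s\n' "$1" | awk -v rid="$2" '
        match($0, /\(S-1-5-21-[0-9-]+\) -> /) {
            sid = substr($0, RSTART + 1, RLENGTH - 6)   # strip "(" and ") -> "
            n = split(sid, p, "-")
            if (p[n] == rid) { print substr($0, RSTART + RLENGTH); exit }
        }'
}

# Supplementary members plus every account whose primary GID is the group.
effective_members() {  # $1 = group db, $2 = passwd db, $3 = unix group
    gid=$(printf '%s\n' "$1" | awk -F: -v g="$3" '$1 == g { print $3; exit }')
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$1" | awk -F: -v g="$3" \
            '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Everyone who becomes a domain admin through the RID 512 mapping.
audit_domain_admins() {  # $1 = groupmap listing, $2 = group db, $3 = passwd db
    ug=$(mapped_unix_group "$1" 512)
    [ -n "$ug" ] || { echo "no unix group mapped to RID 512" >&2; return 1; }
    effective_members "$2" "$3" "$ug"
}

# On a live PDC the three inputs would come from `net groupmap list`,
# `getent group` and `getent passwd` (which also cover LDAP-backed accounts).
echo "Domain Admins via mapping: $(audit_domain_admins \
    "$SAMPLE_GROUPMAP" "$SAMPLE_GROUPS" "$SAMPLE_PASSWD")"
```

In the constructed data `svcbackup` is not listed as a member of `domadm`, yet it is reported because its primary GID is 1050.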