Hi !

I'm using samba-3.0RC3 as a PDC (for testing).
I'm using the ldap backend.
I created 1 user, 1 computer and some groups.

I mapped the unix groups domainadmins to "Domain admins" with
my_personnal_sid-512.
I added my user to domainadmins.
I set "admin users = @domainadmins" in my smb.conf, but I still do not
have domain admin rights on workstations :(

Any idea about what I did wrong ?

Thanks in advance.

Antoine

On Thu, 11 Sep 2003, Antoine Jacoutot wrote:

> Hi !
>
> I'm using samba-3.0RC3 as a PDC (for testing).
> I'm using the ldap backend.
> I created 1 user, 1 computer and some groups.
>
> I mapped the unix groups domainadmins to "Domain admins" with
> my_personnal_sid-512.
> I added my user to domainadmins.
> I set "admin users = @domainadmins" in my smb.conf, but I still do not
> have domain admin rights on workstations :(

That's correct. The parameter "admin users" has been deprecated from
Samba-3.

You need to add your user to the UNIX domadmins group, then map the UNIX
domadmins group to the NT "Domain Admins" group using:

	net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins

Then on each Windows workstation you need to make the
"Samba_Domain\Domain Admins" group a member of the Local Group called
"Administrators" while logged on as the Workstation Administrator.

> Any idea about what I did wrong ?

Hope that helps!

- John T.
--
John H Terpstra
Email: jht@samba.org

On Thu, 11 Sep 2003, Antoine Jacoutot wrote:

> On Thursday 11 September 2003 22:47, John H Terpstra wrote:
> > Please explain precisely what you mean. What exact steps are you
> > following?
>
> OK, I created 1 user, 1 computer and several groups.
> One group is called domainadmins. I did a 'net groupmap add' to map it to
> SID-512 (Windows Domain admins group).
> My user's primarygroupID is SID-2001.
> I added my user to domainadmins, which made me believe it then would be
> considered as a Windows Domain administrator... but it does not work. However
> it does work if instead I set my user's primarygroupID to SID-512.
> So my question is: can I have admin rights if my primarygroupID is not
> domainadmins (supposing I'm part of domainadmins as I'm part of other groups
> too).

The NT Group, Domain Admins, must have the well known RID=512 otherwise it
is not seen by the Windows client as the Domain Admins group.

PS: The Domain SID + the RID = the user SID.

> Is it clearer ? (I'm sorry, English is not my first language)

PS: English is not my first language either. Additionally, most who claim
to speak English don't either! :)

> For information, I'm running FreeBSD-5.1+LDAP+samba-3.0RC3
>
> Thanks.

- John T.
--
John H Terpstra
Email: jht@samba.org
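
An added example, not part of the thread and not Samba's own code: a check that the "Domain Admins" mapping described in the replies carries the well-known RID 512 under the domain SID. It assumes the `NT group (SID) -> unix group` line format printed by `net groupmap list`; the function names are hypothetical and the SIDs and sample lines are constructed.

```python
import re

# Well-known RID of the "Domain Admins" group, as stated in the thread.
DOMAIN_ADMINS_RID = 512
# Assumed line format of `net groupmap list`: NT group (SID) -> unix group
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[0-9-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return a list of (nt_group, domain_sid, rid, unix_group) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a mapping
        # Domain SID + RID = full SID, so split on the last dash.
        domain_sid, _, rid = m.group("sid").rpartition("-")
        entries.append((m.group("nt"), domain_sid, int(rid), m.group("unix")))
    return entries


def check_domain_admins(text, domain_sid):
    """Return a list of problems; an empty list means the mapping is sane."""
    problems = []
    by_name = [e for e in parse_groupmap(text) if e[0].lower() == "domain admins"]
    if not by_name:
        problems.append("no NT group named 'Domain Admins' is mapped")
    for nt, dom, rid, unix in by_name:
        if dom != domain_sid:
            problems.append(f"'{nt}' is under {dom}, not the domain SID {domain_sid}")
        if rid != DOMAIN_ADMINS_RID:
            problems.append(f"'{nt}' -> {unix} has RID {rid}, expected {DOMAIN_ADMINS_RID}")
    return problems


# Constructed sample data (not taken from the thread).
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GOOD = (f"Domain Admins ({SAMPLE_DOMAIN_SID}-512) -> domadmins\n"
               f"Domain Users ({SAMPLE_DOMAIN_SID}-513) -> users\n")
SAMPLE_BAD = f"Domain Admins ({SAMPLE_DOMAIN_SID}-2001) -> domadmins\n"

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_domain_admins(sample, SAMPLE_DOMAIN_SID) or "OK")
```

On a real server, feed the function the captured output of `net groupmap list` and the domain SID in place of the constructed samples.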