Hi!

I'm desperately looking for an answer here... I've been fighting all weekend with samba-3.0 and there's still something I can't do...

Basically: how can I add some of my users to the Domain admin group?
I use FreeBSD-5.1+samba3.0RC3.

My group maps:

Admins du domaine (S-1-5-21-xxxx-512) -> domainadmins
Utilisa. du domaine (S-1-5-21-xxxx-513) -> domainusers
Invites du domaine (S-1-5-21-xxxx-514) -> domainguests
Ordinateurs du domaine (S-1-5-21-xxxx-515) -> domaincomputers

All my users' sambaPrimaryGroupSID are set to 513. Now, I added some users to the "domainadmins" group (with the memberUid attribute in LDAP) but they do not get admin privileges on NT workstations...
What am I missing here?
I also added "@domainadmins" to the "user admins" parameter in smb.conf, but it does not work.

Any tips would be really appreciated :)
Thanks.

Here is an LDIF file export of one of my users and the domainadmins group:

dn: uid=ajacoutot, ou=utilisateurs, dc=dioranews,dc=com
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPrimaryGroupSID: S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxxxxxxx-513
displayName: Antoine Jacoutot
sambaLogonScript: user.bat
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaHomeDrive: Z:
uid: ajacoutot
uidNumber: 10000
cn: ajacoutot
sambaPwdLastSet: 1063621091
sambaAcctFlags: [U ]
loginShell: /bin/csh
sambaProfilePath: \\TESTBOX\ajacoutot\profile
gidNumber: 513
sambaPwdMustChange: 1065435491
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPwdCanChange: 1063621091
gecos: Antoine Jacoutot
sambaSID: S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxxx-21000
description: Utilisateur Dioranews
homeDirectory: /exports/home/ajacoutot
sambaHomePath: \\TESTBOX\ajacoutot

dn: cn=domainadmins, ou=groupes, dc=dioranews,dc=com
sambaSID: S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxxx-512
gidNumber: 512
displayName: Admins du domaine
sambaGroupType: 2
memberUid: ajacoutot
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: domainadmins
Antoine Jacoutot
2003-Sep-15 15:14 UTC
[Samba] Re: domain admin --> problem with secrets.tdb
Antoine Jacoutot wrote:
> All my users sambaPrimaryGroupSID are set to 513. Now, I added some
> users to the "domainadmins" group (with the memberUid attribute in LDAP)
> but they do not get admin privileges on NT workstations...
> What am I missing here ?
> I also added "@domainadmins" to the "user admins" parameter in smb.conf,
> but it does not work.

OK, I found what was causing the problem. But it is not fine :(

Basically, I had some errors about samba not being able to connect to ldap because it was not root. In fact, what happened is that some samba functions didn't have the right to read secrets.tdb, so I chmod it to 644 and now everything works great... except that 644 for secrets.tdb is NOT a fine setup.

I found some similar cases, googling, but all the bugzilla that were reported about it are in state FIXED... so I don't quite understand why I am seeing this behaviour.

Antoine
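
Added example, not part of the original posts: secrets.tdb stores the password Samba uses to bind to LDAP as its admin DN, so a 644 copy is readable by every local account. The function below is a hypothetical audit helper (its name and the expected owner uid 0 are assumptions) that flags a secrets.tdb with any group/other permission bits or an unexpected owner, using only commands available on both FreeBSD and Linux.

```shell
#!/bin/sh
# Added example: audit the permissions of Samba's secrets.tdb.
# Assumption: the file should be owned by root (uid 0) and carry no
# group/other permission bits, i.e. mode 0600 or stricter.

# check_secrets_tdb PATH [EXPECTED_UID]
# Prints one finding per line.
# Returns 0 if clean, 1 if a finding was reported, 2 if the file is missing.
check_secrets_tdb() {
    tdb=$1
    want_uid=${2:-0}

    if [ ! -f "$tdb" ]; then
        echo "MISSING: $tdb"
        return 2
    fi

    # "ls -ldn" prints e.g. "-rw-r--r-- 1 0 0 ..." with numeric ids.
    # Columns 5-10 of the mode string are the group and other bits.
    listing=$(ls -ldn "$tdb")
    group_other=$(printf '%s\n' "$listing" | cut -c5-10)
    owner_uid=$(printf '%s\n' "$listing" | awk '{print $3}')

    rc=0
    if [ "$group_other" != "------" ]; then
        echo "FAIL: $tdb grants group/other access ($group_other)"
        rc=1
    fi
    if [ "$owner_uid" != "$want_uid" ]; then
        echo "FAIL: $tdb is owned by uid $owner_uid, expected $want_uid"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $tdb"
    fi
    return "$rc"
}

# When run with arguments, audit each given path, for example the
# secrets.tdb in your Samba private directory.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        check_secrets_tdb "$f"
    done
fi
```

A file in the state described above (644) is reported as `FAIL: ... grants group/other access (r--r--)`; after `chmod 600` with root ownership it reports `OK`.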