Alexander Goeres
2004-Jan-16 10:34 UTC
[Samba] creating users from w2k with usrmgr and samba 3.0.1
Hello everybody!

New to Samba (and the list) I am trying to set up a Samba PDC for a small enterprise network on a Debian Woody (3.0) system with a vanilla 2.4.24 kernel and the Debian package of Samba 3.0.1 and Swat (Debian Versions 3.0.1-2).

I ran into various problems and could solve most of them during the past two weeks (hooray!). Most of the problems were related to congestions of user and program permissions. For example, it was impossible to change a user's password with the NT4 usrmgr tool from the w2k client. That always gave a "permission denied". Solution was: don't use the Debian tool "/usr/sbin/adduser" (obviously a wrapper program to the standard "useradd")! Another problem was that Swat always wipes out variables that are written like "%u". Obviously Swat deletes everything within "". Solution: don't use Swat (too bad)!

One problem is left, and I don't know if it's related to M$ or to Samba. It's impossible to create a user from a w2k client with the NT4 tool usrmgr.exe. I can create a Samba user (Domain User) when such a user already exists on the Samba server as a Linux user. AFAIK the setting "add user script" in smb.conf should provide the facility to Samba to create a Linux user each time a Samba/Domain user is created. Is that a misconception?

When looking at that NT4 tool usrmgr.exe, I find a menu item:
Policies -> User Rights -> Show Advanced Rights: Add users to the domain: Samba
Trying to give that right to the Domain Admin group is denied with the message:
"You may not remove the Local Logon right from the Administrators local group. Doing so would disable .. bla bla ba".
This message even appears when I just open the usrmgr and click on "OK" without having changed anything.

So I have several questions and I hope that someone on the list here might be able to answer or give some hints to a solution:

1. Is it generally possible to add a completely new user to the domain through this NT4 tool usrmgr.exe? A user who didn't exist as a unix-user on the samba PDC and so didn't exist in the Samba User database?

2. If yes (and I hope it's possible) how do I give this "Advanced Right" to add a user to the Samba Domain to the Domain-Admin group? Do I have to do this within Samba (pdbedit) or is it only possible within M$?

Just some further config:
M$ Administrator is Member of NT Domain Admin group, of Samba admin group and has UID 0 on the Linux system.
NT Domain Admin group is mapped to the Samba admin group.

That mail is a little long but I hope the length doesn't discourage too many people from reading it. Possibly someone knows answers? Even to my questions?

Thank you in advance

Alexander

--
-------------------------------------------
agoeres _at_ lieblinx.net
tel.: +49 (0)30 / 61 20 26 87
fax: +49 (0)30 / 61 20 26 89
-------------------------------------------
lieblinxNET we do software
a Marwood & Thiele GbR
-------------------------------------------
reichenberger straße 125
10999 Berlin
http://lieblinx.net
-------------------------------------------
John H Terpstra
2004-Jan-16 17:13 UTC
[Samba] creating users from w2k with usrmgr and samba 3.0.1
On Fri, 16 Jan 2004, Alexander Goeres wrote:

> Hello everybody!
>
> New to Samba (and the list) I am trying to set up a Samba PDC for a small
> enterprise network on a Debian Woody (3.0) system with a vanilla 2.4.24
> kernel and the Debian package of Samba 3.0.1 and Swat (Debian Versions
> 3.0.1-2).
>
> I ran into various problems and could solve most of them during the past two
> weeks (hooray!). Most of the problems were related to congestions of user and

Congratulations.

> program permissions. For example, it was impossible to change a user's
> password with the NT4 usrmgr tool from the w2k client. That always gave a
> "permission denied". Solution was: don't use the Debian tool "/usr/sbin/
> adduser" (obviously a wrapper program to the standard "useradd")! Another
> problem was that Swat always wipes out variables that are written like "%u".
> Obviously Swat deletes everything within "". Solution: don't use Swat (too
> bad)!

You are correct. That is one of the fine features of SWAT.

>
> One problem is left, and I don't know if it's related to M$ or to Samba. It's
> impossible to create a user from a w2k client with the NT4 tool usrmgr.exe. I

Not really. If your scripts (add user, add group, etc.) are correctly set up
then you can use this tool to manage users and groups without problem.

> can create a Samba user (Domain User) when such a user already exists on the
> Samba server as a Linux user. AFAIK the setting "add user script" in smb.conf
> should provide the facility to Samba to create a Linux user each time a
> Samba/Domain user is created. Is that a misconception?

Your observation is the result of configuration problems.

>
> When looking at that NT4 tool usrmgr.exe, I find a menu item:
> Policies -> User Rights -> Show Advanced Rights: Add users to the domain:
> Samba
> Trying to give that right to the Domain Admin group is denied with the
> message:
> "You may not remove the Local Logon right from the Administrators local group.
> Doing so would disable .. bla bla ba".
> This message even appears when I just open the usrmgr and click on "OK"
> without having changed anything.

You must be logged in as the Domain Administrator, and unfortunately I have
discovered that there is no way around it, you must be logged on as the user
called "root".

>
> So I have several questions and I hope that someone on the list here might be
> able to answer or give some hints to a solution:
> 1. Is it generally possible to add a completely new user to the domain through
> this NT4 tool usrmgr.exe? A user who didn't exist as a unix-user on the samba
> PDC and so didn't exist in the Samba User database?

Yes. It is possible. It does work.

> 2. If yes (and I hope it's possible) how do I give this "Advanced Right" to
> add a user to the Samba Domain to the Domain-Admin group? Do I have to do
> this within Samba (pdbedit) or is it only possible within M$?

You can make users a member of the Domain Admins group. At this time we do not
support secondary group membership correctly. This means that only the user
"root" can manage network accounts.

>
> Just some further config:
> M$ Administrator is Member of NT Domain Admin group, of Samba admin group and
> has UID 0 on the Linux system.

Unfortunately, this breaks. You have to use "root". Duplicate accounts that
share a UID break things badly. For example, having an account called "root"
and one called "Administrator", both with UID=0, breaks winbind operation.

> NT Domain Admin group is mapped to the Samba admin group.

NT Domain Admins group needs to have GID=0.

>
> That mail is a little long but I hope the length doesn't discourage too many
> people from reading it. Possibly someone knows answers? Even to my questions?

Not at all. Thanks for sharing with us.

- John T.

--
John H Terpstra
Email: jht@samba.org
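John's answer turns on the "add user script" (and the companion add/delete group scripts) in smb.conf being set up so that Samba itself creates the Unix account when usrmgr adds a domain user. As an added example, not code from this thread or from the Samba project, here is a hypothetical POSIX sh wrapper that such a line could point at. The script path /usr/local/sbin/samba-adduser, the name samba-adduser, the primary group "users" and the USERADD/PRIMARY_GROUP variables are all assumptions. Samba runs the configured command as root with the name typed into usrmgr substituted for %u, so the wrapper validates that name before useradd sees it; it also insists on exactly one argument, so if the quotes around '%u' were lost (the SWAT behaviour described above) and a name with a space arrived as two words, nothing is created.

```shell
#!/bin/sh
# Added example (hypothetical), not code from the thread or from Samba.
# Assumed smb.conf line that calls this script (path is an assumption):
#   add user script = /usr/local/sbin/samba-adduser '%u'
# Samba substitutes the client-supplied account name for %u and runs the
# command as root, so the name is checked here before useradd is invoked.

LC_ALL=C; export LC_ALL                  # make the character ranges below literal
USERADD=${USERADD:-/usr/sbin/useradd}    # overridable so the script can be dry-run
PRIMARY_GROUP=${PRIMARY_GROUP:-users}    # assumed default primary group

# valid_login_name NAME: returns 0 for a plain login name (letter or
# underscore first, then letters, digits, '.', '_' or '-', at most 32
# characters) and 1 for anything else. This rejects shell metacharacters,
# spaces, names that look like useradd options ('-r'), and machine account
# names ending in '$', which belong to "add machine script", not here.
valid_login_name() {
    case "$1" in
        '')                   return 1 ;;   # empty name
        [!A-Za-z_]*)          return 1 ;;   # bad first character (covers '-')
        *[!A-Za-z0-9._-]*)    return 1 ;;   # any character outside the set
    esac
    [ "${#1}" -le 32 ] || return 1
    return 0
}

# add_unix_user NAME: creates a locked, shell-less Unix account for Samba to
# attach its own password entry to. Returns 1 and creates nothing when the
# name is rejected or useradd fails.
add_unix_user() {
    name=$1
    valid_login_name "$name" || return 1
    # -M: no home directory (profiles live on the server share);
    # -s /bin/false: no interactive login; the Unix password stays locked,
    # Samba keeps the NT hash in its own passdb. '--' ends option parsing.
    "$USERADD" -M -s /bin/false -g "$PRIMARY_GROUP" -- "$name"
}

# Entry point when Samba calls the script: exactly one argument is required,
# so a name that split into several words because quoting was lost is refused.
if [ $# -eq 1 ]; then
    if add_unix_user "$1"; then
        exit 0
    fi
    logger -t samba-adduser "refused to create account '$1'" 2>/dev/null
    exit 1
fi
```

The same pattern applies to the other hooks Samba 3 offers (delete user script, add group script, delete group script, add user to group script, add machine script): each receives a name chosen on the client and is executed as root, so each should validate its argument the same way rather than trusting that the quoting in smb.conf survived.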