samba - Jul 2004 - WinXP registry problems on SMB PDC

Hi all,

     I recently moved off of an ancient NT4 PDC to a SMB PDC running Samba
3.0.4-1 on a RH9 box.  I had absolutely no troubles joining the domain, and
other than a few login quirks every now and again, it is stable.

     I am, however, experiencing what I believe to be a permissions issue with
the user profiles... my own, included.  I am unable to make registry changes,
most notably with regards to Norton Antivirus.  All users are currently in a
group mapped to Domain Admins, as most of the profiles had difficulties loading
without it...  After a long weekend of profile copying, I figured that I'd
cross that bridge later.  Regedit gives me a message, "Error opening
key" while
navagating to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec.

      I'm almost certain it's a permissions problem, but I have been
unable to
locate the source of the problem.  Any help you could offer would be greatly
appreciated.

Thanks,
David A. Buechler
IT Manager,
Vision Computers, Inc.
http://www.visionman.com

Group Mappings:

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-2725352828-4089093468-4083013522-513) -> users
Power Users (S-1-5-32-547) -> power
Domain Power Users (S-1-5-21-2725352828-4089093468-4083013522-515) -> power
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> localadmins
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-2725352828-4089093468-4083013522-512) -> domainadmins
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Guests (S-1-5-21-2725352828-4089093468-4083013522-514) -> nobody


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Have you checked to see what your effective permissions are on the workstation.
A good way to do this is with the M$ ISMember utility with the /list option. I
ran into issues making group mapping work
properly.

I ended up greating four groups in /etc/group which would cover what permissions
I want users to have when they log into Windows within the Windows OS. Then
created four groups in Samba and mapped
between those Samba groups and the groups I had created in /etc/group. I kept
them the same name in both places for sanity. I also limited them to 8 chars
max.

Finally I did net localgroup commands on the workstations, removing the two that
get added when you join the domain - local administrators to domain admins, and
local users to domain users... as
domain and local permissions are different in my book and one should not assume
a 1:1 relationship there. Anyway, added my four new domain groups to the four
main local groups (Admin, Power User,
User, Guest) and baddabing-baddaboom I can manage local Windows permissions from
/etc/group.

-- 
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.

Hi David,
>      I recently moved off of an ancient NT4 PDC to a SMB PDC 
> running Samba 3.0.4-1 on a RH9 box.  I had absolutely no 
> troubles joining the domain, and other than a few login 
> quirks every now and again, it is stable.
> 
>      I am, however, experiencing what I believe to be a 
> permissions issue with the user profiles... my own, included. 
>  I am unable to make registry changes, most notably with 
> regards to Norton Antivirus.  All users are currently in a 
> group mapped to Domain Admins, as most of the profiles had 
> difficulties loading without it...  After a long weekend of 
> profile copying, I figured that I'd cross that bridge later.  
> Regedit gives me a message, "Error opening key" while 
> navagating to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec.
> 
>       I'm almost certain it's a permissions problem, but I 
> have been unable to locate the source of the problem.  Any 
> help you could offer would be greatly appreciated.
I have had a client who recently installed Symantec NAV 2004 on machines
running XP sp1a, the samba PDC is 3.0.4-2 on Debian unstable.  (Not that
I think samba is the issue here)
The 2004 live-updates eventually killed the machines to point to where
they needed to be reinstalled (less work to do it that way anyway).  NAV
would repeatedly complain of corrupt registry and ask for the product to
be re-installed.  In the building I work in, Symantec have an their
local state office on the top floor.  I overheard a conversation in the
lift, in the week following the initial release of 2004, words
describing in effect what eventually happened at my clients site.
No doubt my clients no longer have NAV 2004.  And BTW I had advised them
against installing NAV 2004, but somehow they missed it.
2003 was no issue...
I suspect this may where your problems are coming from.

Cheers,

Lewis Shobbrook