samba - Jul 2004 - domain admin issue

I have a new Debian testing machine running the Debian Samba 3.0.5.
Everything seems OK except that I cannot get users to have domain admin
rights.  I have Windows XP workstations. The workstations join and log
onto the domain fine.

A "net groupmap list" yields:

server:/home/tnolen# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-3876029557-4061927837-2224609541-513) -> users
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> domadm
Domain Admins (S-1-5-21-3876029557-4061927837-2224609541-512) -> domadm
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-3876029557-4061927837-2224609541-514) -> nogroup
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

My user, for example, is in the domadm group:
server:/home/tnolen# groups tnolen
tnolen : users domadm

I have tried several combinations of group mappings but all yield the
same result. Basically, the user is just a regular user.

When the workstations join the domain, the Domain Admins group DOES get
added to the local Administrators group as it should.
I've checked Debian's website to see if this is a known bug with their
version of Samba, but there is no mention of it.

Relevant parts of smb.conf:
[global]
        workgroup = SRB
        server string = %h server
        interfaces = 192.168.1.254/24
        bind interfaces only = Yes
        passdb backend = smbpasswd, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
        unix password sync = Yes
        syslog = 0
        max log size = 1000
        name resolve order = wins lmhosts host bcast
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096
SO_RCVBUF=4096
        add user script = /usr/sbin/useradd -d /dev/null -g 100 -s
/bin/false -M %u
        add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s
/bin/false -M %u
        logon script = startup.bat
        logon path         logon home         domain logons = Yes
        os level = 60
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        panic action = /usr/share/samba/panic-action %d
        hosts allow = 192.168.1.
        use client driver = Yes

[netlogon]
        path = /etc/samba/netlogon
        browseable = No

[shared]
        comment = Shared files
        path = /home/shared
        read only = No
        force create mode = 0777
        force directory mode = 0777


Any help would be greatly appreciated.


Trey Nolen

In article <003901c47646$ca93f920$0b05a8c0@trey>, Trey Nolen
wrote:
> I have a new Debian testing machine running the Debian Samba 3.0.5.
> Everything seems OK except that I cannot get users to have domain admin
> rights.  I have Windows XP workstations. The workstations join and log
> onto the domain fine.
> 
> A "net groupmap list" yields:
> 
> server:/home/tnolen# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users (S-1-5-21-3876029557-4061927837-2224609541-513) -> users
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> domadm
> Domain Admins (S-1-5-21-3876029557-4061927837-2224609541-512) -> domadm
> Account Operators (S-1-5-32-548) -> -1
> Domain Guests (S-1-5-21-3876029557-4061927837-2224609541-514) -> nogroup
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> 
> My user, for example, is in the domadm group:
> server:/home/tnolen# groups tnolen
> tnolen : users domadm
> 
> I have tried several combinations of group mappings but all yield the
> same result. Basically, the user is just a regular user.
>
Have you tried:

net getlocalsid

SID for domain DOMAIN is: S-1-5-21-3876029557-4061927837-2224609541, ie. the
SIDs should match.

If they don't:

1. Stop samba
2. Delete "group_mapping.tdb"
3. Start samba
4. net groupmap modify ntgroup="Domain Admins" unixgroup=domadm etc.

This should make a fresh group_mapping.tdb with correct SIDs.

Hope this helps.

Regards,

Sten Sletbak
Oslo University College