samba - Aug 2004 - domain admins not being applied to windows box

Hi,

I have recently upgaded from samba 2.2 to samba 3.0.
I used to have "domain admin group = @winadmin" in my smb.conf,
but I understand from the documentation that it is deprecated
in favour of 
"net groupmap set "Domain Admin" winadmin".

I would expect unix users who are members of the
unix group winadmin to become Domain Admins, then,
but they don't ?.

Do I understand this correctly that unix users
that are a member of the unix group winadmin
then will be "advertised" as being a member of
the NT Group "Domain Admins" to windows machines?
The windows box applies whatever permissions the
"Domain Admins" have for this box, by default
"Administrator"?

My server is a debian gnu/linux box in a test environment.
My windows machine(s) are run within vmware, windows XP and 2k.

Details:

************************* snip **************
on the server the groupmapping is as follows:
root@smoke:~# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-520677601-194623159-390525435-513) -> cnw
Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) -> winadmin
Domain Users (S-1-5-21-520677601-194623159-390525435-3005) -> cnw
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> winadmin
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-520677601-194623159-390525435-514) -> -1
Domain Admins (S-1-5-21-520677601-194623159-390525435-512) -> winadmin
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> winadmin
****************************************************************

On windows it seems to accept that ish:
(intented to copy and paste from a msdos box but failed miserably
so here's the written out extract ;) )
c:\>net user cnw /DOMAIN
.... blurb....
Local Group Memberships   *dialout                 <- WTF???
Global Group memberships   *Domain Users *Domain Admins
The command completed sucessfully.
c:\>

*****************************************************************

Doesn't above mean I should be administrator (when logged in
as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
However, if I try to open the TCP/IP properties windows tells me
that I do not have access...

I am new to samba 3.0 and so far only read the publicly available
documentation, so I would like to double check whether I understand
this correctly.

Thank you,

Conrad

If you look at your group mapping list, you have duplicates for Domain 
Users and Domain Admins.  Delete these mappings with the net groupmap 
command (you may have to delete each twice) and then re-add them.  The 
SIDs should be the -5xx ones, not -1219 or -3005

Conrad Wood wrote:
>Hi,
>
>I have recently upgaded from samba 2.2 to samba 3.0.
>I used to have "domain admin group = @winadmin" in my smb.conf,
>but I understand from the documentation that it is deprecated
>in favour of 
>"net groupmap set "Domain Admin" winadmin".
>
>I would expect unix users who are members of the
>unix group winadmin to become Domain Admins, then,
>but they don't ?.
>
>Do I understand this correctly that unix users
>that are a member of the unix group winadmin
>then will be "advertised" as being a member of
>the NT Group "Domain Admins" to windows machines?
>The windows box applies whatever permissions the
>"Domain Admins" have for this box, by default
"Administrator"?
>
>My server is a debian gnu/linux box in a test environment.
>My windows machine(s) are run within vmware, windows XP and 2k.
>
>Details:
>
>************************* snip **************
>on the server the groupmapping is as follows:
>root@smoke:~# net groupmap list
>System Operators (S-1-5-32-549) -> -1
>Replicators (S-1-5-32-552) -> -1
>Guests (S-1-5-32-546) -> -1
>Domain Users (S-1-5-21-520677601-194623159-390525435-513) -> cnw
>Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) -> winadmin
>Domain Users (S-1-5-21-520677601-194623159-390525435-3005) -> cnw
>Power Users (S-1-5-32-547) -> -1
>Print Operators (S-1-5-32-550) -> -1
>Administrators (S-1-5-32-544) -> winadmin
>Account Operators (S-1-5-32-548) -> -1
>Domain Guests (S-1-5-21-520677601-194623159-390525435-514) -> -1
>Domain Admins (S-1-5-21-520677601-194623159-390525435-512) -> winadmin
>Backup Operators (S-1-5-32-551) -> -1
>Users (S-1-5-32-545) -> winadmin
>****************************************************************
>
>On windows it seems to accept that ish:
>(intented to copy and paste from a msdos box but failed miserably
>so here's the written out extract ;) )
>c:\>net user cnw /DOMAIN
>.... blurb....
>Local Group Memberships   *dialout                 <- WTF???
>Global Group memberships   *Domain Users *Domain Admins
>The command completed sucessfully.
>c:\>
>
>*****************************************************************
>
>Doesn't above mean I should be administrator (when logged in
>as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
>However, if I try to open the TCP/IP properties windows tells me
>that I do not have access...
>
>I am new to samba 3.0 and so far only read the publicly available
>documentation, so I would like to double check whether I understand
>this correctly.
>
>Thank you,
>
>Conrad
>
>
>
>  
>
-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger@ae-solutions.com