Hi there,

I switched servers yesterday.
The old server was running 2.2.7a-1 on RedHat 8.0.
The new server is 3.0.8-0.pre1.3 on Fedora Core 3.

I did the migration by copying the following:
/etc/passwd
/etc/group
/etc/shadow
/etc/samba/*

I then copied /home and fixed all the permissions on stuff.

I then started up samba on the new server, and unplugged the old one.

Most everything went smoothly, everyone could log in, we did not have to re-join client computers to the domain.

However, I am not understanding why my domain administrator accounts are now not getting local administrator privileges when logged in. This always worked fine on Samba 2.2.7a-1!

I now cannot, when logged in on a W2K workstation as a domain user called "nsu", which is a member of "domain admins", modify files in C:\WINNT, or modify the local registry, etc.

On a W2K workstation, in the Local Users and Groups applet I can see that the local "Administrators" does in fact contain "PD/Domain Admins" and it gives a partial listing of the group's SID.

I cannot confirm if this is the same SID as my SID in samba for "Domain Admins". It should be the same, right? Can anyone suggest a tool I could use to confirm this?

I *really* don't want to have to add a domain group of people who should be local administrator to the local administrators group on each workstation, as we have quite a number of workstations, so I have not tried this yet...

Can someone else suggest something for me to check or try? Thanks!

mtoal

-----------------------------------------------------------------------------------------

[root@pd1 ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> domainadmin
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-2634632689-992284068-1313363551-514) -> -1
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> domainadmin
Administrators (S-1-5-32-544) -> domainadmin
cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid
Account Operators (S-1-5-32-548) -> -1
seint (S-1-5-21-2634632689-992284068-1313363551-2157) -> seint
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

-----------------------------------------------------------------------------------------

[root@pd1 ~]# cat /etc/samba/smb.conf

log level = 4

netbios name = pd1
workgroup = pd

os level = 200
preferred master = no
domain master = yes
local master = no

wins support = no
wins server = 192.168.18.14
name resolve order = wins lmhosts
enhanced browsing = no

security = user
encrypt passwords = yes

domain logons = yes
logon path
logon drive = Z:
logon home = \\%L\%u
logon script = logon.bat

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

use client driver = yes

host msdfs = yes

guest account = guest
map to guest = bad user

username map = /etc/samba/smbusers
admin users = @domainadmin
news.gmane.org
2005-Jan-27 22:56 UTC
[Samba] Re: Domain admins not getting local admin rights
You need to map the ntgroup "Domain Admins" to a valid unixgroup. This is new in Samba 3. I'm assuming in Samba 2.x you had a line 'domain admins = somevalidunixgroup' in your smb.conf file. That is the group you want to map "Domain Admins" to. This is done with the 'net groupmap' command.

To see all of your groupmaps, type 'net groupmap list'. You'll probably see 'Domain Admins -> blank'. Now type:

net groupmap modify ntgroup="Domain Admins" unixgroup=somevalidunixgroup

(the quotes are needed because of the space in Domain Admins). 'net groupmap list' should now report Domain Admins -> somevalidunixgroup.

Also, remove the 'domain admins = ' line from your smb.conf. Might have to restart smb, can't remember. Definitely have to log off/log back on to the workstation and you should now be a local admin on the workstation.

"Morgan Toal" <mtoal@burlingtoniowa.org> wrote in message news:41F9625A.8030609@burlingtoniowa.org...
Looks like there are 2 "Domain Admins" ntgroups, each with a different SID. Delete the one that doesn't match the domain portion of the output of 'net getlocalsid', then make sure the one that is left is mapped to the correct unixgroup.

"Morgan Toal" <mtoal@burlingtoniowa.org> wrote in message news:41F9625A.8030609@burlingtoniowa.org...
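The two replies above amount to a check that can be scripted: take the PDC's own domain SID from 'net getlocalsid', find every S-1-5-21 entry in 'net groupmap list' that belongs to some other domain SID, and confirm that the surviving "Domain Admins" (RID 512) is mapped to a real unix group. The script below is an added example, not part of the original thread; it does not call 'net' at all, the two sample strings are constructed to match the shape of the output in the first post, and the assumption that the 2634632689-... SID is the live one is just that. It only prints the 'net groupmap' commands it would run, so you can read them before pasting them on a real PDC.

```shell
#!/bin/sh
# Added example: find group mappings left over from a second domain SID and
# emit the `net groupmap` commands that clean them up. Nothing here runs `net`.

# Constructed sample in the shape of `net groupmap list`, with two domain SIDs.
GROUPMAP_SAMPLE='System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> domainadmin
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
Administrators (S-1-5-32-544) -> domainadmin
Users (S-1-5-32-545) -> -1'

# Constructed sample in the shape of `net getlocalsid` output. Assumption:
# the 2634632689-... SID is the live one; on a real PDC run the command.
LOCALSID_SAMPLE='SID for domain PD1 is: S-1-5-21-2634632689-992284068-1313363551'

# The domain SID is the last whitespace-separated field of the getlocalsid line.
local_domain_sid() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Print "name|sid|unixgroup" for each entry whose SID lives in an S-1-5-21
# domain other than the PDC's own. Builtin S-1-5-32 entries are
# domain-independent and are deliberately left alone.
stale_mappings() {
    printf '%s\n' "$1" | awk -v dom="$2" '
    {
        sid = $0; sub(/.*\(/, "", sid); sub(/\).*/, "", sid)
        name = $0; sub(/ \(.*/, "", name)
        if (index(sid, "S-1-5-21-") == 1 && index(sid, dom "-") != 1)
            print name "|" sid "|" $NF
    }'
}

# Unix group that the live domain's "Domain Admins" (RID 512) maps to,
# "-1" when it is unmapped, empty when the entry is missing altogether.
live_domain_admins_group() {
    printf '%s\n' "$1" | grep -F "($2-512)" | awk '{ print $NF }'
}

# Emit (do not run) the fix: delete every stale mapping by SID, then make
# sure the surviving Domain Admins entry maps to the unix group given as $3.
suggest_fixes() {
    stale_mappings "$1" "$2" | while IFS='|' read -r name sid ug; do
        printf 'net groupmap delete sid=%s\n' "$sid"
    done
    if [ "$(live_domain_admins_group "$1" "$2")" != "$3" ]; then
        printf 'net groupmap modify ntgroup="Domain Admins" unixgroup=%s\n' "$3"
    fi
}

DOM=$(local_domain_sid "$LOCALSID_SAMPLE")
echo "live domain SID: $DOM"
echo "stale mappings:"
stale_mappings "$GROUPMAP_SAMPLE" "$DOM"
echo "proposed commands:"
suggest_fixes "$GROUPMAP_SAMPLE" "$DOM" domainadmin
```

On a live PDC replace the two sample strings with `$(net groupmap list)` and `$(net getlocalsid)`; deleting by SID rather than by name matters here precisely because both stale and live entries are called "Domain Admins".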
Morgan Toal
2005-Jan-28 18:28 UTC
SOLUTION Re: [Samba] Domain admins not getting local admin rights
OK here's the deal, thanks especially to John for your time today and remedial attention :)

My issue, to repeat myself, was that I was logging in as a domain administrator on a Windows box, and while I was domain administrator just fine, I was not having local administrator rights on that box. For example, I could not install software, or change the network connection, things like that which are a pain in the keester.

Turns out I had several issues going on, pretty much all relating to the fact that I had simply migrated my samba v2.2 configuration in situ and expected it to just work, and mostly it just did... mostly...

1. I was still using smbpasswd, and needed to move to tdbsam. Apparently I could have done net groupmaps all day and these are ignored if you're not using tdbsam as your authentication mechanism, as smbpasswd cannot tie together the SIDs and such, which results in users disconnected from their appropriate group memberships. (correct me if I am wrong). So I converted it with:

pdbedit -i smbpasswd -e tdbsam

This process took all of 2 seconds.

2. I needed to modify the [global] section in my smb.conf to conform to v3 features. For example I did not have the "add machine script" directive set. I basically copied the one in the "impatient" section of the howto. I needed to set "passdb backend = tdbsam" since we're using this now.

3. I probably did not need to, but I stopped samba, blew away my old /var/cache/samba/group_mapping.tdb and restarted samba.

4. I had to remap my groups, since I nuked group_mapping.tdb:

net groupmap modify ntgroup="Domain Admins" unixgroup=domainadmin

5. I logged out on my windows box as the domain admin user, and logged back in as that same user. Lo and behold, I am local administrator again. Whoo-hoo!!! :)

thanks again!

mtoal

Morgan Toal wrote:
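Steps 2 through 4 above are the parts of a 2.2-to-3.0 migration that a copied smb.conf will silently get wrong, so a small lint over the config is worth having before the cut-over. The script below is an added example, not from the thread or from the Samba project: it reads an smb.conf from a string, reports a missing 'passdb backend' (Samba 3.0.x defaults to smbpasswd when it is absent), a missing 'add machine script' on a domain controller, any leftover 2.2-only 'domain admin group' / 'domain guest group' lines, and flags 'admin users', which makes every file operation by those users on the share run as root and is worth a second look once group mapping is doing the workstation-admin job. Both configs are constructed, modelled on the one in the first post; the 'add machine script' line in the second is an assumption in the spirit of the HOWTO, including the 'machines' group it names.

```shell
#!/bin/sh
# Added example: lint an smb.conf carried over from Samba 2.2 for the
# Samba 3 settings the solution above needed. Configs are constructed.

CONF_BEFORE='[global]
netbios name = pd1
workgroup = pd
security = user
encrypt passwords = yes
domain logons = yes
logon drive = Z:
logon home = \\%L\%u
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
username map = /etc/samba/smbusers
admin users = @domainadmin'

# Same config after the migration; the add machine script line (and the
# "machines" group it uses) is an assumption, not copied from the post.
CONF_AFTER='[global]
netbios name = pd1
workgroup = pd
security = user
encrypt passwords = yes
domain logons = yes
passdb backend = tdbsam
logon drive = Z:
logon home = \\%L\%u
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
username map = /etc/samba/smbusers
admin users = @domainadmin'

# get_param CONF NAME: print the trimmed value of the first "NAME = value"
# line (case-insensitive on the name), or nothing if the parameter is absent.
get_param() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
    {
        k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
        if (tolower(k) == key) {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }
    }'
}

# migration_findings CONF: one finding per line, nothing when the config is clean
# apart from the admin users caveat.
migration_findings() {
    conf=$1
    if [ -z "$(get_param "$conf" 'passdb backend')" ]; then
        echo "MISSING passdb backend: 3.0.x falls back to smbpasswd; set 'passdb backend = tdbsam' and convert with 'pdbedit -i smbpasswd -e tdbsam'"
    fi
    if [ "$(get_param "$conf" 'domain logons')" = "yes" ] && [ -z "$(get_param "$conf" 'add machine script')" ]; then
        echo "MISSING add machine script: new machine accounts joining the domain get no unix account"
    fi
    for old in 'domain admin group' 'domain guest group'; do
        [ -n "$(get_param "$conf" "$old")" ] && echo "OBSOLETE $old: Samba 2.2 only, use 'net groupmap' instead"
    done
    au=$(get_param "$conf" 'admin users')
    [ -n "$au" ] && echo "CAVEAT admin users = $au: these users do all file operations on the share as root"
    return 0
}

echo "== before =="
migration_findings "$CONF_BEFORE"
echo "== after =="
migration_findings "$CONF_AFTER"
```

The parser is deliberately simple (one value per name, no share sections, no whitespace-insensitive name matching), which is enough for a [global] block pasted in by hand; run it with `CONF_BEFORE=$(cat /etc/samba/smb.conf)` to lint a real file.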