Benjamin.Oeltze@fujitsu-siemens.com
2005-Sep-15 13:10 UTC
[Samba] net rpc rights problem with groups
Hello List,

I have tried to grant SeMachineAccountPrivilege to an extra group. Users in this group should not have Admin rights but they should be able to join workstations to the domain. My first try was to grant the right to a single user, which is working as expected.

net rpc rights grant "TOPTEST\toptest.r" SeMachineAccountPrivilege -U domainadmin

net rpc rights shows:

hgest3201:~ # net rpc rights list accounts -Udomainadmin
Password:
TOPTEST\toptest.r
SeMachineAccountPrivilege

The user can join workstations to TOPTEST. But when I create a group named wksadd and grant SeMachineAccountPrivilege to the group, the users of this group can't join workstations.

net help rpc rights grant "TOPTEST\wksadd" SeMachineAccountPrivilege -U domainadmin

hgest3201:~ # net rpc rights list accounts -Udomainadmin
Password:
TOPTEST\wksadd
SeMachineAccountPrivilege

Is this a bug ??

Benny
Benjamin.Oeltze@fujitsu-siemens.com wrote:

| net rpc rights grant "TOPTEST\toptest.r" \
| SeMachineAccountPrivilege -U domainadmin
|
| net rpc rights shows:
| hgest3201:~ # net rpc rights list accounts -Udomainadmin
| Password:
| TOPTEST\toptest.r
| SeMachineAccountPrivilege
|
| The user can join workstations to TOPTEST.
| But when I create a group named wksadd and grant
| SeMachineAccountPrivilege to the group the users
| of this group can't join workstations.
|
| net help rpc rights grant "TOPTEST\wksadd" \
| SeMachineAccountPrivilege -U domainadmin
|
| hgest3201:~ # net rpc rights list accounts -Udomainadmin
| Password:
| TOPTEST\wksadd
| SeMachineAccountPrivilege
|
| Is this a bug ??

Works fine here. What group mapping do you have set up for TOPTEST\wksadd?

cheers, jerry
Dirk.Laurenz@fujitsu-siemens.com
2005-Sep-23 19:28 UTC
[Samba] net rpc rights problem with groups
Hello Jerry,
Here's the active group mapping:
hgest3201:~ # net groupmap list
Domain Admins (S-1-5-21-3768962547-785479325-491471131-512) -> Domain Admins
Domain Users (S-1-5-21-3768962547-785479325-491471131-513) -> Domain Users
Domain Guests (S-1-5-21-3768962547-785479325-491471131-514) -> Domain Guests
Domain Computers (S-1-5-21-3768962547-785479325-491471131-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
wksadd (S-1-5-21-3768962547-785479325-491471131-10213) -> wksadd
Subversion Admins (S-1-5-21-3768962547-785479325-491471131-10198) -> Subversion Admins
GES_BT (S-1-5-21-3768962547-785479325-491471131-10199) -> GES_BT
GES_BT-SN (S-1-5-21-3768962547-785479325-491471131-10200) -> GES_BT-SN
schreiben (S-1-5-21-3768962547-785479325-491471131-3007) -> schreiben
zugriff (S-1-5-21-3768962547-785479325-491471131-3011) -> zugriff
efsefewf (S-1-5-21-3768962547-785479325-491471131-10219) -> efsefewf
fcvxcvxcvxcvxcv (S-1-5-21-3768962547-785479325-491471131-10223) -> fcvxcvxcvxcvxcv
f2 (S-1-5-21-3768962547-785479325-491471131-10224) -> f2
hgest3201:~ # getent group | grep wksadd
wksadd:x:10213:laurenz.d,mathias
Kind regards,
Dirk Laurenz
-| -----Original Message-----
-| From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
-| Sent: Friday, September 23, 2005 3:04 PM
-| To: Oeltze, Benjamin
-| Cc: samba@lists.samba.org; Laurenz, Dirk
-| Subject: Re: [Samba] net rpc rights problem with groups
-|
-| Benjamin.Oeltze@fujitsu-siemens.com wrote:
-|
-| | net rpc rights grant "TOPTEST\toptest.r" \
-| | SeMachineAccountPrivilege -U domainadmin
-| |
-| | net rpc rights shows:
-| | hgest3201:~ # net rpc rights list accounts -Udomainadmin
-| | Password:
-| | TOPTEST\toptest.r
-| | SeMachineAccountPrivilege
-| |
-| | The user can join workstations to TOPTEST.
-| | But when I create a group named wksadd and grant
-| | SeMachineAccountPrivilege to the group the users
-| | of this group can't join workstations.
-| |
-| | net help rpc rights grant "TOPTEST\wksadd" \
-| | SeMachineAccountPrivilege -U domainadmin
-| |
-| | hgest3201:~ # net rpc rights list accounts -Udomainadmin
-| | Password:
-| | TOPTEST\wksadd
-| | SeMachineAccountPrivilege
-| |
-| | Is this a bug ??
-|
-| Works fine here. What group mapping do you have set up
-| for TOPTEST\wksadd?
-|
-| cheers, jerry
-|
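
Added example (not part of the original thread and not Samba's own tooling): a shell sketch that cross-checks the three outputs quoted in this thread to show which Unix users effectively hold a privilege through a mapped group. The sample data is constructed from values shown above, the layout of the rights listing (account line, then one privilege per line) is an assumption, and the function names are hypothetical.

```shell
# Constructed samples; in practice capture them from the real commands, e.g.
#   RIGHTS=$(net rpc rights list accounts -U domainadmin)
#   GROUPMAP=$(net groupmap list); GETENT=$(getent group)
RIGHTS='TOPTEST\toptest.r
SeMachineAccountPrivilege

TOPTEST\wksadd
SeMachineAccountPrivilege'
GROUPMAP='Domain Admins (S-1-5-21-3768962547-785479325-491471131-512) -> Domain Admins
wksadd (S-1-5-21-3768962547-785479325-491471131-10213) -> wksadd'
GETENT='wksadd:x:10213:laurenz.d,mathias'

# Accounts holding privilege $1. Assumes an account line contains a
# backslash and is followed by its privileges, one per line.
holders_of() {
    printf '%s\n' "$RIGHTS" | awk -v p="$1" '
        index($0, "\\") { acct = $0; next }
        $0 == p && acct != "" { print acct }'
}

# Unix group mapped to NT group $1, from "name (SID) -> unixgroup" lines.
unix_group_for() {
    printf '%s\n' "$GROUPMAP" | awk -v n="$1" '
        { i = index($0, " (S-"); j = index($0, ") -> ") }
        i && j && substr($0, 1, i - 1) == n { print substr($0, j + 5) }'
}

# Member list of Unix group $1, from getent-style "name:x:gid:members" lines.
members_of() {
    printf '%s\n' "$GETENT" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# One line per holder of privilege $1, resolved through the group mapping.
# printf is used instead of echo so "\t" in DOMAIN\name is not expanded.
effective_joiners() {
    holders_of "$1" | while IFS= read -r acct; do
        name=${acct#*\\}                 # strip the DOMAIN\ prefix
        ug=$(unix_group_for "$name")
        if [ -n "$ug" ]; then
            printf '%s -> group %s: %s\n' "$acct" "$ug" "$(members_of "$ug")"
        else
            printf '%s -> no group mapping found\n' "$acct"
        fi
    done
}

effective_joiners SeMachineAccountPrivilege
```

A holder that resolves to a group with an empty member list, or to no mapping at all when a group was intended, is the first thing to check when a group grant does not take effect.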