Michael Billerbeck
2005-Nov-21  17:04 UTC
[Samba] does a pdc need to be in the domain itself?
Hello List,

we have installed samba Version 3.0.20-0.1-SUSE.

when I'm entering
> net getlocalsid
I get
> SID for domain <netbios name> is:
S-1-5-21-4166838278-3756557259-2095403906

entering
> net getlocalsid <domain name>
returns
> SID for domain <domain name> is:
S-1-5-21-2018781741-1218799122-1862565094

Does this mean that the pdc itself is not in the domain and is it better to
join the pdc itself to the domain then?

The standard domain groups having the SID part of the first "net getlocalsid"
map to no unix group but they are also not used:

> net groupmap list
> [...]
> Domain Users (S-1-5-21-4166838278-3756557259-2095403906-513) -> -1
> domadmins (S-1-5-21-2018781741-1218799122-1862565094-512) -> admin
> domguests (S-1-5-21-2018781741-1218799122-1862565094-514) -> nobody
> Domain Guests (S-1-5-21-4166838278-3756557259-2095403906-514) -> -1
> Domain Admins (S-1-5-21-4166838278-3756557259-2095403906-512) -> -1
> domusers (S-1-5-21-2018781741-1218799122-1862565094-513) -> users
> [...]

On windows machines I can see the domain group "domadmins" in the local admin
group. I can also see the domain groups "domadmins", "domguests" and "domusers"
when browsing the users in the domain on that windows machine, but not the
standard domain groups "Domain Admins", "Domain Users" or "Domain Guests".
This seems to be ok.

with regards
Michael

On Mon, 2005-11-21 at 18:04 +0100, Michael Billerbeck wrote:
> Hello List,
>
> we have installed samba Version 3.0.20-0.1-SUSE.
>
> when I'm entering
> > net getlocalsid
> I get
> > SID for domain <netbios name> is:
> S-1-5-21-4166838278-3756557259-2095403906
> entering
> > net getlocalsid <domain name>
> returns
> > SID for domain <domain name> is:
> S-1-5-21-2018781741-1218799122-1862565094
>
> Does this mean that the pdc itself is not in the domain and is it better to
> join the pdc itself to the domain then?
----
I think that is the general consensus. You could have 2 domains and a
trust account between them...you are the administrator.
----
>
> The standard domain groups having the SID part of the first "net getlocalsid"
> map to no unix group but they are also not used:
>
> > net groupmap list
> > [...]
> > Domain Users (S-1-5-21-4166838278-3756557259-2095403906-513) -> -1
> > domadmins (S-1-5-21-2018781741-1218799122-1862565094-512) -> admin
> > domguests (S-1-5-21-2018781741-1218799122-1862565094-514) -> nobody
> > Domain Guests (S-1-5-21-4166838278-3756557259-2095403906-514) -> -1
> > Domain Admins (S-1-5-21-4166838278-3756557259-2095403906-512) -> -1
> > domusers (S-1-5-21-2018781741-1218799122-1862565094-513) -> users
> > [...]
>
> On windows machines I can see the domain group "domadmins" in the local admin
> group. I can also see the domain groups "domadmins", "domguests" and "domusers"
> when browsing the users in the domain on that windows machine, but not the
> standard domain groups "Domain Admins", "Domain Users" or "Domain Guests".
> This seems to be ok.
----
If it's ok, then leave it alone.

Craig
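
Added example, not part of either message and not Samba code: a Python check over the "net groupmap list" lines quoted in the thread. It flags entries whose SID lies outside the domain SID, entries mapped to -1, and well-known RIDs (512/513/514) that appear under more than one SID. Treating the SID from "net getlocalsid <domain name>" as the domain SID is an assumption, and the function and finding names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the `net groupmap list` output quoted in the thread.
GROUPMAP = """\
Domain Users (S-1-5-21-4166838278-3756557259-2095403906-513) -> -1
domadmins (S-1-5-21-2018781741-1218799122-1862565094-512) -> admin
domguests (S-1-5-21-2018781741-1218799122-1862565094-514) -> nobody
Domain Guests (S-1-5-21-4166838278-3756557259-2095403906-514) -> -1
Domain Admins (S-1-5-21-4166838278-3756557259-2095403906-512) -> -1
domusers (S-1-5-21-2018781741-1218799122-1862565094-513) -> users
"""
# Assumption: the SID printed by `net getlocalsid <domain name>` is the domain SID.
DOMAIN_SID = "S-1-5-21-2018781741-1218799122-1862565094"
WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
# "<nt name> (<domain sid>-<rid>) -> <unix group or -1>"
LINE = re.compile(r"^(.+?) \((S-1-5-21(?:-\d+){3})-(\d+)\) -> (\S+)$")


def parse_groupmap(text):
    """Return (name, domain_sid, rid, unix_group) tuples; skip non-matching lines."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return rows


def audit(rows, domain_sid):
    """Return (subject, finding) pairs for mappings an admin should review."""
    findings, sids_by_rid = [], defaultdict(set)
    for name, sid, rid, unix in rows:
        sids_by_rid[rid].add(sid)
        if sid != domain_sid:
            findings.append((name, "sid-outside-domain"))
        if unix == "-1":
            findings.append((name, "no-unix-group"))
    for rid in sorted(sids_by_rid):
        if rid in WELL_KNOWN and len(sids_by_rid[rid]) > 1:
            findings.append((f"RID {rid} ({WELL_KNOWN[rid]})", "rid-under-two-sids"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(parse_groupmap(GROUPMAP), DOMAIN_SID):
        print(f"{finding:20} {subject}")
```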