Hello,
I need some understanding about when being as user in a domain group
and log on to a windows machine as user that belongs to this group
having administrative rights. I will explain in more detail and give
some more information:
# net getlocalsid> SID for domain FILESERVER is: S-1-5-21-4166838278-3543217259-2095403906
# net getlocalsid <domain>> SID for domain <domain> is: S-1-5-21-2018781741-1212345122-1862565094
# net groupmap list> domain-admins (S-1-5-21-2018781741-1212345122-1862565094-512) -> admin
> domain-guests (S-1-5-21-2018781741-1212345122-1862565094-514) -> nobody
> domain-users (S-1-5-21-2018781741-1212345122-1862565094-513) -> users
> Domain Guests (S-1-5-21-4166838278-3543217259-2095403906-514) -> -1
> Domain Admins (S-1-5-21-4166838278-3543217259-2095403906-512) -> -1
> Domain Users (S-1-5-21-4166838278-3543217259-2095403906-513) -> -1
It seems the groups "Domain Admins", "Domain Guests" and
"Domain Users"
are "built-in" NT groups. Why are these groups not mapped? Because of
the different SID? But how does this happen? The FILESERVER is not in
the domain? How can I determine this?
As I didn't know that these NT groups seem to be "built-in" groups
I
created some the other groups (those with dashes, e.g.
"domain-admins").
I have a user account that is in the unix group "admin". But when
loggin
on to a windows xp machine that is in the domain with that account I don't
have any administrative rights. So I changed the groupmapping to:
# net groupmap modify ntgroup="domain-admins"
unix-group="ntadmin"
Then I added my user account into this unix group "ntadmin" and
suddenly
I have administrative rights when loggin on to a windows machine.
# getent group | grep admin> ntadmin:!:71:<user1>,<user2>,<user3>,...
> admin:x:101:administrator,<user1>,<user2>,<user3>,...
What makes the difference between these unix groups? Why didn't the
first mapping have any effect concerning administrative rights?
Are the groups "Domain Admins", "Domain Users" and
"Domain Guests"
really built-in NT groups and is the group "ntadmin" a built-in unix
group? The problem is that this often is mentioned in the documentation
as "example" groups. This lets one suggest that you can create any
group and these built-in groups are there but not used. Is this correct?
I hope you guess what want to say.
Thanks in advance,
Michael
