I have a small domain with a Samba PDB and two Windows clients. My goal is to have all accounts held centrally on the Linux box, but the administrator login doesn't work as an administrator.

That is, I can log in just fine as 'administrator' (or as any of the other accounts in the Samba password db), but I don't get administrative privileges in Windows.

In smb.conf, I have:

    admin users = root
    username map = /etc/samba/smbusers

In smbusers, I have:

    root = administrator

The username mapping appears to occur, but 'administrator' (now 'root') does not receive admin privileges in Windows. (This leads to quite a bind, because I can't log in as administrator to take the computer out of the domain and add a local administrator account.)

Any ideas? Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

---------- Forwarded message ----------
From: Edward Luck <ed.luck@gmail.com>
Date: Jan 12, 2006 7:06 PM
Subject: Re: [Samba] problem with administrator accounts
To: "Chris St. Pierre" <stpierre@nebrwesleyan.edu>

You need to map your Domain Admins group to a Linux group which the root user is a member of.

Here's a couple of things I have noticed:

1. User account "root" always gets a RID of 1000, not 500. So, there is effectively no "Administrator" user account.
2. You need to map the group "Domain Admins" to a unix group (preferably named "ntadmins"), which root is a member of.

With the above settings, I was able to add machines to the domain as the user "root".

Remember that the User RID of "500" in Windows has special privileges - much like any account in UNIX with a userID of "0" is considered the superuser. Because there is no account in Samba which has a RID of 500, you need to assign Administrator privileges based on group membership - Domain Admins to be precise.

--
Keep flying, and stay shiny.

---------- Forwarded message ----------
From: Edward Luck <ed.luck@gmail.com>
Date: Jan 12, 2006 7:10 PM
Subject: Re: [Samba] problem with administrator accounts
To: "Chris St. Pierre" <stpierre@nebrwesleyan.edu>

One other thing about Administrator access. If you try and force a RID of 500 to the user "root" you get tdb database errors. It basically doesn't work as expected.

--
Keep flying, and stay shiny.

Sorry if I'm being dense, but how do I map groups? I can't find anything in the smb.conf man page about group mapping (except with idmap, which isn't what I want).

I'm using an older version of Samba -- 3.0.13 -- which is prebuilt for SuSE 9.3, and I'm lazy and didn't want to build my own. Do I need to upgrade to a newer version to get the functionality I want?

Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
402.465.7549
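
The group mapping Edward describes is managed in Samba 3 with the `net groupmap` command rather than in smb.conf. The script below is an added example, not part of the thread or of Samba: it reads a `net groupmap list` listing and a group file and reports which Unix accounts end up behind "Domain Admins" (RID 512). Function names and all sample data are constructed; "ntadmins" is the group name suggested in the thread.

```shell
#!/bin/sh
# Added example: report which Unix group backs "Domain Admins" (RID 512) and
# who is in it. Creating the mapping itself is done as root on the Samba server:
#   net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
# All sample data below is constructed, not taken from the thread.

# Constructed `net groupmap list` output: NT name (SID) -> Unix group.
sample_groupmap() {
cat <<'EOF'
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmins
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nobody
EOF
}

# Constructed /etc/group content.
sample_group_file() {
cat <<'EOF'
root:x:0:
users:x:100:alice,bob
ntadmins:x:1005:root,alice
EOF
}

# stdin: groupmap listing. Prints the Unix group mapped to the SID ending in -512.
admin_unix_group() {
    sed -n 's/^.*(S-1-5-21-[0-9-]*-512) -> \(.*\)$/\1/p' | head -n 1
}

# stdin: group file. Prints the supplementary members of group $1, one per line.
# Accounts that have the group only as their primary GID (/etc/passwd) are not listed.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# $1 = groupmap listing, $2 = group file text.
# Prints UNMAPPED, OK:<group>:<members> or NO_ROOT:<group>:<members>.
audit_domain_admins() {
    grp=$(printf '%s\n' "$1" | admin_unix_group)
    [ -n "$grp" ] || { echo "UNMAPPED"; return 0; }
    members=$(printf '%s\n' "$2" | group_members "$grp" | paste -sd, -)
    case ",$members," in
        *,root,*) echo "OK:$grp:$members" ;;
        *)        echo "NO_ROOT:$grp:$members" ;;
    esac
}

audit_domain_admins "$(sample_groupmap)" "$(sample_group_file)"
```

On a live server the same check is `audit_domain_admins "$(net groupmap list)" "$(getent group)"`. Every account in the reported member list is treated as a domain administrator by the Windows clients, so keep that group as small as possible.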