Hi,

I'm trying to set up one of my users to be a domain admin. I have a unix/ldap group called "domainadm" with "user1" a member of the group. When I run "net groupmap list" I get the following:

Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) -> domainadm

But when I go to log in to the domain with "user1" on a winxp machine, the user isn't able to make administrative changes to the computer.

Is there something I'm doing wrong?

- Delamatrix

SLES9-SP3
Samba 3.0.20b
Openldap

Golden Butler wrote:
> Hi,
>
> I'm trying to set up one of my users to be a domain admin. I have
> unix/ldap group called "domainadm" with "user1" a member of the
> group. When I run "net groupmap list" I get the following:
>
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) ->
> domainadm
>
> But when I go to log in to the domain with "user1" on a winxp machine,
> the user isn't able to make administrative changes to the computer.
>
> Is there something I'm doing wrong?
>
> - Delamatrix
>
> SLES9-SP3
> Samba 3.0.20b
> Openldap
>

It's not clear what you are trying to do. If the Windows user1 is a member of "Domain Admins" and if Domain Admins have administrative rights on the winxp machine, user1 should have administrative rights on the winxp machine. If the Unix group domainadm has some special privileges on your Samba server, then user1 should be able to exercise those privileges. Neither condition is automatic however. You need to set up the privileges.

Yes! That was it. Thanks a lot. But now I'm curious. So if I wanted to map my unix "users" group to "Domain Users", what rid would I use, or does it matter?

- Delamatrix

_____

From: Neil Muller [mailto:neil@neologix.net.au]
To: Golden Butler [mailto:golden@cnt.org]
Cc: Samba Mailing List [mailto:samba@lists.samba.org]
Sent: Wed, 24 May 2006 19:22:48 -0500
Subject: Re: [Samba] Domain Admins

Golden Butler wrote:
> Hi,
>
> I'm trying to set up one of my users to be a domain admin. I have
> unix/ldap group called "domainadm" with "user1" a member of the group.
> When I run "net groupmap list" I get the following:
>
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) -> domainadm
>
> But when I go to log in to the domain with "user1" on a winxp machine,
> the user isn't able to make administrative changes to the computer.
>
> Is there something I'm doing wrong?
>
> - Delamatrix
>
> SLES9-SP3
> Samba 3.0.20b
> Openldap
>

I think you may need to check the rid you have used for the Domain Admins group. According to http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html this is one of the well known rids which must be maintained for correct functioning of the NT groups systems. You have a rid of 7033 and I think it should be 512.

Neil

--
email: neil@neologix.net

Also, is it necessary to group map groups you're using in samba? For example:

ntgroup "marketing" --> unix group "marketing"
ntgroup "sales" --> unix group "sales"

What are pros and cons to doing this, or is it optional?

-- Delamatrix

_____

From: Neil Muller [mailto:neil@neologix.net.au]
To: Golden Butler [mailto:golden@cnt.org]
Cc: Samba Mailing List [mailto:samba@lists.samba.org]
Sent: Wed, 24 May 2006 19:22:48 -0500
Subject: Re: [Samba] Domain Admins

Golden Butler wrote:
> Hi,
>
> I'm trying to set up one of my users to be a domain admin. I have
> unix/ldap group called "domainadm" with "user1" a member of the group.
> When I run "net groupmap list" I get the following:
>
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) -> domainadm
>
> But when I go to log in to the domain with "user1" on a winxp machine,
> the user isn't able to make administrative changes to the computer.
>
> Is there something I'm doing wrong?
>
> - Delamatrix
>
> SLES9-SP3
> Samba 3.0.20b
> Openldap
>

I think you may need to check the rid you have used for the Domain Admins group. According to http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html this is one of the well known rids which must be maintained for correct functioning of the NT groups systems. You have a rid of 7033 and I think it should be 512.

Neil

--
email: neil@neologix.net

Golden Butler wrote:
> Hi,
>
> I'm trying to set up one of my users to be a domain admin. I have
> unix/ldap group called "domainadm" with "user1" a member of the group.
> When I run "net groupmap list" I get the following:
>
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) -> domainadm
>
> But when I go to log in to the domain with "user1" on a winxp machine,
> the user isn't able to make administrative changes to the computer.
>
> Is there something I'm doing wrong?
>
> - Delamatrix
>
> SLES9-SP3
> Samba 3.0.20b
> Openldap
>

I think you may need to check the rid you have used for the Domain Admins group. According to http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html this is one of the well known rids which must be maintained for correct functioning of the NT groups systems. You have a rid of 7033 and I think it should be 512.

Neil

--
email: neil@neologix.net
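
An added example, not part of the original thread: a POSIX shell check over "net groupmap list" output that flags well-known groups whose SID does not end in the well-known RID discussed above (512 for Domain Admins). It goes slightly beyond the thread by also checking Domain Users (513) and Domain Guests (514), the standard Windows values; the function names and the two extra sample lines are constructed for illustration.

```shell
#!/bin/sh
# Usage on a Samba server:  net groupmap list | check_groupmap

# Expected well-known RID for an NT group name (empty if not well-known).
expected_rid() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;
    esac
}

# Reads "NT Group (S-1-5-21-a-b-c-RID) -> unixgroup" lines on stdin.
# Prints one line per mismatch and returns 1 if any was found.
check_groupmap() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *" (S-"*") -> "*) ;;      # looks like a groupmap entry
            *) continue ;;            # skip anything else
        esac
        ntgroup=${line%%" (S-"*}      # text before " (S-..."
        sid=${line#*" ("}             # drop up to the opening paren
        sid=${sid%%")"*}              # drop from the closing paren on
        rid=${sid##*-}                # last SID component is the RID
        unixgroup=${line##*"-> "}
        want=$(expected_rid "$ntgroup")
        if [ -n "$want" ] && [ "$rid" != "$want" ]; then
            echo "MISMATCH: $ntgroup -> $unixgroup has RID $rid, expected $want"
            bad=1
        fi
    done
    return "$bad"
}

# Sample input: the first line is the mapping quoted in the thread; the
# other two are constructed for illustration.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) -> domainadm
Domain Users (S-1-5-21-186220259-3826000728-3192352269-513) -> users
marketing (S-1-5-21-186220259-3826000728-3192352269-3001) -> marketing
EOF
}

sample_groupmap | check_groupmap || true
```

Site-specific groups such as "marketing" are not compared against any RID; only the well-known names are checked.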