Hi all,

Samba has been running as PDC for some months in a row w/o any issues so far.
Users and machines were created and added to the domain correctly...

Now I'm facing the following problem... I hope it's easy to solve...
Although machines have been added to the domain using the root user, and it's mapped to Administrator in /etc/samba/smbusers, when a situation like connecting to a remote Windows workstation or unlocking a locked session using that user comes, the workstation shows a message telling that I (or the SysAdmin using the root or Administrator account) have no privileges to do that...

This is my smb.conf:

---
[global]
    netbios name = v601
    server string = Volania Six Dominatrix
    workgroup = VOLANIASIX.COM

    ; domain & local master browser
    ; coz we're dealing with Win2k
    os level = 65
    prefered master = yes
    domain master = yes
    local master = yes
    domain logons = yes
    wins support = yes

    ; misc options
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    time server = yes

    ; do not show files starting with dots
    hide dot files = yes

    ; do not allow guest access, use only local system accounts
    security = user
    guest ok = no
    invalid users = bin deamon sys man postfix mail ftp
    admin users = @wheel

    ; use encrypted passwords
    encrypt passwords = yes

    ; logging (max log size is in kB)
    log level = 2
    log file = /var/log/samba/log.%L
    max log size = 1000
    debug timestamp = yes
    syslog = 1

    ; user roaming profiles path
    logon path = \\%N\profiles\%U

    logon drive = H:

    ; general logon script (in DOS format)
    logon script = %u.bat

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
    add user script = /usr/sbin/useradd %u
    add group script = /usr/sbin/groupadd %g
    add machine script = /usr/sbin/adduser -n -g users -c V6-Windows-Machine -d /dev/null -s /bin/false %u
    delete user script = /usr/sbin/userdel %u
    delete user from group script = /usr/sbin/deluser %u %g
    delete group script = /usr/sbin/groupdel %g
    username map = /etc/samba/smbusers

; share for domain controller
[netlogon]
    path = /usr/lib/samba/netlogon
    public = no
    writeable = no
    browsable = no
    valid users = root @smbusers

; share for storing user profiles
[profiles]
    comment = Network Profiles Share

    path = /usr/lib/samba/profiles
    writeable = yes
    store dos attributes = yes
    create mask = 0700
    directory mask = 0700
    browsable = no
    guest ok = no
    printable = no

    hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
    valid users = root @smbusers

[homes]
    valid users = %S
    read only = No
    browseable = No
---

# grep wheel /etc/group
wheel:x:10:root

Any suggestions?? Maybe I've overlooked something obvious when Samba was set up as PDC...

TIA,
Martin

--
Martin Mielke - martin.mielke@casino.com
Sr. SysAdmin at Casino.com
p: +34 956785288 | f: +34 956794081 | m: +34 677509693
w: http://www.casino.com/
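
Added example, not part of the original thread: the posted smb.conf controls access through the `invalid users`, `valid users` and `admin users` lists, and a list entry that matches no account never applies. The check below runs over an excerpt of that configuration; the `USERS` and `GROUPS` sets are constructed stand-ins for the server's account database (an assumption, since the post only shows the `wheel` group).

```python
import re

# Excerpt of the configuration posted above (account-list lines only).
SMB_CONF = """
[global]
   ; do not allow guest access, use only local system accounts
   security = user
   invalid users = bin deamon sys man postfix mail ftp
   admin users = @wheel
[netlogon]
   valid users = root @smbusers
[homes]
   valid users = %S
"""

# Constructed stand-ins for /etc/passwd and /etc/group (assumption).
USERS = {"root", "bin", "daemon", "sys", "man", "postfix", "mail", "ftp"}
GROUPS = {"wheel", "smbusers", "users"}

# Parameter names with whitespace removed, as normalised by parse().
LIST_PARAMS = {"invalidusers", "validusers", "adminusers"}

def parse(text):
    """Yield (section, parameter, value); ';' and '#' start comment lines."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, re.sub(r"\s+", "", key).lower(), value.strip()

def unknown_accounts(text, users=USERS, groups=GROUPS):
    """Return (section, parameter, name) for list entries matching no account."""
    findings = []
    for section, key, value in parse(text):
        if key not in LIST_PARAMS:
            continue
        for name in value.replace(",", " ").split():
            if "%" in name:              # substitution such as %S, resolved at run time
                continue
            is_group = name[0] in "@+&"  # prefixes that mark a group name
            bare = name.lstrip("@+&")
            if bare not in (groups if is_group else users):
                findings.append((section, key, name))
    return findings

if __name__ == "__main__":
    for finding in unknown_accounts(SMB_CONF):
        print("no such account: [%s] %s -> %s" % finding)
```

On a real server the two sets would be filled from the system's passwd and group databases instead of the constructed values.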

See chapter 15, "User Rights and Privileges", of the Samba HOWTO Collection. You will find the answer.

-----------------------------------
Stéphane PURNELLE stephane.purnelle@corman.be
IT Department, Corman S.A.
Tel : 00 32 087/342467

samba-bounces+stephane.purnelle=corman.be@lists.samba.org wrote on 23/10/2007 11:36:01:

> Hi all,
>
> Samba has been running as PDC for some months in a row w/o any issues so
> far.
> Users and machines were created and added to the domain correctly...
>
> Now I'm facing the following problem... I hope it's easy to solve...
> Although machines have been added to the domain using the root user, and
> it's mapped to Administrator in /etc/samba/smbusers, when a situation
> like connecting to a remote Windows workstation or unlocking a locked
> session using that user comes, the workstation shows a message telling
> that I (or the SysAdmin using the root or Administrator account) have no
> privileges to do that...

Well,

/snap
connecting to a remote Windows workstation or unlocking a locked session using that user comes, the workstation shows a message telling that I (or the SysAdmin using the root or Administrator account) have no privileges to do that...
/snap

Sounds correct, but didn't you forget to:
1) put the "Domain Administrators" group to the remote desktop (terminal services)
2) change the local administrator's password to the same password as the Domain Administrator
3) enable Terminal services at all.
4) does the account have a password and is it a member of the LOCAL Terminal Services group.

Check all 4 and you will fix it.

This is how I work:
1 the Domain user I work with = Domain Admin (primary group)
2 Domain Admins are allowed to log on in terminal services.
3 just for backup, my login name also exists as a local user, AND has access to terminal services. This is in case the Domain Controller has a problem and you must have access to a desktop.

Good luck.

Louis

>-----Original message-----
>From: samba-bounces+belle=bazuin.nl@lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of
>Martin Mielke
>Sent: Tuesday, 23 October 2007 11:36
>To: samba@lists.samba.org
>Subject: [Samba] root != admin domain user?
>
>Hi all,
>
>Samba has been running as PDC for some months in a row w/o any
>issues so far.
>Users and machines were created and added to the domain correctly...
>
>Now I'm facing the following problem... I hope it's easy to solve...
>Although machines have been added to the domain using the root
>user, and it's mapped to Administrator in /etc/samba/smbusers, when
>a situation like connecting to a remote Windows workstation or
>unlocking a locked session using that user comes, the workstation
>shows a message telling that I (or the SysAdmin using the root or
>Administrator account) have no privileges to do that...