samba - Jan 2008 - Creating samba shares from windows machine?

We have two samba boxes using ads security in a windows domain, and
would like for members of the Domain Admins group to be able to create
shares on the samba boxes using the Computer Management snap-in.  When I
attempt to do this I get access denied errors.  Is this possible, and if
so, how would I go about setting it up? 

Here is the relevant portion from smb.conf

[global]
        workgroup = DOMAINNAME
        security = ads
        realm = DOMAINNAME
        password server = pw.domain.com
        encrypt passwords = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        netbios name = HOSTNAME
        winbind enum groups = yes
        winbind enum users = yes
        winbind use default domain = yes

        # W2K3-SP1 / W2K-SP4-SR1 COMPATIBILITY WORKAROUND
        # The following statement turns off Samba's attempts to use netlogon
        # schannel when connecting as a client to other SMB hosts.
        client schannel = no

        # GENERAL WINDOWS 2000, 2003, and XP-RELATED COMPATIBILITY SETTINGS
        # These two settings tend to improve Samba's compatibility with
newer
        # Windows systems:
        client use spnego = no
        server signing = auto

        # prevent conflicts with AD
        os level = 1
        domain master = no

Thanks!

-- 
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Visit http://www.puryear-it.com/pubs/ebooks/ to download your free
copies of:

 "Best Practices for Managing Linux and UNIX Servers"
 "Spam Fighting and Email Security in the 21st Century"

have you put them in a unix group and then ran net groupmap add 
ntgroup="Domain Admins" unixgroup=whatever type=d or tried net -S
DOMAIN
-U root%password rpc rights grant "DOMAIN\Domain Admins" 
SeDiskOperatorPrivilege

then look on page 441 of Samba-3 By Example.pdf on how to use Computer 
Management snap in to get to the Shares.


Steven Whaley wrote:
> We have two samba boxes using ads security in a windows domain, and
> would like for members of the Domain Admins group to be able to create
> shares on the samba boxes using the Computer Management snap-in.  When I
> attempt to do this I get access denied errors.  Is this possible, and if
> so, how would I go about setting it up? 
>
> Here is the relevant portion from smb.conf
>
> [global]
>         workgroup = DOMAINNAME
>         security = ads
>         realm = DOMAINNAME
>         password server = pw.domain.com
>         encrypt passwords = yes
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         netbios name = HOSTNAME
>         winbind enum groups = yes
>         winbind enum users = yes
>         winbind use default domain = yes
>
>         # W2K3-SP1 / W2K-SP4-SR1 COMPATIBILITY WORKAROUND
>         # The following statement turns off Samba's attempts to use
netlogon
>         # schannel when connecting as a client to other SMB hosts.
>         client schannel = no
>
>         # GENERAL WINDOWS 2000, 2003, and XP-RELATED COMPATIBILITY SETTINGS
>         # These two settings tend to improve Samba's compatibility with
> newer
>         # Windows systems:
>         client use spnego = no
>         server signing = auto
>
>         # prevent conflicts with AD
>         os level = 1
>         domain master = no
>
> Thanks!
>
>