We have two samba boxes using ads security in a windows domain, and would like for members of the Domain Admins group to be able to create shares on the samba boxes using the Computer Management snap-in. When I attempt to do this I get access denied errors. Is this possible, and if so, how would I go about setting it up? Here is the relevant portion from smb.conf [global] workgroup = DOMAINNAME security = ads realm = DOMAINNAME password server = pw.domain.com encrypt passwords = yes idmap uid = 10000-20000 idmap gid = 10000-20000 netbios name = HOSTNAME winbind enum groups = yes winbind enum users = yes winbind use default domain = yes # W2K3-SP1 / W2K-SP4-SR1 COMPATIBILITY WORKAROUND # The following statement turns off Samba's attempts to use netlogon # schannel when connecting as a client to other SMB hosts. client schannel = no # GENERAL WINDOWS 2000, 2003, and XP-RELATED COMPATIBILITY SETTINGS # These two settings tend to improve Samba's compatibility with newer # Windows systems: client use spnego = no server signing = auto # prevent conflicts with AD os level = 1 domain master = no Thanks! -- Puryear Information Technology, LLC Baton Rouge, LA * 225-706-8414 http://www.puryear-it.com Visit http://www.puryear-it.com/pubs/ebooks/ to download your free copies of: "Best Practices for Managing Linux and UNIX Servers" "Spam Fighting and Email Security in the 21st Century"
have you put them in a unix group and then ran net groupmap add ntgroup="Domain Admins" unixgroup=whatever type=d or tried net -S DOMAIN -U root%password rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege then look on page 441 of Samba-3 By Example.pdf on how to use Computer Management snap in to get to the Shares. Steven Whaley wrote:> We have two samba boxes using ads security in a windows domain, and > would like for members of the Domain Admins group to be able to create > shares on the samba boxes using the Computer Management snap-in. When I > attempt to do this I get access denied errors. Is this possible, and if > so, how would I go about setting it up? > > Here is the relevant portion from smb.conf > > [global] > workgroup = DOMAINNAME > security = ads > realm = DOMAINNAME > password server = pw.domain.com > encrypt passwords = yes > idmap uid = 10000-20000 > idmap gid = 10000-20000 > netbios name = HOSTNAME > winbind enum groups = yes > winbind enum users = yes > winbind use default domain = yes > > # W2K3-SP1 / W2K-SP4-SR1 COMPATIBILITY WORKAROUND > # The following statement turns off Samba's attempts to use netlogon > # schannel when connecting as a client to other SMB hosts. > client schannel = no > > # GENERAL WINDOWS 2000, 2003, and XP-RELATED COMPATIBILITY SETTINGS > # These two settings tend to improve Samba's compatibility with > newer > # Windows systems: > client use spnego = no > server signing = auto > > # prevent conflicts with AD > os level = 1 > domain master = no > > Thanks! > >