Witold Tosta
2009-Aug-27 12:14 UTC
[Samba] Fwd: most common way to implement 'net time' privileges
Liutauras Adomaitis wrote:
> On Wed, Aug 26, 2009 at 6:11 PM, Volker
> Lendecke<Volker.Lendecke at sernet.de> wrote:
>> On Wed, Aug 26, 2009 at 06:05:35PM +0300, Liutauras Adomaitis wrote:
>>> now size is few times larger. Try it now
>>> http://www.infosaitas.lt/logas.txt
>> Normally a "Device is not functioning" (or so) means an
>> NT_STATUS_UNSUCCESSFUL error message. I don't see any such
>> error message in the logs. When *exactly* did the error
>> happen when you took the log?
>>
>
> I looked through the logs again - no line with NT_STATUS_UNSUCCESSFUL.
>
> I found other thing (look below). It says
> ldapsam_getsampwsid: Unable to locate SID
> [S-1-5-21-1376040910-2644421868-2724539926-513]
> Could this be the problem?
>

I have the same issue on Samba 3.4.0. Previously I thought all usrmgr.exe's features do not work for Samba, but only for NT 4.0.

The issue comes out when using the latest version 5.2.3790.1127 of usrmgr.exe. The previous ones shipped with Windows NT 4.0 Server and Windows 2000 Server (4.0.1371.1 and versions 5.0.2195.6601) work well, but in both there is no changing time policy setting in the menu of policy --> user rights settings group :-)

Allowing Domain Users to set the time for their machines via time change settings (clock settings in the bottom right corner of the Windows desktop) or via logon.bat, for example, I resolved by adding the Domain User Group into the policy called "Allow user time change" under the secpol.msc utility from a Windows XP Professional workstation.

Moreover, using policy settings from the usrmgr.exe utility is more elegant in my opinion, and I would be very grateful to know the issue that does not allow using these policy-based settings.

Best regards
Witek
Liutauras Adomaitis
2009-Aug-27 13:00 UTC
[Samba] Fwd: most common way to implement 'net time' privileges
On Thu, Aug 27, 2009 at 3:14 PM, Witold Tosta<witold.tosta at neostrada.pl> wrote:
> Liutauras Adomaitis wrote:
>>
>> On Wed, Aug 26, 2009 at 6:11 PM, Volker
>> Lendecke<Volker.Lendecke at sernet.de> wrote:
>>>
>>> On Wed, Aug 26, 2009 at 06:05:35PM +0300, Liutauras Adomaitis wrote:
>>>>
>>>> now size is few times larger. Try it now
>>>> http://www.infosaitas.lt/logas.txt
>>>
>>> Normally a "Device is not functioning" (or so) means an
>>> NT_STATUS_UNSUCCESSFUL error message. I don't see any such
>>> error message in the logs. When *exactly* did the error
>>> happen when you took the log?
>>>
>>
>> I looked through the logs again - no line with NT_STATUS_UNSUCCESSFUL.
>>
>> I found other thing (look below). It says
>> ldapsam_getsampwsid: Unable to locate SID
>> [S-1-5-21-1376040910-2644421868-2724539926-513]
>> Could this be the problem?
>>
>
> I have the same issue on samba 3.4.0. Previously I thought all usrmgr.exe's
> features does not work for Samba, but only for NT 4.0.
>
> The issue comes out when using the latest version 5.2.3790.1127 of
> usrmgr.exe. The previous ones shipped with Windows NT 4.0 Server and Windows
> 2000 Server (4.0.1371.1 and versions 5.0.2195.6601) work well, but in both
> there are no changing time policy setting in the menu of policy --> user
> rights settings group :-)
>
> Allowing Domain Users setting time for their machines via time change
> settings (clock settings on right bottom corner of windows desktop) or via
> logon.bat for example I resolved adding Domain User Group into the policy
> called "Allow user time change" under secpol.msc utility from Windows XP
> Professional workstation.

How did you do that with logon.bat?
Witold Tosta
2009-Aug-27 18:26 UTC
[Samba] Fwd: most common way to implement 'net time' privileges
Liutauras Adomaitis wrote:
> On Thu, Aug 27, 2009 at 3:14 PM, Witold Tosta<witold.tosta at neostrada.pl> wrote:
>> Liutauras Adomaitis wrote:
>>> On Wed, Aug 26, 2009 at 6:11 PM, Volker
>>> Lendecke<Volker.Lendecke at sernet.de> wrote:
>>>> On Wed, Aug 26, 2009 at 06:05:35PM +0300, Liutauras Adomaitis wrote:
>>>>> now size is few times larger. Try it now
>>>>> http://www.infosaitas.lt/logas.txt
>>>> Normally a "Device is not functioning" (or so) means an
>>>> NT_STATUS_UNSUCCESSFUL error message. I don't see any such
>>>> error message in the logs. When *exactly* did the error
>>>> happen when you took the log?
>>>>
>>> I looked through the logs again - no line with NT_STATUS_UNSUCCESSFUL.
>>>
>>> I found other thing (look below). It says
>>> ldapsam_getsampwsid: Unable to locate SID
>>> [S-1-5-21-1376040910-2644421868-2724539926-513]
>>> Could this be the problem?
>>>
>> I have the same issue on samba 3.4.0. Previously I thought all usrmgr.exe's
>> features does not work for Samba, but only for NT 4.0.
>>
>> The issue comes out when using the latest version 5.2.3790.1127 of
>> usrmgr.exe. The previous ones shipped with Windows NT 4.0 Server and Windows
>> 2000 Server (4.0.1371.1 and versions 5.0.2195.6601) work well, but in both
>> there are no changing time policy setting in the menu of policy --> user
>> rights settings group :-)
>>
>> Allowing Domain Users setting time for their machines via time change
>> settings (clock settings on right bottom corner of windows desktop) or via
>> logon.bat for example I resolved adding Domain User Group into the policy
>> called "Allow user time change" under secpol.msc utility from Windows XP
>> Professional workstation.
>
> How did you do that with logon.bat?

You probably got me wrong :-)

Using the logon.bat (common NT login script) I synchronize the client's system time with domain time when the client logs into the domain with the following command:

    net time /domain:yourdomainname /set /yes

But only the domain administrators and, as far as I know, advanced users are able to do this. When your user is an administrator or advanced user, that's enough; you don't have to change anything else. But if the user is a domain user, you have to add the ability of changing system time to the computer's local policy (secpol.msc). Otherwise login.bat processing will stop and will inform that the user doesn't have the privilege to change local system time. With such a statement, a domain user cannot enter the system's clock and look at the calendar either, funny, isn't it?

My point was to ask the Honorable Group if there's a possibility to set up a domain policy that allows changing the system time for each domain user globally, not only the computer's local policy for each computer separately.

Best regards.
Witek
Liutauras Adomaitis
2009-Aug-28 08:02 UTC
[Samba] Fwd: most common way to implement 'net time' privileges
> So I change the their local policy setting. Dumb solution, bo I cannot do
> that other way.

Do you do it by hand on all computers locally?
Witold Tosta
2009-Aug-28 08:29 UTC
[Samba] Fwd: most common way to implement 'net time' privileges
Liutauras Adomaitis wrote:
>> So I change the their local policy setting. Dumb solution, bo I cannot do
>> that other way.
>
> Do do it by hand on all computers localy?

Unfortunately, for now I do it that way :-(
Maybe someone has some civilized solution?

Witek