Hello,
I've built a domain with Samba 3.0.23 and successfully joined this domain
with a Windows XP machine. I can log in to that machine as user "Root",
which is in the group "Domain Admins" (rid=512). But I have no
admin rights on that machine.
Also, normal users cannot log in over a remote session (RDP).
Can anybody help me to figure out why?
Here is my smb.conf:
[global]
         server string = b-login
         workgroup = marco
         ; speed optimizations
         socket options = TCP_NODELAY
         share modes = no
         debug level = 10
         debug uid = yes
         getwd cache = yes
;       read size = 65536
         preserve case = yes
         log level = 10
         printer admin = ds
         domain logons = yes
         domain master = yes
         local master = Yes
         preferred master = Yes
         ldap admin dn = cn=Administrator,dc=marco,dc=de
         ldap delete dn = No
         ldap group suffix = ou=group
         ldap ssl = off
         ldap suffix = dc=marco,dc=de
         ldap user suffix = ou=people
         ldap machine suffix = ou=Computers
         ldap idmap suffix = ou=idmap
;       ldap passwd sync = yes
         logon path = \\%L\%U\.ntprofile
         logon home = \\%L\%U\.ntprofile
         logon drive = H:
         passdb backend = ldapsam:"ldap://10.3.1.3"
         security = user
         add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
         printing = cups
         printcap name = cups
         printcap cache time = 750
         cups options
         smb ports = 139
         local master = no
         kernel oplocks = No
         ; ----- same as "umask 2"
         create mask = 0775
         ; ----- disconnect after N minutes inactive
         dead time = 300
         ; ----- check whether clients are alive [seconds]
         keep alive = 300
         ; ----- may delete readonly files
         delete readonly = yes
         ; ----- logfiles grow up to N kByte
;       max log size = 100
         ; ----- don't map archive bit to execute bit
         map archive = no
         ; ----- "umask 2" setting for files and directories
         create mask = 0775
         directory mask = 0775
         ; ----- WINS support
         ; note: on SuSE 8samba is patched so that
         ;   if (wins server == localhost)
         ;       wins support = yes
         ;       preferred master = yes
         ;       os level >= 32
         ;
         wins server = gate
         name resolve order = wins host bcast
         security = user
         netbios aliases = homedirs
Regards
Daniel
-- 
Daniel Spannbauer                         Software Entwicklung
marco Systemanalyse und Entwicklung GmbH  Tel   +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen   Mobil +49 171 4033220
http://www.marco.de/                      Email ds at marco.de
Geschäftsführer Martin Reuter             HRB 171775 Amtsgericht München

Daniel Spannbauer wrote:
> Hello,
>
> I've built a domain with Samba 3.0.23 and successfully joined this domain
> with a Windows XP machine. I can log in to that machine as user "Root",
> which is in the group "Domain Admins" (rid=512). But I have no
> admin rights on that machine.
> Also, normal users cannot log in over a remote session (RDP).
>
> Can anybody help me to figure out why?

Hmmm, when I log in on the workstation as Administrator (which is mapped to
user root), I get a group SID which ends in 513, so as Administrator I get
the rights of a normal domain user. But in LDAP the PrimaryGroupSid for root
is set to 512 (DomainAdmins). In the group entry for the group of the
DomainAdmins, root is also in MemberUID.
Can anybody tell me why the PrimaryGroupSid isn't used by Samba?

Regards
Daniel
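
The smb.conf posted in this thread assigns several parameters more than once (`local master`, `security`, `create mask`, and `log level` through its synonym `debug level`). As an added example, not part of the original posts, this Python code lists such repeats and the value that takes effect, since a later assignment in the same section overrides an earlier one. The sample text, the function names and the partial synonym table are assumptions of the example.

```python
import re

# Constructed sample: a subset of the [global] section posted above.
SAMPLE = """\
[global]
         debug level = 10
;       read size = 65536
         log level = 10
         local master = Yes
         security = user
         local master = no
         create mask = 0775
         create mask = 0775
         security = user
"""

# "debug level" is a documented synonym of "log level"; this table is partial.
SYNONYMS = {"debuglevel": "loglevel"}
BOOLS = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}

def canon(name):
    # smb.conf parameter names ignore case and whitespace.
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)

def parse(text):
    """Return {(section, parameter): [(line_no, value), ...]} in file order."""
    seen, section = {}, "global"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            name, value = line.split("=", 1)
            seen.setdefault((section, canon(name)), []).append((no, value.strip()))
    return seen

def repeated(text):
    """Return {(section, parameter): (effective_value, conflicting, lines)}."""
    out = {}
    for key, hits in parse(text).items():
        if len(hits) > 1:
            # Booleans are compared by meaning, so "Yes" and "yes" agree.
            values = {BOOLS.get(v.lower(), v) for _, v in hits}
            out[key] = (hits[-1][1], len(values) > 1, [n for n, _ in hits])
    return out

if __name__ == "__main__":
    for (sec, name), (value, conflict, lines) in repeated(SAMPLE).items():
        print(f"[{sec}] {name}: effective={value!r} conflicting={conflict} lines={lines}")
```

On the running server, `testparm` prints the configuration as Samba actually parsed it, which is the authoritative view of which value won.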