Hello all,

I'm Fran, and I'm from Spain. I'm currently using an English book to set up my Samba server, and I'm having problems understanding it.

Let me explain my problem. I don't want to use root to join clients to the domain; I prefer creating a plain user.

OK, so the steps I follow are:

    net groupmap add unixgroup=srvadmins ntgroup="Server Admins"
    net groupmap add ntgroup="Domain Admins" unixgroup=dmnadmins rid=512 type=d
    net rpc rights grant 'ORA\Server Admins' seMachineAccountPrivilege

Now the users "root", "dmnadmin" (from the dmnadmins group) and "srvadmin" (from the srvadmins group) can add machines to the domain.

So I wonder, why does the srvadmins group need to be granted privileges?
I tried to lower the dmnadmins privileges by revoking the seMachineAccountPrivilege privilege, but it didn't work, and the user managed to add a machine to the domain correctly.

OK, so is this really useful? Why do I need 3 kinds of users to be able to join the domain? Should I really stick to using root to join clients?

Thank you

--
Fran Del Val
IT Dept.
Rojatex S.L.

Hello, fdelval,

You wrote on 03.02.11:

> I don't want to use root to join clients to the domain; I prefer
> creating a plain user.

Look at "admin users" in "[global]", file "/etc/samba/smb.conf".

There you can define which Linux user is allowed to do this job.

Best regards!
Helmut

Hello mate,

I added it, with a simple user, and yes, it worked.

Now doubts storm my mind. Now I have like 3 ways of achieving what I want.

1) username map = /etc/samba/smbusers (linking users to root)
2) admin users = frank
3) messing up with my netgroups and granting rights

Which one should I use? Which one offers the most secure way?

--
Fran Del Val
IT Dept.
Rojatex S.L.

Hi,

as usual there are several ways to accomplish what you're looking for.
This is what I prefer - "netgroups and granting rights", because

1) username map = /etc/samba/smbusers (linking users to root)
IMHO the really old style for those who don't know a better way. You shouldn't grant admin rights this way.

2) admin users = frank
Somehow better than 1) but also a short-term solution you shouldn't use.

3) messing up with my netgroups and granting rights
IMHO it's not "messing with" but the only way to grant user rights and privileges. It's more complex and you need to think about it in advance, but it's a proper long-term solution.

Check out the official Samba HOWTO - chapter 15/16:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

Cheers,
Christian

==========================================================
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45
44534 Lünen
fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de

--------Helmut Hullen <Hullen at t-online.de> wrote--------
Subject: Re: [Samba] understanding users mapping
Date: 03.02.2011 13:56

>Hello, fdelval,
>
>You wrote on 03.02.11 on the topic Re: [Samba] understanding users mapping:
>
>> Now I have like 3 ways of achieving what I want.
>
>> 1) username map = /etc/samba/smbusers (linking users to root)
>
>> 2) admin users = frank
>
>> 3) messing up with my netgroups and granting rights
>
>> Which one should I use?
>
>I prefer "admin users" in the "smb.conf". Don't know whether it is the
>best of all possible solutions.
>
>Best regards!
>Helmut

Please CC to samba list.

2011/2/4 <fdelval at rojatex.com>:
> root has adding machines privileges because root has all powers in linux
> and samba

Yes, root (uid=0) has natively all rights on Samba.

> Domain Admins has privileges because that group already had privileges in
> windows, and samba understand that

Yes, rid=512 is reserved for "Domain Admins" and "Domain Admins" has the rights natively.

> srvadmins has rights because i granted them with the net rpc privileges.

Yes.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

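Added example (not part of the thread and not Samba project code): a shell check that reports whether the two root-equivalent shortcuts discussed above, "admin users" in [global] and a "username map" entry pointing at root, are active in a given smb.conf. The sample files, their contents and the function names are constructed for illustration.

```shell
# Added example: report which root-equivalent shortcuts from the thread
# (admin users, username map onto root) are active in an smb.conf.

# Print a [global] parameter's value. Samba ignores case and whitespace
# in section and parameter names, so both sides are normalised first.
global_param() {  # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s); g = (s == "[global]"); next }
        g && (eq = index($0, "=")) {
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }' "$1"
}

# Print the client names a username map file maps onto root. Lines look
# like "unixname = client1 client2"; a leading "!" only stops later lines.
root_mapped() {  # $1 = username map path
    awk '/^[ \t]*[#;]/ { next }
         (eq = index($0, "=")) {
             u = substr($0, 1, eq - 1); gsub(/[ \t!]/, "", u)
             v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
             if (u == "root") print v
         }' "$1"
}

audit() {  # $1 = smb.conf path; prints one FINDING line per shortcut in use
    au=$(global_param "$1" "admin users")
    if [ -n "$au" ]; then echo "FINDING admin users: $au"; fi
    map=$(global_param "$1" "username map")
    if [ -n "$map" ] && [ -r "$map" ]; then
        mapped=$(root_mapped "$map")
        if [ -n "$mapped" ]; then echo "FINDING username map to root: $mapped"; fi
    fi
    return 0
}

# Constructed sample files (not from the thread), written to a temp directory.
demo=$(mktemp -d)
printf 'root = administrator frank\n# comment\nnobody = guest\n' > "$demo/smbusers"
printf '[global]\n workgroup = ORA\n Admin Users = frank\n username map = %s\n[netlogon]\n admin users = other\n' \
    "$demo/smbusers" > "$demo/smb.conf"
printf '[global]\n workgroup = ORA\n' > "$demo/clean.conf"
audit "$demo/smb.conf"
```

Rights granted the third way are not stored in smb.conf; on a running server `net rpc rights list accounts` shows which accounts hold them.
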
Hello all,

I wanted something to enhance my roaming profiles from a Samba server.
As well as users saving their config onto my server, I would like to give them a primary setup, by automatically creating some desktop shortcuts, or creating a corporate background image for all.

I think I have 2 options, but I can't find a decent howto, and it seems that I must use a Microsoft tool.

system policies
logon scripts

Is this necessary? I mean, is it possible to give my users a custom background image and some desktop icons?

If so, guide me or show me a starting point.

Much appreciated.

--
Fran Del Val
IT Dept.
Rojatex S.L.

2011/2/8 <fdelval at rojatex.com>:
> I wanted something to enhance my roaming profiles from a Samba server.
> As well as users saving their config onto my server, I would like to give
> them a primary setup, by automatically creating some desktop shortcuts, or
> creating a corporate background image for all.
>
> I think I have 2 options, but I can't find a decent howto, and it seems
> that I must use a Microsoft tool.
>
> system policies
> logon scripts
>
> Is this necessary? I mean, is it possible to give my users a custom
> background image and some desktop icons?

For a custom background image, you had better use system policies.
For some desktop icons, you had better use logon scripts.

You can use a default profile but I do not recommend it. To manipulate a default profile is something difficult.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

poledit.exe
OK, I take notes.
I suppose I should download it on every client PC?

And what about logon scripts? Do I forget about them?

Thanks

> On Tue, Feb 8, 2011 at 3:49 PM, <fdelval at rojatex.com> wrote:
>>
>> Hello all,
>>
>> I wanted something to enhance my roaming profiles from a Samba server.
>> As well as users saving their config onto my server, I would like to give
>> them a primary setup, by automatically creating some desktop shortcuts,
>> or creating a corporate background image for all.
>>
>> I think I have 2 options, but I can't find a decent howto, and it seems
>> that I must use a Microsoft tool.
>>
>> system policies
>> logon scripts
>>
>> Is this necessary? I mean, is it possible to give my users a custom
>> background image and some desktop icons?
>>
>> If so, guide me or show me a starting point.
>>
>> Much appreciated.
>>
>> --
>> Fran Del Val
>> IT Dept.
>> Rojatex S.L.
>
> for winNT4 you can use poledit.exe tool to create policy files. It
> will modify registry according to your needs. It worked for me for
> these purposes on winxp machines.
>
> Liutauras

--
Fran Del Val
IT Dept.
Rojatex S.L.

2011/2/9 <fdelval at rojatex.com>:
> poledit.exe
> OK, I take notes.
> I suppose I should download it on every client PC?

No, poledit is used to create the NTconfig.pol file.

> And what about logon scripts? Do I forget about them?

As Liutauras said:
It will modify registry according to your needs.
Basically, settings stored in the registry can be managed with system policy.

The background image file name is stored in the registry, but shortcuts are not.

Anyway, this knowledge applies not only to Samba but also to NT domains. So you had better search for knowledge on how to manage an NT domain.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

Kind of a difficult, dark, and poorly documented task, isn't it?

While I found dozens of Samba config manuals and examples, I can't find info about a logon script.
I had to get poledit.exe from a Service Pack for W2000...

Too much complexity for placing a desktop shortcut.

Is this the only way?

Oh, and Takahashi, I had an unanswered question from my last doubt. Would you be kind enough to answer here even if it's not the topic?

I can only "automatically map"
unix admins - nt domain admins
unix users - nt domain users

The other groups I create must be added manually in each Windows client to each DOMAIN/unix-group, right?

Thank you

--
Fran Del Val
IT Dept.
Rojatex S.L.

2011/2/9 <fdelval at rojatex.com>:
> Kind of a difficult, dark, and poorly documented task, isn't it?
>
> While I found dozens of Samba config manuals and examples, I can't find
> info about a logon script.
> I had to get poledit.exe from a Service Pack for W2000...
>
> Too much complexity for placing a desktop shortcut.
>
> Is this the only way?

Creating the logon script and NTconfig.pol is basically work on the Windows side.

From the point of view of Samba, creating the NETLOGON share and putting the NTconfig.pol already created on Windows into it is the only work for system policy.

Likewise, specifying the name of the logon script in smb.conf and putting the proper logon script in the proper path is the work for logon scripts.

Basically you had better search for these topics in the Windows documentation. Remember that system policy is suitable for NT4, so you should search in old docs.

> Oh, and Takahashi, I had an unanswered question from my last doubt. Would
> you be kind enough to answer here even if it's not the topic?
>
> I can only "automatically map"
> unix admins - nt domain admins
> unix users - nt domain users
>
> The other groups I create must be added manually in each Windows client
> to each DOMAIN/unix-group, right?

If you can use GPO, you can add any domain groups to local groups automatically. But unfortunately a Samba 3 domain does not support GPO.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

pdbedit lets you set the login script and various "windows" variables for each user. smb.conf sets the netlogon share path.

The actual syntax of a login script is more of a Windows question. I would look at (or google for) the Microsoft documentation on this. You should be able to have if/then statements to map things differently depending on primary group membership.

    # pdbedit -Lv someuser
    ....
    Logon Script:         logon.bat
    Home Directory:       \\server1\users\someuser
    HomeDir Drive:
    #
    # cd /export/samba/netlogon
    # more logon.bat
    net use x: /delete /y
    net use x: %homeshare%
    net use p: /delete /y
    net use r: /delete /y
    net use r: \\server1\dept
    net use y: /delete /y
    net use y: \\server1\users

As long as you are guessing around GPOs, you had better take a look at Samba 4 and a Samba 3 member server doing the things Samba 4 is not yet willing to do.

-----------------------------------------------
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
Email: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of TAKAHASHI Motonobu
Sent: Wednesday, 9 February 2011 16:23
To: fdelval at rojatex.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] samba policies? logon scripts?

2011/2/9 <fdelval at rojatex.com>:
> Kind of a difficult, dark, and poorly documented task, isn't it?
>
> While I found dozens of Samba config manuals and examples, I can't find
> info about a logon script.
> I had to get poledit.exe from a Service Pack for W2000...
>
> Too much complexity for placing a desktop shortcut.
>
> Is this the only way?

Creating the logon script and NTconfig.pol is basically work on the Windows side.

From the point of view of Samba, creating the NETLOGON share and putting the NTconfig.pol already created on Windows into it is the only work for system policy.

Likewise, specifying the name of the logon script in smb.conf and putting the proper logon script in the proper path is the work for logon scripts.

Basically you had better search for these topics in the Windows documentation. Remember that system policy is suitable for NT4, so you should search in old docs.

> Oh, and Takahashi, I had an unanswered question from my last doubt. Would
> you be kind enough to answer here even if it's not the topic?
>
> I can only "automatically map"
> unix admins - nt domain admins
> unix users - nt domain users
>
> The other groups I create must be added manually in each Windows client
> to each DOMAIN/unix-group, right?

If you can use GPO, you can add any domain groups to local groups automatically. But unfortunately a Samba 3 domain does not support GPO.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

Just to be sure.

Only the groups "Domain admins" and "Domain users" are mapped Linux-Windows automatically if the unix groups do exist.

The other groups must be linked manually in Windows users and groups management.

For example:
Windows remote desktop users group
add- myunixdomain\remoteUsers

Is it OK?

> 2011/2/4 <fdelval at rojatex.com>:
>> I went to the XP I had joined to the domain, and I went to "user and
>> groups management" (right click, properties over my PC -> management)
>> There, I see that Domain admins is automatically mapped.
>> And the Windows "users" group is mapped to MYDOMAIN\none automatically
>> as well, although I doubt if that's correct.
>> But the others aren't.
>
> When a Windows workstation including Windows XP has joined to a domain,
> "Domain Admins" and "Domain Users" always joined to its Administrators
> and Users respectively.
>
> This behavior is a part of Windows workstation implementation. Samba has
> nothing to do with it.
>
> Why MYDOMAIN\none joined to Users is that you have not created "Domain
> Users".
>
> --
> TAKAHASHI Motonobu <monyo at samba.gr.jp>

--
Fran Del Val
IT Dept.
Rojatex S.L.

2011/2/12 <fdelval at rojatex.com>:
> Only the groups "Domain admins" and "Domain users" are mapped Linux-Windows
> automatically if the unix groups do exist.
>
> The other groups must be linked manually in Windows users and groups
> management.
(snip)
> Is it OK?

Yes, it comes from the implementation of Windows.

At Active Directory (or Samba 4), you can link them automatically with GPO, but Samba 3 (or NT4) domain does not have support for GPO.

--
TAKAHASHI Motonobu <monyo at samba.gr.jp>