On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:

> On 07/17/13 15:02, Donny Brooks wrote:
> >
> > On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal
> > <gaiseric.van...@gmail.com> wrote:
> >
> >> On 07/17/13 14:32, Donny Brooks wrote:
> >>>
> >>> On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal
> >>> <gaiseric.van...@gmail.com> wrote:
> >>>
> >>>> According to the net man page
> >>>>
> >>>> In order for Samba to be joined or unjoined remotely an account
> >>>> must be used that is either member of the Domain Admins group, a member
> >>>> of the local Administrators group or a user that is granted the
> >>>> SeMachineAccountPrivilege privilege.
> >>>>
> >>>> The simplest thing is probably to have the Domain IT group be a member
> >>>> of the local admin group on each machine. I don't know if you would
> >>>> need to grant them the SeMachineAccountPrivilege.
> >>>>
> >>>> On 07/17/13 09:44, Donny Brooks wrote:
> >>>>>
> >>>>> On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld
> >>>>> <sa...@marc-muehlfeld.de> wrote:
> >>>>>
> >>>>>> Hello Donny,
> >>>>>>
> >>>>>> On 12.07.2013 21:34, Donny Brooks wrote:
> >>>>>>> On the old domain, which was set up before I got here,
> >>>>>>> our IT section was in an ldap group that allowed us to
> >>>>>>> join PCs to the domain ...
> >>>>>>
> >>>>>> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
> >>>>>>
> >>>>>>> ... and when the prompt came up in windows to
> >>>>>>> install software we could log in as ourselves.
> >>>>>>
> >>>>>> What do you mean by this? Do you want to have a group of users
> >>>>>> automatically in the "administrator" group on your workstations?
> >>>>>>
> >>>>>> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
> >>>>>>
> >>>>>> If you mean something else, please give some more details.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Marc
> >>>>>>
> >>>>>
> >>>>> Yes, on the old domain we had all of our IT staff in a group that was
> >>>>> able to join pcs to the domain and install software by inputting their
> >>>>> domain credentials when prompted. Looking at the first link that is for
> >>>>> Samba 4.X. We are on Samba 3.5.10 so that does not apply.
> >>>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >>> Looks like I need to do this here:
> >>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
> >>>
> >>> And map our itgroup to the Domain Admins group. Although we do have a
> >>> Domain Admins group in ldap. Should that cause an issue?
> >> Group mapping is to make sure Windows groups map to the correct unix
> >> group. This is not like mapping a Windows user name to a different
> >> unix user name (e.g. Windows Administrator = Unix root.)
> >>
> >> With LDAP, group mapping is usually simpler since the LDAP object for a
> >> group usually has the Samba SID and the unix group id. The "net
> >> groupmap list" command is useful for validating this. You want to make
> >> sure that you do see group mapping for "Domain Admins" and "Domain
> >> Users" and other well known groups. You are more likely to have to use
> >> the "net groupmap add" command when you don't have LDAP.
> >>
> >> Well known groups have to have specific relative IDs. The domain admin
> >> group HAS to have a relative ID of 512 in the SID. You have to make
> >> sure the Administrator is in the group. That behavior changes with
> >> versions newer than 3.0.x
> >>
> >> # net groupmap list
> >> ....
> >> Domain Admins (S-1-5-21-xxxx-xxxxx-xxxxx-512) -> Domain Admins
> >> ...
> >> # getent group "Domain Admins"
> >> Domain Admins::512:Administrator
> >> #
> >>
> >> I don't think you have a samba issue. I think you have a general
> >> "windows" issue about the most practical way to provide the IT group with
> >> sufficient privileges to manage computers without giving too much access.
> >>
> >> Depending on the size of your IT department, and the necessity to
> >> audit/control who makes what change, each IT user may need two accounts,
> >> one that is a regular account and one that is a member of the domain
> >> admins and local admins group (e.g. donny and donny_admin). This
> >> way they can do whatever they need, but they don't run as admin for
> >> routine tasks, and you can track who made what change (if need be) or
> >> limit who has full admin rights.
> >>
> >
> > It is correctly mapped and is 512. Nothing changed on the windows side
> > during the domain change other than removing the machines from the old
> > domain and rejoining them to the new one. We don't have to have the
> > accounting trail that two accounts would give us right now. I just want to
> > be able to tell my other people they can join computers to the domain and
> > perform software upgrades with their own credentials.
>
> OK
> I am looking at your original post again. I don't think you said
> which version you had been using.
>
> net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S
> enterprise -U superusername
>
> Is the superuser name the domain Administrator account? The problem
> seems to involve the superusername user, not the Domain Admins
> group. I think with older versions of samba, the Administrator
> account was implicit, and you could map the windows Administrator to
> the unix root account and all was OK. With the current version I think
> you need to create an Administrator samba user (it doesn't have to be
> called Administrator but I would do that just to keep things simple) and
> add that user to the Domain Admins group.
>
> Does "pdbedit -Lv Administrator" or "pdbedit -Lv superusername" work?
>
> You could add the IT users to the domain admins group. Then you
> have all the privileges you need. You should NOT need to grant
> SeMachineAccountPrivilege to the Domain Admins group.
>
> Can you post a sanitized version of the Domain Admin group LDIF?

Yes the "pdbedit -Lv root" returns properly. The super user name is root as that is how it was set up by the guy we contracted to do it. I have added myself to the Domain Admins group but still unable to join a pc to the domain or install software. Here is the Domain Admins LDIF:

# Entry 1: cn=Domain Admins,ou=Groups,dc=mdah,dc=state,dc=ms,dc=us
dn: cn=Domain Admins,ou=Groups,dc=mdah,dc=state,dc=ms,dc=us
cn: Domain Admins
description: Domain Administrators
displayname: Domain Admins
gidnumber: 512
memberuid: root
memberuid: dbrooks
memberuid: jomiles
objectclass: posixGroup
objectclass: sambaGroupMapping
sambagrouptype: 2
sambasid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-512

--
Donny B.
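A small checker for the invariants the thread walks through (both posixGroup and sambaGroupMapping objectClasses, RID 512 on the Domain Admins SID, sambaGroupType 2, a gidNumber, and the administrator account listed as a memberUid), written as an added example that is not part of the thread. It runs against a constructed LDIF entry modelled on Donny's with made-up SID digits; the Domain Users/Guests/Computers RIDs are my addition beyond the one RID the thread states.

```python
import re

# Well-known domain group RIDs Samba expects; 512 is the one the thread
# discusses, the others are standard Windows domain RIDs (my addition).
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513,
                   "Domain Guests": 514, "Domain Computers": 515}

def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attr: [values]}; skips comments."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_group_mapping(entry, admin_user):
    """Return problems with a sambaGroupMapping entry; an empty list means OK."""
    problems = []
    name = entry.get("cn", [""])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if not {"posixgroup", "sambagroupmapping"} <= classes:
        problems.append("needs both posixGroup and sambaGroupMapping objectClasses")
    sid = entry.get("sambasid", [""])[0]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if not m:
        problems.append(f"sambaSID {sid!r} is not a domain SID")
    elif name in WELL_KNOWN_RIDS and int(m.group(1)) != WELL_KNOWN_RIDS[name]:
        problems.append(f"{name} has RID {m.group(1)}, expected {WELL_KNOWN_RIDS[name]}")
    if entry.get("sambagrouptype", [""])[0] != "2":
        problems.append("sambaGroupType should be 2 (domain group)")
    if not entry.get("gidnumber"):
        problems.append("no gidNumber, so the group cannot map to a unix group")
    if admin_user not in entry.get("memberuid", []):
        problems.append(f"admin account {admin_user!r} is not a memberUid")
    return problems

# Constructed sample modelled on the thread's Domain Admins entry (SID digits made up).
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
cn: Domain Admins
gidnumber: 512
memberuid: root
memberuid: dbrooks
objectclass: posixGroup
objectclass: sambaGroupMapping
sambagrouptype: 2
sambasid: S-1-5-21-1000000001-1000000002-1000000003-512
"""
```

Run `check_group_mapping(parse_ldif(SAMPLE_LDIF), "root")` against the output of an `ldapsearch` for the group; an empty list means the mapping matches what the thread says Samba 3 needs.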