On Wednesday, July 17, 2013 04:33 PM CDT, Gaiseric Vandal 
<gaiseric.van...@gmail.com> wrote: 
 
> On 07/17/13 16:12, Donny Brooks wrote:
> >
> > On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal 
> > <gaiseric.van...@gmail.com> wrote:
> >   
> >> On 07/17/13 15:02, Donny Brooks wrote:
> >>>
> >>> On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal 
> >>> <gaiseric.van...@gmail.com> wrote:
> >>>    
> >>>> On 07/17/13 14:32, Donny Brooks wrote:
> >>>>>
> >>>>> On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal 
> >>>>> <gaiseric.van...@gmail.com> wrote:
> >>>>>     
> >>>>>> According to the net man page
> >>>>>>
> >>>>>>     In order for Samba to be joined or unjoined remotely an account
> >>>>>>     must be used that is either member of the Domain Admins group, a
> >>>>>>     member of the local Administrators group or a user that is
> >>>>>>     granted the SeMachineAccountPrivilege privilege.
> >>>>>>
> >>>>>> The simplest thing is probably to have the Domain IT group be a member
> >>>>>> of the local admin group on each machine.  I don't know if you would
> >>>>>> need to grant them the SeMachineAccountPrivilege.
> >>>>>>
> >>>>>> On 07/17/13 09:44, Donny Brooks wrote:
> >>>>>>>
> >>>>>>> On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld 
> >>>>>>> <sa...@marc-muehlfeld.de> wrote:
> >>>>>>>      
> >>>>>>>> Hello Donny,
> >>>>>>>>
> >>>>>>>> Am 12.07.2013 21:34, schrieb Donny Brooks:
> >>>>>>>>> On the old domain, which was setup before I got here,
> >>>>>>>>      > our IT section was in an ldap group that allowed us to
> >>>>>>>>      > join PC's to the domain ...
> >>>>>>>>
> >>>>>>>> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
> >>>>>>>>
> >>>>>>>>      > ... and when the prompt came up in windows to
> >>>>>>>>      > install software we could log in as ourselves.
> >>>>>>>>
> >>>>>>>> What do you mean by this? Do you want to have a group of users
> >>>>>>>> automatically in the "administrator" group on your workstations?
> >>>>>>>>
> >>>>>>>> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
> >>>>>>>>
> >>>>>>>> If you mean something else, please give some more details.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Marc
> >>>>>>>>
> >>>>>>>      
> >>>>>>> Yes, on the old domain we had all of our IT staff in a group that was 
> >>>>>>> able to join pcs to the domain and install software by inputting 
> >>>>>>> their domain credentials when prompted. Looking at the first link 
> >>>>>>> that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.
> >>>>>>>
> >>>>>> -- 
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>     
> >>>>> Looks like I need to do this here: 
> >>>>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
> >>>>>
> >>>>> And map our itgroup to the Domain Admins group. Although we do have a 
> >>>>> Domain Admins group in ldap. Should that cause an issue?
> >>>> Group mapping is to make sure Windows groups map to the correct unix
> >>>> group. This is not like mapping a Windows user name to a different
> >>>> unix user name (e.g. Windows Administrator = Unix root.)
> >>>>
> >>>> With LDAP, group mapping is usually simpler since the LDAP object for a
> >>>> group usually has the Samba SID and the unix group id. The "net
> >>>> groupmap list" command is useful for validating this. You want to make
> >>>> sure that you do see group mapping for "Domain Admins" and "Domain
> >>>> Users" and other well-known groups. You are more likely to have to use
> >>>> the "net groupmap add" command when you don't have LDAP.
> >>>>
> >>>> Well-known groups have to have specific relative IDs. The domain admin
> >>>> group HAS to have a relative ID of 512 in the SID. You have to make
> >>>> sure the Administrator is in the group. That behavior changes with
> >>>> versions newer than 3.0.x
> >>>>
> >>>> # net groupmap list
> >>>> ....
> >>>> Domain Admins (S-1-5-21-xxxx-xxxxx-xxxxx-512) -> Domain Admins
> >>>> ...
> >>>> # getent group "Domain Admins"
> >>>> Domain Admins::512:Administrator
> >>>> #
> >>>>
> >>>>
> >>>> I don't think you have a samba issue.  I think you have a general
> >>>> "windows" issue about the most practical way to provide the IT group with
> >>>> sufficient privileges to manage computers without giving too much
> >>>> access.
> >>>>
> >>>> Depending on the size of your IT department, and the necessity to
> >>>> audit/control who makes what change, each IT user may need two accounts,
> >>>> one that is a regular account and one that is a member of the domain
> >>>> admins and local admins group.  (e.g. donny and donny_admin.)  This
> >>>> way they can do whatever they need, but they don't run as admin for
> >>>> routine tasks, and you can track who made what change (if need be) or
> >>>> limit who has full admin rights.
> >>>>
> >>>
> >>> It is correctly mapped and is 512. Nothing changed on the windows side 
> >>> during the domain change other than removing the machines from the old 
> >>> domain and rejoining them to the new one. We don't have to have the 
> >>> accounting trail that two accounts would give us right now. I just want 
> >>> to be able to tell my other people they can join computers to the domain 
> >>> and perform software upgrades with their own credentials.
> >>
> >> OK
> >> I am looking at your original post again.  I don't think you said
> >> which version you had been using.
> >>
> >> net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U superusername
> >>
> >> Is the superuser name the domain Administrator account?  The problem
> >> seems to involve the superusername user, not the Domain Admins
> >> group.  I think with older versions of samba, the Administrator
> >> account was implicit, and you could map the windows Administrator to
> >> the unix root account and all was OK.  With the current version I think
> >> you need to create an Administrator samba user (it doesn't have to be
> >> called Administrator but I would do that just to keep things simple) and
> >> add that user to the Domain Admins group.
> >>
> >> Does "pdbedit -Lv Administrator" or "pdbedit -Lv superusername" work?
> >>
> >> You could add the IT users to the domain admins group.  Then you
> >> have all the privileges you need.  You should NOT need to grant
> >> SeMachineAccountPrivilege to the Domain Admins group.
> >>
> >> Can you post a sanitized version of the Domain Admin group LDIF?
> >>
> >
> > Yes the "pdbedit -Lv root" returns properly. The super user name is root as 
> > that is how it was setup by the guy we contracted to do it. I have added 
> > myself to the Domain Admins group but still unable to join a pc to the 
> > domain or install software. Here is the Domain Admins LDIF:
> >
> > # Entry 1: cn=Domain Admins,ou=Groups,dc=mdah,dc=state,dc=ms,dc=us
> > dn: cn=Domain Admins,ou=Groups,dc=mdah,dc=state,dc=ms,dc=us
> > cn: Domain Admins
> > description: Domain Administrators
> > displayname: Domain Admins
> > gidnumber: 512
> > memberuid: root
> > memberuid: dbrooks
> > memberuid: jomiles
> > objectclass: posixGroup
> > objectclass: sambaGroupMapping
> > sambagrouptype: 2
> > sambasid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-512
> >
> 
> That is how my Domain Admin is set up in LDAP as well.
> 
> You might want to try
> 
> net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U MDAH\\root
> 
> And, although I don't see how in theory it really should matter, you 
> might want to create a user actually called "Administrator" who is in 
> the Domain Admins group AND has Domain Admins as the default group.
> 
> The online samba documentation is a little out of date but suggests that 
> you should not have to grant rights for Domain Admins anyway. (I think I 
> had done this anyway when I moved to 3.4.x from 3.0.x)
> 
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.htm
> 
> 
> If you log into a Windows domain member machine as MDAH/root, can you 
> do local admin things?  E.g. create local users?  When I upgraded 
> from 3.0.x to 3.4.x somehow I lost my group mappings and didn't recreate 
> them properly (I got the gids reversed between two groups.)  I found 
> that the domain administrator lost all the local admin rights on member 
> windows machines.  Setting Se* rights didn't help.  I then finally found 
> that I had screwed up the groups.  The long and short being I think you 
> have a groups issue, not a Se rights issue.
> 
> What does the following show?
> 
> # net rpc user info root -U MDAH\\root
> # net rpc group members "Domain Admins" -U MDAH\\root
> 
> It might flush out some issues.
> 

Starting to get somewhere I believe:

[root@enterprise ~]# net rpc user info root -U MDAH\\root
Enter MDAH\root's password: 
(null)
informix
[root@enterprise ~]# net rpc group members "Domain Admins" -U MDAH\\root
Enter MDAH\root's password:
Couldn't find group Domain Admins
[root@enterprise ~]#

And when I do the first suggested net rpc grant command it fails with: Failed to grant privileges for MDAH\Domain Admins (NT_STATUS_NO_SUCH_USER).

I will dig into it more in the morning. It is quitting time here. :)

 
-- 

Donny B. 
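Gaiseric's reply above argues that "Couldn't find group Domain Admins" and NT_STATUS_NO_SUCH_USER point at the group objects rather than at Se* rights, so here is an added checker (example code, not from the thread or from Samba) that reads a sambaGroupMapping LDIF entry like the one Donny posted and verifies the points that reply calls out: sambaGroupType 2, a gidNumber to map to, the well-known RID 512 for Domain Admins, and a SID prefix matching the domain SID the PDC reports via `net getlocalsid`. The LDIF entry and SIDs in the block are constructed placeholders, and `audit_live` (ldapsearch via ldap.conf, `net getlocalsid` output format) is an assumption about the environment, not something the thread shows.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a sambaGroupMapping LDIF
# entry for a well-known Samba 3 domain group against the PDC's domain SID.
# Assumes the entry is available as text (e.g. from ldapsearch -LLL).
# RIDs Samba expects for the well-known domain groups.
wellknown_rid() {
    case "$1" in
        "Domain Admins")    echo 512 ;;
        "Domain Users")     echo 513 ;;
        "Domain Guests")    echo 514 ;;
        "Domain Computers") echo 515 ;;
        *)                  echo "" ;;
    esac
}
# ldif_attr LDIF ATTR: print ATTR's value(s); LDIF attribute names are
# case-insensitive, so "sambaSID" and "sambasid" both match.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { k = tolower($1); sub(/:$/, "", k) }
        k == a { sub(/^[^:]*:[ \t]*/, ""); print }'
}
# check_group_entry LDIF DOMAIN_SID: return 0 if the entry is consistent, else
# print each problem (group type, missing gid, wrong RID, foreign SID) and return 1.
check_group_entry() {
    ldif=$1; domsid=$2; rc=0
    cn=$(ldif_attr "$ldif" cn); sid=$(ldif_attr "$ldif" sambasid)
    gtype=$(ldif_attr "$ldif" sambagrouptype); gid=$(ldif_attr "$ldif" gidnumber)
    prefix=${sid%-*}; rid=${sid##*-}; want=$(wellknown_rid "$cn")
    [ "$gtype" = 2 ] || { echo "FAIL $cn: sambaGroupType '$gtype', expected 2 (domain group)"; rc=1; }
    [ -n "$gid" ] || { echo "FAIL $cn: no gidNumber, so no unix group to map to"; rc=1; }
    [ "$prefix" = "$domsid" ] || { echo "FAIL $cn: SID prefix $prefix is not the domain SID $domsid"; rc=1; }
    [ -z "$want" ] || [ "$rid" = "$want" ] || { echo "FAIL $cn: RID $rid, Samba requires $want"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $cn: gid $gid, $sid"
    return "$rc"
}
# Live use on the PDC (assumption, not exercised here): `net getlocalsid`
# prints "SID for domain NAME is: S-1-5-21-..."; ldapsearch relies on ldap.conf.
audit_live() {
    check_group_entry "$(ldapsearch -x -LLL "(cn=$1)")" "$(net getlocalsid | sed 's/.*: //')"
}
# Constructed entry in the shape of the one posted above; the SID is a placeholder.
SAMPLE_SID='S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_LDIF="dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
cn: Domain Admins
gidnumber: 512
memberuid: root
objectclass: posixGroup
objectclass: sambaGroupMapping
sambagrouptype: 2
sambasid: $SAMPLE_SID-512"
```

Run `audit_live "Domain Admins"` on the PDC; a FAIL on the SID prefix is the kind of leftover from a domain change that makes the RPC calls above report the group as missing.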
