FWIW, I believe you'll be experiencing problems with this part of your setup:
Administrators (S-1-5-32-544) -> ntadmin
Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin
I don't believe that is legal. Or perhaps it is only illegal if ntadmin is someone's primary group, not secondary. I just fought with this one myself.
Does anyone have a good resource on this?
ntadmin is one of my secondary groups. Anyway, it now works for me. I had to stop samba, delete secrets.tdb and groupmappings.tdb and restart samba, according to:
http://lists.samba.org/archive/samba/2004-August/090343.html
----
Ryan Novosielski - User Support Spec. III
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
On Fri, 10 Dec 2004, Heinrich Rebehn wrote:
Hi list,
After reading a lot in the mailing list and the official Samba 3 howto, I am still unable to give domain admin rights to a user, so that he gets admin rights on all workstations in the domain.
Here is what I have:
- Samba 3.08 PDC, config:
[global]
workgroup = ANT
netbios name = ANTSRV
netbios aliases = RUN KITS HOMES LIB PRINTERS
server string = ANT Samba Server %v

printcap name = /etc/samba/smbprintcap
load printers = yes
printing = lprng
printer admin = @adm

log file = /var/log/samba/log.%m
max log size = 50

map to guest = bad user
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/private/smbpasswd

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon path = \\%L\Profiles\%U
<shares removed>
- Client: Vanilla Windows XP professional, SP2, domain member, no special registry settings
- Groups:
[EMAIL PROTECTED] [~] # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> ntadmin
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-4008939791-1949703945-886196202-513) -> wiss
Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin
Backup Operators (S-1-5-32-551) -> -1
Domain Guests (S-1-5-21-4008939791-1949703945-886196202-514) -> nogroup
Users (S-1-5-32-545) -> wiss

[EMAIL PROTECTED] [~] # getent group ntadmin
ntadmin:x:1060:rebehn
This should be enough to give user rebehn admin rights on all workstations in the domain, right?
But it does not work. When I try to partition disks on a workstation, I get a message saying that I do not have the necessary rights.
Questions:
- Did I miss something obvious?
- How can I debug on server/client side?
Thanks for any help.
PS: winbindd is not running. Do I need it?
--
Heinrich Rebehn
University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications -
Phone : +49/421/218-4664 Fax : -3341
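
Added example, not part of either message in this thread: a shell check that reads `net groupmap list` output and reports every Unix group that is the target of more than one NT group mapping, which is the situation the reply questions (ntadmin under both Administrators and Domain Admins). The function names and the embedded sample, constructed from the mappings quoted above, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report Unix groups that are the
# target of more than one NT group mapping in `net groupmap list` output.
# On a real server: net groupmap list | shared_unix_groups

# Constructed sample, copied from the mappings quoted in the thread.
sample_groupmap() {
cat <<'EOF'
System Operators (S-1-5-32-549) -> -1
Administrators (S-1-5-32-544) -> ntadmin
Domain Users (S-1-5-21-4008939791-1949703945-886196202-513) -> wiss
Domain Admins (S-1-5-21-4008939791-1949703945-886196202-512) -> ntadmin
Domain Guests (S-1-5-21-4008939791-1949703945-886196202-514) -> nogroup
Users (S-1-5-32-545) -> wiss
EOF
}

# Reads groupmap lines on stdin and prints one line per shared Unix group:
#   <unixgroup>: <NT group> [SID], <NT group> [SID]
shared_unix_groups() {
    awk -F' -> ' '
        NF == 2 {
            unix = $2
            sub(/[ \t\r]+$/, "", unix)       # tolerate trailing whitespace
            if (unix == "-1") next           # -1: no Unix group is mapped
            nt = $1;  sub(/ \(S-[0-9-]+\)$/, "", nt)                 # name only
            sid = $1; sub(/^.*\(/, "", sid); sub(/\)$/, "", sid)     # SID only
            count[unix]++
            list[unix] = (count[unix] > 1 ? list[unix] ", " : "") nt " [" sid "]"
        }
        END { for (g in count) if (count[g] > 1) print g ": " list[g] }
    ' | sort
}

# Demo run on the constructed sample.
sample_groupmap | shared_unix_groups
```

In the sample this reports both ntadmin and wiss, since wiss is likewise the target of Domain Users and Users.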