Re: [Samba] domain admins not being applied to windows box

2004-08-03 Thread Conrad Wood
D'uh!
Thanks for pointing that out ;)
It works well now.
The bit that got me confused was section 11.2 in the
samba manual. The sample commands there, if typed in as they are,
actually create another "Domain Admins" group ;(
Maybe that could be explained a bit better, such as

 section 11.2 ***
3. Create the "Domain Admins" group and map it to the
unixgroup domadm by running...


Thanks a lot,

Conrad

On Tue, 2004-08-03 at 13:36, Paul Gienger wrote:
> If you look at your group mapping list, you have duplicates for Domain 
> Users and Domain Admins.  Delete these mappings with the net groupmap 
> command (you may have to delete each twice) and then re-add them.  The 
> SIDs should be the -5xx ones, not -1219 or -3005
> 
> Conrad Wood wrote:
> 
> >Hi,
> >
> >I have recently upgaded from samba 2.2 to samba 3.0.
> >I used to have "domain admin group = @winadmin" in my smb.conf,
> >but I understand from the documentation that it is deprecated
> >in favour of 
> >"net groupmap set "Domain Admin" winadmin".
> >
> >I would expect unix users who are members of the
> >unix group winadmin to become Domain Admins, then,
> >but they don't ?.
> >
> >Do I understand this correctly that unix users
> >that are a member of the unix group winadmin
> >then will be "advertised" as being a member of
> >the NT Group "Domain Admins" to windows machines?
> >The windows box applies whatever permissions the
> >"Domain Admins" have for this box, by default "Administrator"?
> >
> >My server is a debian gnu/linux box in a test environment.
> >My windows machine(s) are run within vmware, windows XP and 2k.
> >
> >Details:
> >
> >* snip **
> >on the server the groupmapping is as follows:
> >[EMAIL PROTECTED]:~# net groupmap list
> >System Operators (S-1-5-32-549) -> -1
> >Replicators (S-1-5-32-552) -> -1
> >Guests (S-1-5-32-546) -> -1
> >Domain Users (S-1-5-21-520677601-194623159-390525435-513) -> cnw
> >Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) -> winadmin
> >Domain Users (S-1-5-21-520677601-194623159-390525435-3005) -> cnw
> >Power Users (S-1-5-32-547) -> -1
> >Print Operators (S-1-5-32-550) -> -1
> >Administrators (S-1-5-32-544) -> winadmin
> >Account Operators (S-1-5-32-548) -> -1
> >Domain Guests (S-1-5-21-520677601-194623159-390525435-514) -> -1
> >Domain Admins (S-1-5-21-520677601-194623159-390525435-512) -> winadmin
> >Backup Operators (S-1-5-32-551) -> -1
> >Users (S-1-5-32-545) -> winadmin
> >
> >
> >On windows it seems to accept that ish:
> >(intented to copy and paste from a msdos box but failed miserably
> >so here's the written out extract ;) )
> >c:\>net user cnw /DOMAIN
> > blurb
> >Local Group Memberships   *dialout <- WTF???
> >Global Group memberships   *Domain Users *Domain Admins
> >The command completed sucessfully.
> >c:\>
> >
> >*
> >
> >Doesn't above mean I should be administrator (when logged in
> >as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
> >However, if I try to open the TCP/IP properties windows tells me
> >that I do not have access...
> >
> >I am new to samba 3.0 and so far only read the publicly available
> >documentation, so I would like to double check whether I understand
> >this correctly.
> >
> >Thank you,
> >
> >Conrad
> >
> >
> >
> >  
> >

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] domain admins not being applied to windows box

2004-08-03 Thread Conrad Wood
Hi,

I have recently upgaded from samba 2.2 to samba 3.0.
I used to have "domain admin group = @winadmin" in my smb.conf,
but I understand from the documentation that it is deprecated
in favour of 
"net groupmap set "Domain Admin" winadmin".

I would expect unix users who are members of the
unix group winadmin to become Domain Admins, then,
but they don't ?.

Do I understand this correctly that unix users
that are a member of the unix group winadmin
then will be "advertised" as being a member of
the NT Group "Domain Admins" to windows machines?
The windows box applies whatever permissions the
"Domain Admins" have for this box, by default "Administrator"?

My server is a debian gnu/linux box in a test environment.
My windows machine(s) are run within vmware, windows XP and 2k.

Details:

* snip **
on the server the groupmapping is as follows:
[EMAIL PROTECTED]:~# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-520677601-194623159-390525435-513) -> cnw
Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) -> winadmin
Domain Users (S-1-5-21-520677601-194623159-390525435-3005) -> cnw
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> winadmin
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-520677601-194623159-390525435-514) -> -1
Domain Admins (S-1-5-21-520677601-194623159-390525435-512) -> winadmin
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> winadmin


On windows it seems to accept that ish:
(intented to copy and paste from a msdos box but failed miserably
so here's the written out extract ;) )
c:\>net user cnw /DOMAIN
 blurb
Local Group Memberships   *dialout <- WTF???
Global Group memberships   *Domain Users *Domain Admins
The command completed sucessfully.
c:\>

*

Doesn't above mean I should be administrator (when logged in
as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
However, if I try to open the TCP/IP properties windows tells me
that I do not have access...

I am new to samba 3.0 and so far only read the publicly available
documentation, so I would like to double check whether I understand
this correctly.

Thank you,

Conrad



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba