Re: [Samba] 'Administrator' account (UID 0) on Samba member of a Samba4 AD DC

[steve]

On Fri, 2013-05-31 at 12:56 +0100, Alex Matthews wrote:
> Hi all,
> 
> I have a samba server as member of an AD DC.
> In said AD DC there is the 'administrator' user which has the default 
> UID of 0 (the same as root)
> from the ADDC:
> 
> # id administrator
> uid=0(root) gid=513(SMC\Domain Users) groups=0(root),513(SMC\Domain 
> Users),305(SMC\Group Policy Creator Owners),309(SMC\Enterprise 
> Admins),512(SMC\Domain Admins),307(SMC\Schema Admins)
> 
> from the member server:
> # id administrator
> id: administrator: no such user

Map it to root:

[global]
...
username map = /path/to/usermap
...

with /path/to/usermap having something like:
root = SMC\\administrator SMC\administrator

(not sure about the backslashes so I've put both possibilities)


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] 'Administrator' account (UID 0) on Samba member of a Samba4 AD DC

[Alex Matthews]

Hi all,

I have a samba server as member of an AD DC.
In said AD DC there is the 'administrator' user which has the default 
UID of 0 (the same as root)

from the ADDC:

# id administrator
uid=0(root) gid=513(SMC\Domain Users) groups=0(root),513(SMC\Domain 
Users),305(SMC\Group Policy Creator Owners),309(SMC\Enterprise 
Admins),512(SMC\Domain Admins),307(SMC\Schema Admins)


from the member server:
# id administrator
id: administrator: no such user

It also does not appear in wbinfo -u or getent passwd

The issue is that if I log on to a windows machine as the administrator 
user I cannot access a share on the member server as it does not 
authenticate.


my smb.conf is pretty simple:

[global]
workgroup = SMC
realm = internal.stmaryscollege.co.uk
netbios name = PVE-ARCH-S3-02
security = ADS
encrypt passwords = yes
server role = MEMBER SERVER

idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config SMC:backend = ad
idmap config SMC:schema_mode = rfc2307
idmap config SMC:range = 0-4

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

(Note: I changed the idmap config SMC:range to include '0' as I thought 
this might encourage samba to idmap the root user... but no dice...)



Thanks,

Alex

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Administrator cannot connect to samba on 2008 R2 ADS members

[Bruce Richardson]

I have an odd situation where Samba 3.x domain members in an Active
Directory 2008 R2 domain cannot authenticate the Administrator.  All
other users work, but if I try to connect to the samba services as the
domain Administrator, authentication fails.  The Windows domain
controllers are happy to accept connections from the Administrator (e.g.
using smbclient) but the Linux (Centos 5.5 and 5.6) domain members are
not (I have encountered this problem with both Samba 3.3.8 and 3.5.4).

Direct kerberos authentication using the Administrator account works
just fine, as does ldap authentication (I am using ldap rather than
winbind in nsswitch.conf and I can ssh into the Linux domain members
just fine as the Administrator).  

I can attach detailed logs if wanted, but am not sure which detail is
relevant.  Here's the smb.conf:

#=== Global Settings =

[global]

workgroup = HQ
realm = HQ.CORP.COM
server string = 
# --- Domain Members Options 

security = ADS
passdb backend = tdbsam

# - Winbind Options --

client ldap sasl wrapping = seal
idmap backend = tdb
idmap uid = 1-1
idmap gid = 1-1
idmap config HQ : backend = ad
idmap config HQ : range = 1-1
winbind nss info = rfc2307

-- 
Bruce

Hierophant: someone who remembers, when you are on the way down,
everything you did to them on the way up.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Administrator can not see network shaes

[MargoAndTodd]

Hi All,

I am upgrading my Samba server to a PDC.  On my
test bed, I have a M$ Windows 2008 server (no *dc
anything).

This server can look at network shares with any
user, except the Administrator.  When I browse
a file share as administrator, Windows asks me
for my user name and password.  It reject all
users, user or administrator.  I have tested
by logging out as administrator and logging
back in as one of the rejected users (and it
woks perfectly).  Samba's logs are complete
quiet when the users are being rejected.

What am I doing wrong?

Many thanks,
-T

$ cat smbusers
# Unix_name = SMB_name1 SMB_name2 ...
# Escape names with spaces in them with quotes
root = administrator admin
nobody = guest pcguest smbguest
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Administrator Maps winbind GID to 100 (sys)

[Eric Roseme]

Samba 3.0.22a (with backports from up to 3.0.25) on HP-UX 11iv3 (HP CIFS 
Server), "security=ADS" to W2003R2 domain, winbind running with "idmap 
backend = rid:", and "root = DOMAIN+Administrator" in username.map.


From Administrator on a domain Vista client, using Explore to map a 
share and then set an ACL from Properties/Security/Permissions, I choose 
a Windows group from the list to add to the directory ACL.  The winbind 
GID is 12011.  The correct groupname is displayed in the Explorer 
window, but when doing a getacl from unix, the GID is 100, or sys - the 
Administrator home group.


So I went to /var/opt/samba/locks and deleted all of the cache files and 
restarted - same result.


If I set the directory to a different owner, and add the same GID with a 
different client user, then the correct winbind GID is added to the ACL.


Any idea why Administrator=root maps the sys GID to a winbind group 
name?  Log entry and smb.conf below.  Thanks,


Eric Roseme

[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318)
  local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325)
  local_sid_to_gid: mapping: 
S-1-5-21-463747597-202940698-2940076759-1201 -> 100

[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1453)
  create_canon_ace_lists: adding dir ACL:
  canon_ace index 0. Type = allow SID = 
S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) S

MB_ACL_GROUP perms r-x
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1511)
  create_canon_ace_lists: adding file ACL:
  canon_ace index 0. Type = allow SID = 
S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) S

MB_ACL_GROUP perms r-x




# Samba config file created using SWAT
# from 16.93.45.222 (16.93.45.222)
# Date: 2006/04/28 10:10:56

# Global parameters
[global]
workgroup = SNSLATC
realm = SNSLATC.HP.COM
server string = Samba Server
interfaces = xx.xxx.xxx.xx
bind interfaces only = Yes
netbios name = SERVER14   
security = ADS 
client schannel = No
server schannel = No
password server = SNSLATC-DC.SNSLATC.HP.COM
log level = 10
log file = /var/opt/samba/log.%m
username map = /etc/opt/samba/username.map
max log size = 1000
machine password timeout = 300
local master = No
wins server = xx.xxx.xxx.xx
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
idmap backend = rid:SNSLATC=1-2
template homedir = /home/%U
template shell = /usr/bin/sh
winbind separator = +
winbind use default domain = yes
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
read only = No
short preserve case = No
dos filetime resolution = Yes
#use kerberos keytab = yes

[homes]
comment = Home Directories
valid users = %S
browseable = No

[tmp]
comment = Temporary file space
path = /tmp

[sbx_interface]
  path = /home/sbx_interface

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Re: Samba Administrator account for XP

[Michael Lueck]

satish patel wrote:

Dear thanx for cordinate wid me

I send my  example files what i going to tell when i 
configure samba without LDAP then i am able to login in XP machine with 
root with full privileges at that time my root user group of Domain 
Admin Group ok.


When you configure Samba without LDAP, then I think group mappings would end up 
referring to file:
/var/lib/samba/group_mapping.tdb

While configured as LDAP as the back end, it is necessary to map domain groups 
to local workstation groups, which can be done via:
net groupmap add ...
commands as illustrated on page 8 of the presentation I referred to. Otherwise 
you will only have the default information pre-populated when you prep the LDAP 
server for use with Samba.

Thus I can understand why you get different results when you change database 
back-ends.

Have you yet checked "ifmember.exe /list" and have it show what groups your 
test ID is actually a member of?

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Re: Samba Administrator account for XP

[Michael Lueck]

satish patel wrote:

i have created root 
account and map root account with Administrator /etc/samba/smbuser file 


I have never heard of such a file...

> i have created root account

I have specifically avoided creating an account named root. Since Ubuntu which 
we are now using uses a sudo environment, seems a wise decision way back when.

Still, I do not think that alone is your source of trouble.

and root UID=0 and memeber of Domain Admin group. but still when i am 
login in XP client machine with root user in samba Domain i  dont have 
much privielges on XP machine even i can not change my XP client  
machine System Time 


Did you get a copy of ifmember.exe and run it with the /list option to see which local and domain groups you are a member of? What did it return? Are you a member of the local Administrators group or 
not? (Sounds like not.)


satish patel wrote:
> dear your URL PDF is damage so that could not open properly

Works fine for us with both Linux and Windows and the Acrobat / Firefox for 
those platforms.

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Re: Samba Administrator account for XP

[Michael Lueck]

satish patel wrote:

Dear all

  I have install samba + ldap and it is successfully joing the 
domain but problem is when i login in XP machine with Administrator account of 
samba i cannot change anything in XP even not system time so is it problem of 
privileges ??


Get a copy of MS's ifmember.exe and issue it with the /list switch while logged into Windows with a domain account. That will show you which groups you are a member of on the domain and local 
workstation. Likely you have something amiss in the group mapping area.


I cover that sort of thing in my Samba presentation:
"Samba 3 PDC for Windows Clients and Samba 3 Book Review"
http://www.lueckdatasystems.com/pub/presentations/iccm2007.pdf

Start on page 7 of the presentation. I do not use LDAP in this presentation, so 
the EXACT solution will be different in your case.

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Samba Administrator account for XP

[satish patel]

Dear all

  I have install samba + ldap and it is successfully joing the 
domain but problem is when i login in XP machine with Administrator account of 
samba i cannot change anything in XP even not system time so is it problem of 
privileges ??


$ cat ~/satish/url.txt  

http://www.linuxbug.org
_

   
-
 5, 50, 500, 5000 - Store N number of mails in your inbox. Click here.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator on samba server?

[Daniel Müller]

First of all did you net groupmap the Groups? Did you net rpc grant rights
to the Admin Group?
If so:
Put the administrator to the DOMAIN ADMINS GROUP on your Samba.
Log in as root over your XP CLIENT on Your Samba Domain.
Add the Group DOMAIN ADMINS/Yourdomain as Member of Your XP Clients Admin
Group.
Or add the ADMINISTRATOR/Yourdomain as Member of your XP CLIENTS Admin Group.
greetings 
daniel

 Original-Nachricht 
Datum: Fri, 2 Mar 2007 16:39:17 +0100
Von: "max" <[EMAIL PROTECTED]>
An: samba@lists.samba.org
CC: 
Betreff: [Samba] Administrator on samba server?

Hi,
I've samba 3 running on trustix 2.2.
I've added an xp sp2 client without much problems.
But now I'm trying to use "administrator" user on this client for
administrative purpouses (adding software, printers and so on) and I've
realized that, even if in Samba the user "administrator" exists, it isn't
recognised by the client as an administrator.
When I add an xp client to a real windows server computer, the domain
administrator is immediately recognised by the client as administrator of
the client itself, with samba this is not. Why? How to fix this?
Thanks.

Max


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

-- 
Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! 
Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Administrator on samba server?

[James A. Dinkel]

> -Original Message-
> From: max
> Sent: Friday, March 02, 2007 9:39 AM
> 
> Hi,
> I've samba 3 running on trustix 2.2.
> I've added an xp sp2 client without much problems.
> But now I'm trying to use "administrator" user on this client for
> administrative purpouses (adding software, printers and so on) and
I've
> realized that, even if in Samba the user "administrator" exists, it
isn't
> recognised by the client as an administrator.
> When I add an xp client to a real windows server computer, the domain
> administrator is immediately recognised by the client as administrator
of
> the client itself, with samba this is not. Why? How to fix this?
> Thanks.
> 
> Max
> 

'root' is the name of the administrator on linux machines.  Linux
machines don't care about what administrator account is used on Windows
machines.  If you want, you could add the domain administrator account
to the admin group on your Trustix machine.  This can vary from
distribution to distribution, on Ubuntu the group name is 'admin' so you
just add the user to that group, but this could be different on Trustix.
You will have to consult your Trustix documentation on this.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator on samba server?

[max]

Hi,
I've samba 3 running on trustix 2.2.
I've added an xp sp2 client without much problems.
But now I'm trying to use "administrator" user on this client for
administrative purpouses (adding software, printers and so on) and I've
realized that, even if in Samba the user "administrator" exists, it isn't
recognised by the client as an administrator.
When I add an xp client to a real windows server computer, the domain
administrator is immediately recognised by the client as administrator of
the client itself, with samba this is not. Why? How to fix this?
Thanks.

Max


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator is Root

[Felipe Augusto van de Wiel]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/18/2007 03:39 PM, ryan punt escreveu:
> Is priv assignment limited to accounts whose sambaPrimaryGroupSID 
> has RID 512, or is simply having the account name listed as a
> member in the group definition enough?

I think the second one is true. ;)


> Wow, that was poorly written...
> 
> I'm assuming that this guy will be able to assign privs:
> # domain admin user
> uid: user
> sambaPrimaryGroupSid: S-*-512
> 
> How about user2?
> # domain admins group
> cn: dom_adms
> sambaSID: S-*-512
> memberUID: user2

Hmmm, not sure, on our setup I have a user that is the
Domain Administrator with the following information:

uidNumber: 10001
gidNumber: 1
sambaSID: S-1-5-21-our-own-sid-20002
sambaPrimaryGroupSID: S-1-5-21-our-own-sid-512


We have groupmaps and the rpc rights for domain admins
are like this:

OUROWNDOMAIN\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege


The user can join machines to the domain and once logged
in a workstation he is able to do the configurations that users
are not allowed to do.

Then we have the following group (sambaGroupMap)

cn: Domain Admins
sambaSID: S-1-5-21-our-own-sid-512
memberUid: felipe


And my user (felipe) is able to join machines to the
domain without neet to change net rpc rights. And I don't have
sid or primarysid 512 (not even close to that). ;)


Kind regards,

- --
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFsNPcCj65ZxU4gPQRAqDMAJ0eZfSLKOVfJU17H40NM0h3B5k4BgCgj4Ps
b2kDBDo/liP+7mgYYbLeyhE=
=dFel
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator is Root

[ryan punt]

>>  After Samba 3.0.14 you can have a normal user account with
>> Domain Administrator powers, which includes adding machines to the
>> domain and other privileges, using 'net groupmap'.
>> 
>>  So you can an account as the LDAP administrator, another
>> account as your Samba Administrator and your regular root account.
>> It's up to you. ;)
> 
> But don't you need a Samba account with UID=0 to assign privileges 
> in the first place?

Not anymore. ;)

Is priv assignment limited to accounts whose sambaPrimaryGroupSID has RID 512, 
or is simply having the account name listed as a member in the group definition 
enough?

Wow, that was poorly written...

I'm assuming that this guy will be able to assign privs:
# domain admin user
uid: user
sambaPrimaryGroupSid: S-*-512

How about user2?
# domain admins group
cn: dom_adms
sambaSID: S-*-512
memberUID: user2

-

This email transmission and any documents, files or previous

email messages attached to it may contain information that is

confidential or legally privileged. If you are not the intended

recipient, you are hereby notified that any disclosure, copying,

printing, distributing or use of this transmission is strictly

prohibited. If you have received this transmission in error,

please immediately notify the sender by telephone or return

email and delete the original transmission and its attachments

without reading or saving in any manner.



The Evangelical Lutheran Good Samaritan Society.

-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator is Root

[Felipe Augusto van de Wiel]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/18/2007 12:36 PM, ryan punt escreveu:
>>>I just got Samba + LDAP up and running as a PDC. If I list the users in
>>>the LDAP directory with pdbedit -L I see:
>>>
>>>   root:0:test
>>>   nobody:99:nobody
>>>   aster$:1001:Computer
>>>   toast$:1002:TOAST$
>>>   fordprefect:1003:Test Account
>>>
>>>Shouldn't there be an Administrator account and no root? I don't want my
>>>Linux root account even remotely confused or associated with a
>>>Samba/LDAP account. Any ideas?
>>  
>>  It depends on how you configured your LDAP.
>> 
>>  After Samba 3.0.14 you can have a normal user account with
>> Domain Administrator powers, which includes adding machines to the
>> domain and other privileges, using 'net groupmap'.
>> 
>>  So you can an account as the LDAP administrator, another
>> account as your Samba Administrator and your regular root account.
>> It's up to you. ;)
> 
> But don't you need a Samba account with UID=0 to assign privileges 
> in the first place?

Not anymore. ;)


> Ryan

Kind regards,

- --
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFr6JSCj65ZxU4gPQRArN2AKCI4SVmFZjbomMAvfHzVH1zq7culgCghF/k
BtQWs/php/pRQUON387KNos=
=Z758
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator is Root

[ryan punt]

> I just got Samba + LDAP up and running as a PDC. If I list the users in
> the LDAP directory with pdbedit -L I see:
> 
>root:0:test
>nobody:99:nobody
>aster$:1001:Computer
>toast$:1002:TOAST$
>fordprefect:1003:Test Account
> 
> Shouldn't there be an Administrator account and no root? I don't want my
> Linux root account even remotely confused or associated with a
> Samba/LDAP account. Any ideas?

It depends on how you configured your LDAP.

After Samba 3.0.14 you can have a normal user account with
Domain Administrator powers, which includes adding machines to the
domain and other privileges, using 'net groupmap'.

So you can an account as the LDAP administrator, another
account as your Samba Administrator and your regular root account.
It's up to you. ;)

*-

But don't you need a Samba account with UID=0 to assign privileges in the first 
place?

Ryan
-

This email transmission and any documents, files or previous

email messages attached to it may contain information that is

confidential or legally privileged. If you are not the intended

recipient, you are hereby notified that any disclosure, copying,

printing, distributing or use of this transmission is strictly

prohibited. If you have received this transmission in error,

please immediately notify the sender by telephone or return

email and delete the original transmission and its attachments

without reading or saving in any manner.



The Evangelical Lutheran Good Samaritan Society.

-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator is Root

[Felipe Augusto van de Wiel]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/16/2007 06:29 PM, Jason Baker escreveu:
> I just got Samba + LDAP up and running as a PDC. If I list the users in
> the LDAP directory with pdbedit -L I see:
> 
>root:0:test
>nobody:99:nobody
>aster$:1001:Computer
>toast$:1002:TOAST$
>fordprefect:1003:Test Account
> 
> Shouldn't there be an Administrator account and no root? I don't want my
> Linux root account even remotely confused or associated with a
> Samba/LDAP account. Any ideas?

It depends on how you configured your LDAP.

After Samba 3.0.14 you can have a normal user account with
Domain Administrator powers, which includes adding machines to the
domain and other privileges, using 'net groupmap'.

So you can an account as the LDAP administrator, another
account as your Samba Administrator and your regular root account.
It's up to you. ;)

Kind regards,

- --
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFrk6TCj65ZxU4gPQRAuG9AKCpPWSJtkNeZ/DkiTrsDNH/6UBhBACbBeqy
bspDz6Un93BmLl5uSgMxSFs=
=98lT
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator is Root

[Cleber P. de Souza]

Does use root in ldap without a shell help you?


On 1/16/07, Jason Baker <[EMAIL PROTECTED]> wrote:

I just got Samba + LDAP up and running as a PDC. If I list the users in
the LDAP directory with pdbedit -L I see:

root:0:test
nobody:99:nobody
aster$:1001:Computer
toast$:1002:TOAST$
fordprefect:1003:Test Account

Shouldn't there be an Administrator account and no root? I don't want my
Linux root account even remotely confused or associated with a
Samba/LDAP account. Any ideas?
--

*Jason Baker
*/IT Coordinator/


*Glastender Inc.*
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba




--
***
Cleber P. de Souza
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator is Root

[Jason Baker]

I just got Samba + LDAP up and running as a PDC. If I list the users in 
the LDAP directory with pdbedit -L I see:


   root:0:test
   nobody:99:nobody
   aster$:1001:Computer
   toast$:1002:TOAST$
   fordprefect:1003:Test Account

Shouldn't there be an Administrator account and no root? I don't want my 
Linux root account even remotely confused or associated with a 
Samba/LDAP account. Any ideas?

--

*Jason Baker
*/IT Coordinator/


*Glastender Inc.*
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator doesn't have admin rights on workstation

[Brian May]

> "Eric" == Eric J Feldhusen <[EMAIL PROTECTED]> writes:

Eric> I've had similar problems before, make sure you don't have
Eric> any unix group mapped to multiple Windows groups.

Thanks for the suggestion.

It turns out that the problem was my fault (of course!).

Previously I had seen a SID with no mapping in the Administrators
group on the client computer. So I deleted it!

Turns out this was the SID for the "Domain Admins" group, but it
didn't show up as such because the mapping on the domain server was
wrong at the time. So I added Domain Admins again, using the correct
SID and it works now.


PS. I never saw your post to the mailing list (I only got the copy you
sent directly to me), despite it being addressed to
samba@lists.samba.org - strange.
-- 
Brian May <[EMAIL PROTECTED]>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator doesn't have admin rights on workstation

[Eric J. Feldhusen]

I've had similar problems before, make sure you don't have any unix 
group mapped to multiple Windows groups.


Like having

Domain users -> users
Staff users -> users

Eric Feldhusen

Brian May wrote:

"Steve" == Steve A <[EMAIL PROTECTED]> writes:


Steve> Hello, I'm running FreeBSD-6.1, and Samba 3.0.22 with a
Steve> Windows XP (SP2) client.

Steve> As per subject line, administrator doesn't have
Steve> administrator rights on the workstation.

Hmmm. I noticed the similar thing on my system.

I also noticed, as discussed here, that the RID for my Domain Admins
group was wrong.

However I still have issues, even after fixing the RID as discussed in
this thread.

Just to clarify: Does belonging to the "Domains Admins" group mean you
should automatically get full administrator rights when logged onto
any computer?

Also, what is the difference between the terms "RID" and "SID"?


sam:~# net groupmap list
...
Domain Admins (S-1-5-21-1268321594-3481289969-4150125466-512) -> Domain Admins

sam:~# pdbedit  -Lv administrator
...
Unix username:administrator
NT username:  administrator
Account Flags:[UX ]
User SID: S-1-5-21-1268321594-3481289969-4150125466-21104
Primary Group SID:S-1-5-21-1268321594-3481289969-4150125466-512
Full Name:Domain Administrator
Home Directory:   \\sam\administrator
HomeDir Drive:U:
Logon Script: logon.cmd
Profile Path: 
Domain:   VPAC
Account desc: 
Workstations: 
Munged dial:  
Logon time:   0

Logoff time:  Tue, 19 Jan 2038 14:14:07 EST
Kickoff time: Tue, 19 Jan 2038 14:14:07 EST
Password last set:Mon, 03 Jul 2006 10:33:32 EST
Password can change:  0
Password must change: Tue, 19 Jan 2038 14:14:07 EST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator doesn't have admin rights on workstation

[Brian May]

> "Steve" == Steve A <[EMAIL PROTECTED]> writes:

Steve> Hello, I'm running FreeBSD-6.1, and Samba 3.0.22 with a
Steve> Windows XP (SP2) client.

Steve> As per subject line, administrator doesn't have
Steve> administrator rights on the workstation.

Hmmm. I noticed the similar thing on my system.

I also noticed, as discussed here, that the RID for my Domain Admins
group was wrong.

However I still have issues, even after fixing the RID as discussed in
this thread.

Just to clarify: Does belonging to the "Domains Admins" group mean you
should automatically get full administrator rights when logged onto
any computer?

Also, what is the difference between the terms "RID" and "SID"?


sam:~# net groupmap list
...
Domain Admins (S-1-5-21-1268321594-3481289969-4150125466-512) -> Domain Admins

sam:~# pdbedit  -Lv administrator
...
Unix username:administrator
NT username:  administrator
Account Flags:[UX ]
User SID: S-1-5-21-1268321594-3481289969-4150125466-21104
Primary Group SID:S-1-5-21-1268321594-3481289969-4150125466-512
Full Name:Domain Administrator
Home Directory:   \\sam\administrator
HomeDir Drive:U:
Logon Script: logon.cmd
Profile Path: 
Domain:   VPAC
Account desc: 
Workstations: 
Munged dial:  
Logon time:   0
Logoff time:  Tue, 19 Jan 2038 14:14:07 EST
Kickoff time: Tue, 19 Jan 2038 14:14:07 EST
Password last set:Mon, 03 Jul 2006 10:33:32 EST
Password can change:  0
Password must change: Tue, 19 Jan 2038 14:14:07 EST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF
-- 
Brian May <[EMAIL PROTECTED]>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator is root - I don't like it

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Steve A wrote:

> The "Samba-3 by Example" instructs you to make a mapping, 
> "root =  Administrator".  Is this absolutely necessary?

No.  Not necessary.  Read up on Samba's privilege model.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEp6LDIR7qMdg1EfYRApYuAKDu1yvWULmC2vCxMqwHRJLFR6yW3QCgsFny
44WSs2BsI6kvOFLBNhmUVtk=
=4/3b
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator doesn't have admin rights on workstation

[Felipe Alfaro Solana]

Hello, I'm running FreeBSD-6.1, and Samba 3.0.22 with a Windows XP (SP2)
client.

As per subject line, administrator doesn't have administrator rights on the
workstation.

--- 'net groupmap list' gives,

Domain Admins (S-1-5-21-3323006203-4037909810-1162086780-3003) -> ntadmins


AFAIK, the Domain Admins group has a fixed RID of 512. Thus, your SID
should look like S-1-5-21-3323006203-4037909810-1162086780-512
instead. The same happens with the Domain Users (RID 513), Domain
Computers (RID 515) and Domain Guests (RID 514).
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator is root - I don't like it

[Steve A]

The "Samba-3 by Example" instructs you to make a mapping, "root = 
Administrator".  Is this absolutely necessary?  What if someone hacks a 
Windows machine and is able to supply Administrator credentials to Samba?

Is there a way around this?  I can live with having to supply root 
credentials in Windows when joining a Samba domain (but if there were 
another way I would love to know how!), but I wouldn't want any network 
admin to be able to screw with root's account.

Many thanks,
Steve : ) 



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator doesn't have admin rights on workstation

[Steve A]

Hello, I'm running FreeBSD-6.1, and Samba 3.0.22 with a Windows XP (SP2) 
client.

As per subject line, administrator doesn't have administrator rights on the 
workstation.

--- 'net groupmap list' gives,

Domain Admins (S-1-5-21-3323006203-4037909810-1162086780-3003) -> ntadmins

--- 'pdbedit -Lv' includes,

Unix username:administrator
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-3323006203-4037909810-1162086780-3006
Primary Group SID:S-1-5-21-3323006203-4037909810-1162086780-3003

--- '/etc/passwd' includes,

administrator:*:1003:1001:Windows Domain 
Administrator:/home/administrator:/usr/sbin/nologin

--- '/etc/group' includes,
ntadmins:*:1001:


>From the above, I see that the Primary Group SID for the smb Administrator 
account is the same as the one listed for Domain Admins using pdbedit.  The 
'administrator' password is the same for both smb and system accounts, and I 
can log in to the workstation successfully.

I even tried mapping Domain Admins to wheel, setting an smb password for 
root, and logging on to the client as "root" instead of administrator.  I 
can write over the network to root's home, but I am sitll not an 
administrator of the Domain so I can't install software on the client.

Which step have I missed or what have I done wrong?

Many thanks,
Steve :) 



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] administrator rights on workstation

[Patrick DUBAU]

Hi,

we want to give all our users all the rights on the stations, i see 2 
solutions :

- on the station goto local group administrators and add everyone
-  on the sation goto local group administrator annd add an LDAP group 
call UA (created by us with containing all ou users)



Which  way is the best in term of charge ?
Someone told to me that in the first case windows has to handle all the 
users on the stations, but in the second case only one group (group UA).


We have about 4000 users accounts in LDAP
Does  windows have problem handling so much users?

Thanks for any suggestion or return of experience
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[Chris]

On Friday 12 August 2005 12:30 am, jurgen wrote:
> It has been for quite some time. :-/ If it weren't for our reliance
> on MS Access, they would already be running Linux, and this whole
> problem would be moot. But that's a topic for another list. :-)

You can always skip Samba for printing purposes. You can print via IPP 
(need a third party utility for NT4.0) or LPD (cups-lpd). I think both 
are set up as local printers (so everyone will have access to them).
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[Ilia Chipitsine]

On Thursday 11 August 2005 10:41 pm, jurgen wrote:

Administrator can install a printer, but other
users can't see it.


Again, normal when installed as a "network printer".


I don't understand why this worked before, then. If that was broken
behaviour in NT Workstation, I want to find out how to break it
again, because within the limits of NT, it was quite convenient.


I want to confess that my info is based on 2k/xp systems. It has been
very long since I've seen an NT system (outside of some old servers I
still maintain but wouldn't want to breath on them for fear that they
will croak before we are ready), and there are some details I just no
longer remember (and it gets worse every year).

So NT 4 (or is it 3.51? - I don't think anyone is still running
something before that) may be different in this regard.


I read somewhere that because NT installs printer drives into
non-user-space, ordinary users aren't allowed to install drivers, no
matter what the policy says. Of course that's contradicted by pages
like this: http://www.windowsitlibrary.com/Content/121/18/2.htm


Under 2k/xp the driver needs to be installed by an admin user (the first
instance of the network printer) before the domain users can add their
instances of the printer.


You can tweak it by managing GPO/LGPO, yes, by default only Administrators 
can upload device drivers, but You can allow that thing for anyone.


actually there're two bad solutions provided by Microsoft:

1) the need of uploading printer drivers at least once by Administrator

2) or the need to allow anyone to upload any driver.



Isn't it time to update those workstations?

Chris
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[jurgen]

Heya

> Isn't it time to update those workstations?

It has been for quite some time. :-/ If it weren't for our reliance on
MS Access, they would already be running Linux, and this whole problem
would be moot. But that's a topic for another list. :-)

.jurgen


-- 
[EMAIL PROTECTED] is jurgen's gmail address.
Visit http://jurgen.ca/ for more yummy goodness.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[Chris]

On Thursday 11 August 2005 10:41 pm, jurgen wrote:
> > > Administrator can install a printer, but other
> > > users can't see it.
> >
> > Again, normal when installed as a "network printer".
>
> I don't understand why this worked before, then. If that was broken
> behaviour in NT Workstation, I want to find out how to break it
> again, because within the limits of NT, it was quite convenient.

I want to confess that my info is based on 2k/xp systems. It has been 
very long since I've seen an NT system (outside of some old servers I 
still maintain but wouldn't want to breath on them for fear that they 
will croak before we are ready), and there are some details I just no 
longer remember (and it gets worse every year).

So NT 4 (or is it 3.51? - I don't think anyone is still running 
something before that) may be different in this regard.

> I read somewhere that because NT installs printer drives into
> non-user-space, ordinary users aren't allowed to install drivers, no
> matter what the policy says. Of course that's contradicted by pages
> like this: http://www.windowsitlibrary.com/Content/121/18/2.htm

Under 2k/xp the driver needs to be installed by an admin user (the first 
instance of the network printer) before the domain users can add their 
instances of the printer.

Isn't it time to update those workstations?

Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[jurgen]

Hi,

Thanks for your help so far.

> You can install the remote printer as a local printer by choosing
> "Local" in the wizard and using the UNC path to the device
> (\\servername\printer_share_name).

I tried this, thinking it could at least solve the problem in the
short term, but I can't see anything in "Local" to enter a UNC path.
XP/2000 have that option, as I recall, but NT Workstation doesn't.

> I think "net groupmap cleanup" can clean that up.

It did, but it also deleted a few groups I needed! Luckily, it
reported exactly what it was doing, so I was able to put them back.

> Group policy can prevent install and delete of printers, you may want to
> examine the settings.

I read somewhere that because NT installs printer drives into
non-user-space, ordinary users aren't allowed to install drivers, no
matter what the policy says. Of course that's contradicted by pages
like this: http://www.windowsitlibrary.com/Content/121/18/2.html that
suggest changing a value in the registry will allow anyone to install
drivers. Changing that value doesn't change anything though. Poledit
on NT with the default templates doesn't mention anything about
installing printer drivers either.

> > Administrator can install a printer, but other
> > users can't see it.
> 
> Again, normal when installed as a "network printer".

I don't understand why this worked before, then. If that was broken
behaviour in NT Workstation, I want to find out how to break it again,
because within the limits of NT, it was quite convenient.

..jurgen

-- 
[EMAIL PROTECTED] is jurgen's gmail address.
Visit http://jurgen.ca/ for more yummy goodness.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[Chris]

On Thursday 11 August 2005 08:31 pm, jurgen wrote:
> I should have been more clear about how the administrator installs
> printers to the workstations. They're installed via the "Add Printer"
> Wizard. Selecting "Network printer", navigating to the server, and
> picking the printer. It asks for a driver, which is manually
> installed. The printer is now available to anyone using the machine.

Your last sentence is incorrect (as you too clearly know) - network 
printers are installed per user, not per machine; this is normal.

You can install the remote printer as a local printer by choosing 
"Local" in the wizard and using the UNC path to the device 
(\\servername\printer_share_name).

> Hmm. Yes and no. That's a bit strange. There are two "Domain Users"
> groups, and only one is mapped properly:

I think "net groupmap cleanup" can clean that up.
I think the dup groups should not exist.

> A regular user (member of Domain Users) gets a "Can't install printer
> because you don't have enough privileges to install a driver into
> this machine" error.

Group policy can prevent install and delete of printers, you may want to 
examine the settings.

> Administrator can install a printer, but other 
> users can't see it.

Again, normal when installed as a "network printer".

Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[jurgen]

Hi,

> In the wonderful world of Windows you can install a network printer as a
> "local" printer. This may have been what you did previously.

I should have been more clear about how the administrator installs
printers to the workstations. They're installed via the "Add Printer"
Wizard. Selecting "Network printer", navigating to the server, and
picking the printer. It asks for a driver, which is manually
installed. The printer is now available to anyone using the machine.

> Normally you would get a message if the proper driver wasn't available.
> Are the users added to the mapped Domain Users group?

Hmm. Yes and no. That's a bit strange. There are two "Domain Users"
groups, and only one is mapped properly:

yarra# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Print Operators (S-1-5-21-1073446153-1192918827-1877560073-550)
-> mc_user
Domain Users (S-1-5-21-1752829885-2314611046-3909587037-513) -> mc_user
Admin Support (S-1-5-21-1752829885-2314611046-3909587037-2249) ->
mc_adminsupport
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> mc_user
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3126122381-2164987421-561208686-513) -> -1
Domain Admins (S-1-5-21-3126122381-2164987421-561208686-512) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-3126122381-2164987421-561208686-514) -> -1
Domain Guests (S-1-5-21-1752829885-2314611046-3909587037-514) -> -1
Management (S-1-5-21-1752829885-2314611046-3909587037-3177) -> mc_management
Domain Admins (S-1-5-21-1752829885-2314611046-3909587037-512) -> wheel
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

That might be it. I've just:

net groupmap modify sid=S-1-5-21-3126122381-2164987421-561208686-513
unixgroup=mc_user type=domain

to the second Domain Users, but nothing changes.

A regular user (member of Domain Users) gets a "Can't install printer
because you don't have enough privileges to install a driver into this
machine" error. Administrator can install a printer, but other users
can't see it. Even after the Administrator installs a printer
(assuming that installs the driver into the local PC), regular users
can't install the printer, with the same privilege error. Very
confusing.

..jurgen

-- 
[EMAIL PROTECTED] is jurgen's gmail address.
Visit http://jurgen.ca/ for more yummy goodness.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[Chris]

On Thursday 11 August 2005 01:31 am, jurgen wrote:
> The way it worked before: Administrator would install printers into
> an NT workstation. Those printers would be able to be used by any
> user who logs into that machine. Users would inherit whichever
> printer set is installed on the machine they're using. The printers
> were named "Printername on Servername". So, were these network or
> local printers?

In the wonderful world of Windows you can install a network printer as a 
"local" printer. This may have been what you did previously.

In fact I have a client with a certain TS application that will not 
print correctly unless the remote printer is installed this way (I 
think it's a PCL bug but the vendor doesn't know how to spell PS).

You can do it this way but the general trend is to pick network printer 
in the printer wizard setup box for non-local printers.

> > Generally default permissions allow Windows users to install
> > network printers. If your users can't then something is changed.
>
> That's what I'm trying to figure out. My users can't install
> printers. Administrator can install printers, but users can't see
> them. What has changed? Where can I look to find this *something*
> that has changed? Is it a domain administration, policy, group issue?
> Is it some weird mismatch between driver types?

Normally you would get a message if the proper driver wasn't available.
Are the users added to the mapped Domain Users group?

Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[jurgen]

Hi,

Thanks for your answer...

On 11/08/05, Chris <[EMAIL PROTECTED]> wrote:
> In Windows, "local" printers are installed per machine, "network"
> printers are installed per user.

The way it worked before: Administrator would install printers into an
NT workstation. Those printers would be able to be used by any user
who logs into that machine. Users would inherit whichever printer set
is installed on the machine they're using. The printers were named
"Printername on Servername". So, were these network or local printers?

> Generally default permissions allow Windows users to install network
> printers. If your users can't then something is changed.

That's what I'm trying to figure out. My users can't install printers.
Administrator can install printers, but users can't see them. What has
changed? Where can I look to find this *something* that has changed?
Is it a domain administration, policy, group issue? Is it some weird
mismatch between driver types?

> Use the rundll32 printui.dll,PrintUIEntry stuff in a logon script to
> automate network printer installs.

I'd really rather not automate anything until I get it working manually.

..jurgen


-- 
[EMAIL PROTECTED] is jurgen's gmail address.
Visit http://jurgen.ca/ for more yummy goodness.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-installed printers unavailable to regular users

[Chris]

On Thursday 11 August 2005 12:44 am, jurgen wrote:
> deally, I'm looking for a way to let regular users install their own
> printers, but some way to let administrator install printers that
> everyone can use would be good too.

It helps to be familiar with Windows before using Samba.
In Windows, "local" printers are installed per machine, "network" 
printers are installed per user.

Generally default permissions allow Windows users to install network 
printers. If your users can't then something is changed.

Use the rundll32 printui.dll,PrintUIEntry stuff in a logon script to 
automate network printer installs.

Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator-installed printers unavailable to regular users

[jurgen]

Hi all,

I'm having a very strange problem with printers under 3.0.10, running
on an up to date Gentoo 2005.0 box. Essentially, if I install a
Samba-networked printer on one of our NT workstations as
"administrator", it doesn't show up for all the other users of that
particular machine. It's as if they don't have any printers installed.
What's more, none of these users have the required privileges to
install a printer by themselves.

We recently replaced our old Samba machine with a new server, which
may have something to do with this, but I really don't know where to
start looking. Administrator could install printers and make them
available to other machine users before the upgrade. At first I
thought it had something to do with the
auto-download-and-install-drivers magic, so I disabled that, but the
problem persisted.

Ideally, I'm looking for a way to let regular users install their own
printers, but some way to let administrator install printers that
everyone can use would be good too.

Here's most of my smb.conf file. What other information would be
helpful here? I don't even know where to start looking with this.

Best,

...jurgen





[global]
# Machine configurations

workgroup = 
netbios name = Yarra
server string = Yarra file server
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
SO_RCVBUF=8192

# PDC stuff

os level = 64
preferred master = yes
local master = yes
domain master = yes
logon script = netlogon.bat
domain logons = yes
wins support = yes
admin users = root

# Security and log settings

follow symlinks = yes
wide links = yes

security = user
encrypt passwords = yes
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = x.x.x.x

# User Profiles and Home Directory stuff

logon drive = H:

add machine script = smbpasswd -a -m %m

# Printing with CUPS

printing = cups
printcap name = cups
load printers = yes
use client driver = no

unix extensions = no

#
# ---
#


[homes]
comment = Home Directories
browseable = no
writeable = yes
path = /home/%U
veto files = /*lost+found*/
inherit permissions = yes
hide dot files = yes

follow symlinks = yes
wide links = yes

# MySQL Logging
preexec =
/var/www/localhost/htdocs/freddy/commandLine/sambaLogin.php on %u %m
%d %I %S
postexec =
/var/www/localhost/htdocs/freddy/commandLine/sambaLogin.php off %u %m
%d %I %
S



;[print$]
;   comment = Printer Drivers
;   path = /share/samba/printerdrivers
;   guest ok = no
;   browseable = yes
;   read only = yes
;   write list = root


[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writable = no
printable = yes
printer admin = root
create mode = 0700
print command = lpr -P %p -o raw %s -r
lpq command = lpstat -o %p
lprm command = cancel %p-%j


[...] snip [...]



-- 
[EMAIL PROTECTED] is jurgen's gmail address.
Visit http://jurgen.ca/ for more yummy goodness.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator account can not connect

[Willem Jaap Zwart]

Hi

We have the following setup:
= freebsd 5.2-release with Samba 3.0.10
= samba uses 'security = domain' and authenticates against a W2K ADS
= this works fine for all users EXCEPT Administrator

The log for the connecting host lists:

domain_client_validate: unable to validate password for user
Administrator in domain OURDOM to Domain controller \\OURLDAP. Error
was NT_STATUS_WRONG_PASSWORD.

and

[2005/03/15 14:09:17, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!

The password is 100% sure OK (we use NIS and SFU to logon to the
FreeBSD box and this works fine for all accounts with the same
password).

We tried several things (adding a local user Administrator etc etc),
but no go.
Any help appreciated

Willem

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-privileged logon scripts under limited mode on XP?

[Hunter Rognstad]

Ah, just what I was looking for. Thanks!
One question, though -- do you validate the runas password against a 
local privileged account, such as \\%computername%\Administrator, all of 
which have the same local password, or do you end up having to use one 
on the domain with "Domain Admin" or similar privileges?

I currently don't have anyone with a groupmap Domain Admin account since 
I believe it's quite dangerous -- logged in as one, I was able to access 
a C$ directory on another machine, as well as rename it on the network 
via srvtools. It seems to be more than giving Administrator privileges 
over the local machine, and I find it to be too many privileges for 
someone on a Windows machine to have. Or is there a way that simply 
assigns local machine privileges without any scary things like that 
which would allow a smidgeon of malicious code to wreck the whole domain?

Thanks again,
-Hunter
Beast wrote:
Hunter Rognstad wrote:
So, the question is, is there any way to run a logon script that has 
local Administrator privileges while running on a Windows XP machine 
joined to the samba domain in limited mode?

Many alternatives, such as sanur. I'm using it when need to install 
antivirus to W2k clients.

http://www.commandline.co.uk/sanur/

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator-privileged logon scripts under limited mode on XP?

[Beast]

Hunter Rognstad wrote:
So, the question is, is there any way to run a logon script that has 
local Administrator privileges while running on a Windows XP machine 
joined to the samba domain in limited mode?
Many alternatives, such as sanur. I'm using it when need to install 
antivirus to W2k clients.

http://www.commandline.co.uk/sanur/
--
--beast
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Administrator-privileged logon scripts under limited modeon XP?

[Mitch (WebCob)]

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:samba-
> [EMAIL PROTECTED] On Behalf Of Hunter Rognstad
> Sent: March 2, 2005 10:38 AM
> To: samba@lists.samba.org
> Subject: [Samba] Administrator-privileged logon scripts under limited
> modeon XP?
> 
> However, clever use of the login.bat, as bad as it was to do it, was
> used to run things with administrator level privileges under Windows 98,
> such as installing certain updates or programs automatically, removing
> certain common spyware programs, copying useful utilities such as putty,
> gnugrep and vncviewer to a system directory for purposes of running from
> the $PATH, regedit'ing registry keys, etc. The login.bat under Windows
> XP, however, runs with user level privileges, which is in limited mode,
> meaning there's only so much I can do with it.
> 
[Mitch says:] I think your users can be local admin's while being on the
domain login, but it requires enabling that on each workstation - if that's
what you want to do - as for elevating privileges of a login script, I think
it's impossible - I looked into scripting the runas tool and was told it was
intentionally impossible.

A work around I am playing with is writing a service running locally as
"admin" to accept certain commands and options from non-admin users and
execute them, returning results over a pipe...

Sort of off topic, but I share your grief ;-)

m/

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator-privileged logon scripts under limited mode on XP?

[Hunter Rognstad]

At our organization, we're currently gradually migrating the 
workstations from Windows 98 to Windows XP, while retaining the use of 
our samba server as a PDC. For those who may remember my previous post, 
our upgrade to Samba 3.0.11 from an ancient version (2.2.3) I inherited 
went extremely well, and I was thoroughly impressed how little I had to 
change to get everything running.

Anyways, I want the Windows XP users to mostly be in a limited user mode 
when on the domain, so they can't randomly install silly little games 
chock-full of spyware and other such things, unlike in Windows 98 where 
they always have Administrator access to their machine, even when logged 
in on the network.

However, clever use of the login.bat, as bad as it was to do it, was 
used to run things with administrator level privileges under Windows 98, 
such as installing certain updates or programs automatically, removing 
certain common spyware programs, copying useful utilities such as putty, 
gnugrep and vncviewer to a system directory for purposes of running from 
the $PATH, regedit'ing registry keys, etc. The login.bat under Windows 
XP, however, runs with user level privileges, which is in limited mode, 
meaning there's only so much I can do with it.

So, the question is, is there any way to run a logon script that has 
local Administrator privileges while running on a Windows XP machine 
joined to the samba domain in limited mode?

I've googled for some time and I hope I haven't missed anything, but I 
have yet to find anything that allows a logon script with anything but 
user-level (limited mode under XP) privileges, though I have heard some 
remote mentioning of it. It would be quite a nice thing to have, 
especially with the growth of our organization, so I could do more to 
each machine by remote without having to go through the ordeal of 
running a Windows Server, which is mostly out of the question as far as 
I'm concerned. Any suggestions for solutions would be much appreciated.

Thanks!
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator member of Domain Users and Domain Admins group

[spu]

Hi,

I set up my LDAP to contain the administrator user in Domain Users and
Domain Admins group.
But this user have not the administrators right, all users which in Domain
Admins group have not the full right.

I would like to know if this problem is due to the user  is in Domain
Admins and also Domain Users .

Thanks


  Stéphane Purnelle

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator->root mapping not working on 3.0.10 (3.0.7 fine)

[Stephen Borrill]

On Thu, 6 Jan 2005, Gerald (Jerry) Carter wrote:
> Stephen Borrill wrote:
> | We are using samba 3 on NetBSD with security=domain
> | authenticating against Windows 2003. We have a username map
> | of "root = administrator". In all previous versions of
> | samba tested (2.2.x and 3.0.x), this means when we log on
> | as administrator, we have root access and see the root
> | share. With 3.0.10, we are continually prompted for a
> | password.
> 
> ~From the 3.0.8 release notes (WHATSNEW.txt):
[snip]
> Change in Username Map
> - --
> 
> Previous Samba releases would only support reading the fully qualified
> username (e.g. DOMAIN\user) from the username map when performing a
> kerberos login from a client.  However, when looking up a map
> entry for a user authenticated by NTLM[SSP], only the login name would be
> used for matches.  This resulted in inconsistent behavior sometimes
> even on the same server.
> 
> Samba 3.0.8 obeys the following rules when applying the username
> map functionality:
> 
> ~  * When performing local authentication, the username map is
> ~applied to the login name before attempting to authenticate
> ~the connection.
> ~  * When relying upon a external domain controller for validating
> ~authentication requests, smbd will apply the username map
> ~to the fully qualified username (i.e. DOMAIN\user) only
> ~after the user has been successfully authenticated.

I'd followed that discussion, but I guess I hadn't quite followed the
ramifcations! A username map of "root=DOMAIN\Administrator" works fine.

Thanks a lot,

-- 
Stephen

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator->root mapping not working on 3.0.10 (3.0.7 fine)

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Stephen Borrill wrote:
| We are using samba 3 on NetBSD with security=domain
| authenticating against Windows 2003. We have a username map
| of "root = administrator". In all previous versions of
| samba tested (2.2.x and 3.0.x), this means when we log on
| as administrator, we have root access and see the root
| share. With 3.0.10, we are continually prompted for a
| password.
~From the 3.0.8 release notes (WHATSNEW.txt):
Change in Winbindd Behavior
- ---
All usernames returned by winbindd are now converted to lower
case for better consistency.  This means any winbind installation
relying on the winbind username will need to rename existing
directories and/or files based on the username (%u and %U) to lower
case (e.g. mv $name `echo $name | tr '[A-Z]' '[a-z]'`).  This may
include mail spool files, home directories, valid user lines in
smb.conf, etc
Change in Username Map
- --
Previous Samba releases would only support reading the fully qualified
username (e.g. DOMAIN\user) from the username map when performing a
kerberos login from a client.  However, when looking up a map
entry for a user authenticated by NTLM[SSP], only the login name would be
used for matches.  This resulted in inconsistent behavior sometimes
even on the same server.
Samba 3.0.8 obeys the following rules when applying the username
map functionality:
~  * When performing local authentication, the username map is
~applied to the login name before attempting to authenticate
~the connection.
~  * When relying upon a external domain controller for validating
~authentication requests, smbd will apply the username map
~to the fully qualified username (i.e. DOMAIN\user) only
~after the user has been successfully authenticated.




cheer,s jerry
- -
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB3VRqIR7qMdg1EfYRAhzrAJ0WQHjXyclQ+4pHzCiw0ciEINXj0wCffEfL
uhkQZxAG2eV9iI7530+YM1g=
=/46x
-END PGP SIGNATURE-
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator->root mapping not working on 3.0.10 (3.0.7 fine)

[Stephen Borrill]

We are using samba 3 on NetBSD with security=domain authenticating against
Windows 2003. We have a username map of "root = administrator". In all
previous versions of samba tested (2.2.x and 3.0.x), this means when we
log on as administrator, we have root access and see the root share. With
3.0.10, we are continually prompted for a password.

Log from 3.0.7 below:

[2005/01/06 14:25:58, 4] 
/usr/pkgsrc/net/samba/work/samba-3.0.7/source/lib/username.c:map_username(132)
  Scanning username map /usr/pkg/etc/samba/smbusers
[2005/01/06 14:25:58, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.7/source/lib/username.c:map_username(173)
  Mapped user Administrator to root
[2005/01/06 14:25:58, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] 
with the new password interface
[2005/01/06 14:25:58, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2005/01/06 14:25:58, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [Administrator] succeeded
[2005/01/06 14:25:58, 2] 
/usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [Administrator] -> [root] -> 
[root] succeeded

Log from 3.0.10 below:

[2005/01/06 14:30:27, 4] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/lib/username.c:map_username(132)
  Scanning username map /usr/pkg/etc/samba/smbusers
[2005/01/06 14:30:27, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/lib/username.c:map_username(173)
  Mapped user Administrator to root
[2005/01/06 14:30:27, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] 
with the new password interface
[2005/01/06 14:30:27, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2005/01/06 14:30:27, 4] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/lib/username.c:map_username(132)
  Scanning username map /usr/pkg/etc/samba/smbusers
[2005/01/06 14:30:27, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth_util.c:make_server_info_info3(1127)
  User root does not exist, trying to add it
[2005/01/06 14:30:27, 0] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/01/06 14:30:27, 2] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [Administrator] -> [root] 
FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/06 14:30:27, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/smbd/process.c:timeout_processing(1336)
  timeout_processing: End of file from client (client has disconnected).
[2005/01/06 14:30:27, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/smbd/connection.c:yield_connection(69)
  Yielding connection to 
[2005/01/06 14:30:27, 3] 
/usr/pkgsrc/net/samba/work/samba-3.0.10/source/smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not 
exist.

Any help appreciated.

-- 
Stephen


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator

[Christoph Scheeder]

Hi,
this is no problem at all with samba 3.x, all you need is to
get your groupmapping set up correct and all is fine.
Have a look at the "net groupmap" command in 3.x.
In samba 3.x the handling of NT/Windows-groups was changed complete.
for details read through the fine doc's at samba.org about setting up a 
PDC with samba 3.x
Christoph

Ronald James schrieb:
Hi there
 

I have a question and it appears it cannot be done on Samba 3 and higher. I
want to have administrator rights on each pc in my network. I notice that
Domain Admin Groups was removed. I never used this feature so would not know
exactly what it does. However since I am now using Samba 3 it wont really be
of any use to me.
 

Is there a way, without having to goto each computer and allow domain users
to have administrator rights ? I am supporting clients and some of them have
150 pc's, I cant see myself having to go to 150 machines to allow the
administrator admin privelages etc. I also install a software (anti virus)
that requires admin rights, this is done automatically through the network,
however not when you don't have actual admin privies.
 

If it cannot be done, could someone here who is into development possibly
look into the source and try to get it to work ?
 

Thanks
 

Ronald James
NetXactics
Tel: +27 21 680-5069
Fax: +27 21 680-5011
http://www.netxactics.co.za  
Sophos - protecting businesses against viruses and spam

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator

[Ronald James]

Hi there

 

I have a question and it appears it cannot be done on Samba 3 and higher. I
want to have administrator rights on each pc in my network. I notice that
Domain Admin Groups was removed. I never used this feature so would not know
exactly what it does. However since I am now using Samba 3 it wont really be
of any use to me.

 

Is there a way, without having to goto each computer and allow domain users
to have administrator rights ? I am supporting clients and some of them have
150 pc's, I cant see myself having to go to 150 machines to allow the
administrator admin privelages etc. I also install a software (anti virus)
that requires admin rights, this is done automatically through the network,
however not when you don't have actual admin privies.

 

If it cannot be done, could someone here who is into development possibly
look into the source and try to get it to work ?

 

Thanks

 

Ronald James
NetXactics
Tel: +27 21 680-5069
Fax: +27 21 680-5011
http://www.netxactics.co.za  
Sophos - protecting businesses against viruses and spam

 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator

[Hamish]

If you add a user in the form DOMAIN\User you will be an administrator 
for that box. Maybe you just added the user as "user" - this will only 
work for local logins, to log in as a network user (on to the domain) 
add the user in the domain\user format, works perfectly here on xpsp2 
and w2k.

Alex Satrapa wrote:
On 29 Oct 2004, at 21:14, darryl penny wrote:
I would like to logon to some of the XP Pro boxes as a normal network 
user,
but at the same time be 'Administrator' on the machine. Adding myself 
to the
Administrator's group on the pc has no effect when logging on via the 
network.

Try the "Domain Administrator's" group.
Better yet, create an "Administrator" user on the domain (IIRC the UID 
has to be 512, gidNumber must be 512), and log in as that user. Don't 
make your day-to-day account an administrative account, especially if 
you intend to use Internet Explorer as your browser for any purpose 
(eg: Windows Update, comet cursors, the list of evils goes on).

Also check that you're running a SMB Domain, rather than a Workgroup.
Alex
"If knowledge can create problems, it is not through ignorance that we 
can solve them."  --Isaac Asimov

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator

[Alex Satrapa]

On 29 Oct 2004, at 21:14, darryl penny wrote:
I would like to logon to some of the XP Pro boxes as a normal network 
user,
but at the same time be 'Administrator' on the machine. Adding myself 
to the
Administrator's group on the pc has no effect when logging on via the 
network.
Try the "Domain Administrator's" group.
Better yet, create an "Administrator" user on the domain (IIRC the UID 
has to be 512, gidNumber must be 512), and log in as that user. Don't 
make your day-to-day account an administrative account, especially if 
you intend to use Internet Explorer as your browser for any purpose 
(eg: Windows Update, comet cursors, the list of evils goes on).

Also check that you're running a SMB Domain, rather than a Workgroup.
Alex
"If knowledge can create problems, it is not through ignorance that we 
can solve them."  --Isaac Asimov

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator

[darryl penny]

Hi to the list.

Our network = mix of Win98 and XP Pro logging onto Samba3.04 hosted on SuSE9.1
Auth is via passwd and smbpasswd.
No Microsoft AD at all - Samba does all the auth, therefore winbind is not
required?
I would like to logon to some of the XP Pro boxes as a normal network user,
but at the same time be 'Administrator' on the machine. Adding myself to the
Administrator's group on the pc has no effect when logging on via the network.

I've looked and looked and browsed the Samba archives, but so far I've found
nothing to help me.

Can anyone please point me to a solution?

TIA
Darryl

--
Edgemead High School, Cape Town
Tel +27215581132
Fax +27215584407
Cell +27823752081
-
Powered by SuSE 9.1 and the OpenWebmail project
--
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator can't change XP environment

[[EMAIL PROTECTED]]

Hi Guys

environment: Debian Sarge + Samba3.0.2
desktops WInXP

Just a  newbie question

How can a manage samba administrator to change user profiles and others
caracteristics of WinXP desktops???

What I have done till now.
[global]
unix charset = ISO-8859-1
workgroup = MGO
realm = SERVIDOR DE REDE DA MGO
netbios name = HERCULES
server string = %h server
update encrypted = Yes
obey pam restrictions = Yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
username map = /etc/samba/username.map
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add user script = /usr/sbin/useradd %m$ -g 200 -d /dev/null -s
/bin/false -M | smbpasswd -am %m
add machine script = /usr/sbin/useradd %m$ -d /dev/null -g 200
-s /bin/false -M | /usr/bin/smbpasswd -am %m
logon script = %u.bat
logon path = \\hercules\profile\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
admin users = @sysadmin, administrator, admin, administrador,
root
create mask = 0764
force create mode = 0764
directory mask = 0771
force directory mode = 0771
printing = cups
include = /etc/samba/dhcp.conf

-cut
[profiles]
comment = pasta de profiles dos usuarios
path = /home/%u/profile
read only = No
create mask = 0600
directory mask = 0700
-cut
username.map
root = Administrador
__cut-

Could anyone point me a faq/howto ro solve this problem?? Itś driving me
crazy...80)))

thks guys for help

Please cc me cause I'm not in this list
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator rights for Windows update?

[RRuegner]

Hi , it just much more easy to do this setup, with a policy
which has a nice gui and its working proper
Best Regards
Jeramy Eling schrieb:
You can use the registry on each machine to set the settings for SUS, the following keys can be modified to set the required settings after you have installed the SUS client:-

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU (Might need to be created)

NoAutoUpdate
Range = 0|1. 0 = Automatic Updates is enabled (default), 1 = Automatic Updates is 
disabled.
Registry Value Type: Reg_DWORD
AUOptions 
Range = 2|3|4. 2 = notify of download and installation, 3 = automatically download and notify of installation, and 4 = automatic download and scheduled installation. All options notify the local administrator.
Registry Value Type: Reg_DWORD

ScheduledInstallDay
Range = 0|1|2|3|4|5|6|7. 0 = Every day; 1 through 7 = the days of the week from Sunday (1) to Saturday (7). 
Registry Value Type: Reg_DWORD

ScheduledInstallTime 
Range = n; where n = the time of day in 24-hour format (0-23). 
Registry Value Type: Reg_DWORD

UseWUServer
Set this to 1 to enable Automatic Updates to use the server running Software Update 
Services as specified in WUServer below.
Registry Value Type: Reg_DWORD
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

WUServer 
Sets the Software Update Services server by HTTP name (for example, http://IntranetSUS).
Registry Value Type: Reg_SZ

WUStatusServer 
Sets the Software Update Services statistics server by HTTP name (for example, http://IntranetSUS).
Registry Value Type: Reg_SZ

You use a .reg file and have it applied in a login script in theory. I have done this for other applications to make registry changes in the past and it seems to work ok. However I have never applied it using a samba server as I am a complete Active Directory shop and use GPO instead. There is a document on www.microsoft.com/sus which details the deployment of an SUS server.

Hope this helps

Jez

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Clint Sharp
Sent: 07 May 2004 08:29
To: Andrew Bartlett
Cc: samba; Nicki Messerschmidt
Subject: Re: [Samba] Administrator rights for Windows update?
Andrew Bartlett wrote:


On Thu, 2004-05-06 at 22:43, Nicki Messerschmidt wrote:

SUS works surprisingly well, but I think you can just set a policy for
the machines to update themselves automatically from the master site if
you wish. 

Andrew Bartlett



We're considering a SUS deployment.  What are you (or others on the 
list) doing to push the policy to tell the clients which SUS server to 
pull the updates from and when?  From the Microsoft documentation I 
read, it appears this is best achieved through GPO, which is obviously 
not an option with a Samba PDC.  I've considered using regmon to see 
what changes GPO writes and adding these to a login script (using runas 
and sanur to install the settings from the login script, like we do for 
most everything that requires admin privs), but I was hoping someone had 
already solved this problem.  Ideas?

Clint
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator rights for Windows update?

[Andrew Bartlett]

On Fri, 2004-05-07 at 17:28, Clint Sharp wrote:
> Andrew Bartlett wrote:
> 

> We're considering a SUS deployment.  What are you (or others on the 
> list) doing to push the policy to tell the clients which SUS server to 
> pull the updates from and when?  From the Microsoft documentation I 
> read, it appears this is best achieved through GPO, which is obviously 
> not an option with a Samba PDC.  I've considered using regmon to see 
> what changes GPO writes and adding these to a login script (using runas 
> and sanur to install the settings from the login script, like we do for 
> most everything that requires admin privs), but I was hoping someone had 
> already solved this problem.  Ideas?

NT4 System policy.  ADM file attached (based on, and significantly
extended from a forum post I found somewhere).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
CLASS MACHINE

CATEGORY "Policy for SUS (Local Windows Update)"

POLICY "Options"

KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
PART !!NoAutoUpdate CHECKBOX
VALUENAME "NoAutoUpdate"
END PART

PART !!NoAutoRebootWithLoggedOnUsers CHECKBOX
VALUENAME "NoAutoRebootWithLoggedOnUsers"
END PART

PART !!AUOptions DROPDOWNLIST
VALUENAME "AUOptions"
ITEMLIST
NAME !!AU_2 VALUE NUMERIC 2
NAME !!AU_3 VALUE NUMERIC 3
NAME !!AU_4 VALUE NUMERIC 4
END ITEMLIST

END PART

PART "Scheduled Install Day" DROPDOWNLIST
VALUENAME "ScheduledInstallDay"
ITEMLIST
NAME "Every Day"VALUE NUMERIC 0
NAME "Sunday"   VALUE NUMERIC 1
NAME "Monday"   VALUE NUMERIC 2
NAME "Tuesday"  VALUE NUMERIC 3
NAME "Wednesday"VALUE NUMERIC 4
NAME "Thursday" VALUE NUMERIC 5
NAME "Friday"   VALUE NUMERIC 6
NAME "Saturday" VALUE NUMERIC 7
END ITEMLIST
END PART

PART "Scheduled Install Time" NUMERIC
VALUENAME "ScheduledInstallTime"
END PART

PART "Reschedule Wait Time" NUMERIC
VALUENAME "RescheduleWaitTime"
END PART

PART "Use WUServer" CHECKBOX
VALUENAME "UseWUServer"
END PART

END POLICY

POLICY "Server"

KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate"
PART "Updates Server (http://)"
EDITTEXT
VALUENAME "WUServer"
END PART

PART "Status Server (http://)"
EDITTEXT
VALUENAME "WUStatusServer"
END PART

END POLICY

END CATEGORY

[Strings]
WindowsUpdate="Windows Update"
RescheduleWaitTime="(RescheduleWaitTime) After failing to update, how many minutes to 
wait (1-60)"
NoAutoRebootWithLoggedOnUsers="(NoAutoRebootWithLoggedOnUsers) Allow users to defer 
reboot?"
NoAutoUpdate="(NoAutoUpdate) Disable automatic updates?"
AUOptions="(AUOptions) Automatic update mode"
AU_2="(2) Notify of download and installation"
AU_3="(3) Automaticly download and notify of installation"
AU_4="(4) Automatic download and scheduled installation"


signature.asc
Description: This is a digitally signed message part
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Administrator rights for Windows update?

[Jeramy Eling]

You can use the registry on each machine to set the settings for SUS, the following 
keys can be modified to set the required settings after you have installed the SUS 
client:-

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU (Might need to be created)

NoAutoUpdate
Range = 0|1. 0 = Automatic Updates is enabled (default), 1 = Automatic Updates is 
disabled.
Registry Value Type: Reg_DWORD

AUOptions 
Range = 2|3|4. 2 = notify of download and installation, 3 = automatically download and 
notify of installation, and 4 = automatic download and scheduled installation. All 
options notify the local administrator.
Registry Value Type: Reg_DWORD

ScheduledInstallDay
Range = 0|1|2|3|4|5|6|7. 0 = Every day; 1 through 7 = the days of the week from Sunday 
(1) to Saturday (7). 
Registry Value Type: Reg_DWORD

ScheduledInstallTime 
Range = n; where n = the time of day in 24-hour format (0-23). 
Registry Value Type: Reg_DWORD

UseWUServer
Set this to 1 to enable Automatic Updates to use the server running Software Update 
Services as specified in WUServer below.
Registry Value Type: Reg_DWORD

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

WUServer 
Sets the Software Update Services server by HTTP name (for example, 
http://IntranetSUS).
Registry Value Type: Reg_SZ

WUStatusServer 
Sets the Software Update Services statistics server by HTTP name (for example, 
http://IntranetSUS).
Registry Value Type: Reg_SZ

You use a .reg file and have it applied in a login script in theory. I have done this 
for other applications to make registry changes in the past and it seems to work ok. 
However I have never applied it using a samba server as I am a complete Active 
Directory shop and use GPO instead. There is a document on www.microsoft.com/sus which 
details the deployment of an SUS server.

Hope this helps

Jez

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Clint Sharp
Sent: 07 May 2004 08:29
To: Andrew Bartlett
Cc: samba; Nicki Messerschmidt
Subject: Re: [Samba] Administrator rights for Windows update?


Andrew Bartlett wrote:

>On Thu, 2004-05-06 at 22:43, Nicki Messerschmidt wrote:
>  
>
>SUS works surprisingly well, but I think you can just set a policy for
>the machines to update themselves automatically from the master site if
>you wish. 
>
>Andrew Bartlett
>
>  
>
We're considering a SUS deployment.  What are you (or others on the 
list) doing to push the policy to tell the clients which SUS server to 
pull the updates from and when?  From the Microsoft documentation I 
read, it appears this is best achieved through GPO, which is obviously 
not an option with a Samba PDC.  I've considered using regmon to see 
what changes GPO writes and adding these to a login script (using runas 
and sanur to install the settings from the login script, like we do for 
most everything that requires admin privs), but I was hoping someone had 
already solved this problem.  Ideas?

Clint
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator rights for Windows update?

[Clint Sharp]

Andrew Bartlett wrote:

On Thu, 2004-05-06 at 22:43, Nicki Messerschmidt wrote:
 

SUS works surprisingly well, but I think you can just set a policy for
the machines to update themselves automatically from the master site if
you wish. 

Andrew Bartlett

 

We're considering a SUS deployment.  What are you (or others on the 
list) doing to push the policy to tell the clients which SUS server to 
pull the updates from and when?  From the Microsoft documentation I 
read, it appears this is best achieved through GPO, which is obviously 
not an option with a Samba PDC.  I've considered using regmon to see 
what changes GPO writes and adding these to a login script (using runas 
and sanur to install the settings from the login script, like we do for 
most everything that requires admin privs), but I was hoping someone had 
already solved this problem.  Ideas?

Clint
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator rights for Windows update?

[Andrew Bartlett]

On Thu, 2004-05-06 at 22:43, Nicki Messerschmidt wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On Thu, 6 May 2004, Paul Gienger wrote:
> > Nicki Messerschmidt, Linksystem Muenchen GmbH wrote:
> >>is it really necessary to add every user to the administrators group to
> >>allow them to update their windows boxes? I really can't believe this...
> > Is it necessary to give root access to install system wide packages in
> > UNIX?  There is really no difference, aside from this being a new
> > concept to long time windows users.   Installing updates requires enough
> > permissions to modify/delete critical system files, and you don't want
> > Joe Schmoe doing that.
> No, but I thought that there might be a service running in the system
> context to automate this whole procedure... And this service should work
> without a sus (security update server)...

SUS works surprisingly well, but I think you can just set a policy for
the machines to update themselves automatically from the master site if
you wish. 

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


signature.asc
Description: This is a digitally signed message part
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator rights for Windows update?

[Nicki Messerschmidt]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, 6 May 2004, Paul Gienger wrote:
> Nicki Messerschmidt, Linksystem Muenchen GmbH wrote:
>>is it really necessary to add every user to the administrators group to
>>allow them to update their windows boxes? I really can't believe this...
> Is it necessary to give root access to install system wide packages in
> UNIX?  There is really no difference, aside from this being a new
> concept to long time windows users.   Installing updates requires enough
> permissions to modify/delete critical system files, and you don't want
> Joe Schmoe doing that.
No, but I thought that there might be a service running in the system
context to automate this whole procedure... And this service should work
without a sus (security update server)...


Cheers
Nicki

- -- 
Linksystem Muenchen GmbH [EMAIL PROTECTED]
Schloerstrasse 10  http://www.link-m.de
80634 Muenchen Tel. 089 / 890 518-0
We make the Net work.  Fax 089 / 890 518-77
PGP-Key:
https://www.link-m.de/pgp/n.messerschmidt.asc
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Get keys at: https://www.link-m.de/pgp

iD8DBQFAmjLn6zWc+bXuIEMRAoyfAKDI1H2Kl0m39D8YlAdVmERonwPnfQCeM6Cx
3NHsBeFmo3SMdiYDeDRG6SY=
=1jHZ
-END PGP SIGNATURE-

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator rights for Windows update?

[Paul Gienger]

Is it necessary to give root access to install system wide packages in 
UNIX?  There is really no difference, aside from this being a new 
concept to long time windows users.   Installing updates requires enough 
permissions to modify/delete critical system files, and you don't want 
Joe Schmoe doing that.

Nicki Messerschmidt, Linksystem Muenchen GmbH wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi List,
is it really necessary to add every user to the administrators group to
allow them to update their windows boxes? I really can't believe this...

Cheers
Nicki
- -- 
Linksystem Muenchen GmbH [EMAIL PROTECTED]
Schloerstrasse 10  http://www.link-m.de
80634 Muenchen Tel. 089 / 890 518-0
We make the Net work.  Fax 089 / 890 518-77
PGP-Key: 	https://www.link-m.de/pgp/n.messerschmidt.asc
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Get keys at: https://www.link-m.de/pgp

iD8DBQFAmi6J6zWc+bXuIEMRAnNjAKDqT4UP8NVIP0Ew6t2QGa6dQUvJYACfek+A
YwwgmzMloe3iVuYXcxiMbIk=
=swAu
-END PGP SIGNATURE-
 

--
Paul Gienger Office:701-281-1884
Applied Engineering Inc. Cell:  701-306-6254
Information Systems Consultant   Fax:   701-281-1322
URL: www.ae-solutions.commailto:[EMAIL PROTECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator rights for Windows update?

[Nicki Messerschmidt, Linksystem Muenchen GmbH]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi List,
is it really necessary to add every user to the administrators group to
allow them to update their windows boxes? I really can't believe this...



Cheers
Nicki

- -- 
Linksystem Muenchen GmbH [EMAIL PROTECTED]
Schloerstrasse 10  http://www.link-m.de
80634 Muenchen Tel. 089 / 890 518-0
We make the Net work.  Fax 089 / 890 518-77
PGP-Key:
https://www.link-m.de/pgp/n.messerschmidt.asc
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Get keys at: https://www.link-m.de/pgp

iD8DBQFAmi6J6zWc+bXuIEMRAnNjAKDqT4UP8NVIP0Ew6t2QGa6dQUvJYACfek+A
YwwgmzMloe3iVuYXcxiMbIk=
=swAu
-END PGP SIGNATURE-

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Samba Administrator E-zine

[Dustin Dortch]

Hello All,

I have been talking to some of the team members about an idea that I have 
for a monthly e-zine for Samba Administrators.  This e-zine would provide 
Samba specific solutions, as well as solutions for ansilary Linux tasks and 
service integration, and it would provide help for Windows pertinent 
administration tasks that a Samba Administrator would face.

I am looking for a good core of people to get this going.  If there is 
anyone out there who has been involved with publications, that would be 
great (as this would be my first).

Essentially, we need to nail down a few good regular columns, and get a head 
start on a list of articles that would be for the next few months.  Each 
issue's articles should tie-in together as much as possible.  We also need a 
logo and a good design/layout.

If you are interested, let me know.

Thanks,
Dustin A Dortch
Network+, MCSA/MCSE W2K
[EMAIL PROTECTED]
_
Watch LIVE baseball games on your computer with MLB.TV, included with MSN 
Premium! 
http://join.msn.com/?page=features/mlb&pgmarket=en-us/go/onm00200439ave/direct/01/

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] administrator not root

[Andrew Bartlett]

On Tue, 2004-02-24 at 20:10, Beast wrote:
> Is it possible to have samba adminitrator account with non zero uid?

No.  Not if you want to administer smbpasswd or ldap accounts.

We are working to reduce this restriction, but for now that's the way it
is.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


signature.asc
Description: This is a digitally signed message part
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] administrator not root

[Beast]

Is it possible to have samba adminitrator account with non zero uid?
I have a problem with email if admin is root. creating alias in postifx is somehow not 
a good option in my case.
Tks.


--beast

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator and Samba PDC

[Andrew Bartlett]

On Thu, 2004-01-22 at 21:11, rruegner wrote:
> Hi,
> using samba 3 you should add
> a User called Administrator
> and a line called 
> admin users = root, Administrator

As has been mentioned on samba-technical@ recently, this can break the
IPC$ share quite badly.   In any case, root is already uid 0, and you
should not have an 'administrator' too.  Just use root, until we get
ACLs on our LDAP stuff.

This does not impact on who appears to be an admin on the client anyway,
they need to be in the 'domain administrators' mapped group for that.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


signature.asc
Description: This is a digitally signed message part
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator and Samba PDC

[Edd Payne]

The "Admin Users" option in smb.conf has (AFAIK) been deprecated in Samba 3.0, 
instead you should create a unix group called "ntadmin" or similar and then 
run

"net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin"

on the *nix box, or man net to learn more about it.

If you are using Samba 2 then the admin users option in smb.conf is the way 
forward, man smb.conf to learn more.

To make a user an administrator on a single workstation, on Windows 2000 go to 
Control Panel > Users and Passwords, then select the user, click 
"Properties", select the "Group Membership" tab and choose "Administrators" 
under Other. If you cant see the user in the list, select "Add" and enter the 
users name and the name of the domain they belong to, then make them a member 
of "Administrators". Note that this only makes them a local admin - to make 
them a domain admin (should you so require) add them to the group on the 
linux box. Windows XP Pro should be the same.

Incidentally, I've still not managed to work out how to do the above on a NT 4 
Workstation box, which is the majority of our workstations here. Does anybody 
have any advice, have I missed something obvious, or is this a new feature in 
Win2k? 

Ta
edd

On Thursday 22 Jan 2004 10:11 am, rruegner wrote:
> Hi,
> using samba 3 you should add
> a User called Administrator
> and a line called
> admin users = root, Administrator
> but i would advice you to use the user root instead of Administrator
> for administration especially if you wanna use usrmgr.
> Best Regards
> - Original Message -
> From: "Robert Brugman" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, January 22, 2004 3:29 AM
> Subject: [Samba] Administrator and Samba PDC
>
> > Hello,
> > I posted yesterday about using samba as a primary domain controller.  I
> > have a couple other issues I need help resolving.
> >
> > I got my profiles copied over, but some things seem different.  For
> > example, Norton Antivirus Corporate doesn't load in the lower right
> > like it does on my local account.  Mainly stuff like that.  The only
> > other issues I am having are with Administrators.  I need to be an
> > administrator on the network, but I'm not sure what I need to do to
> > make myself one.  Also, is it possible to make a user an administrator
> > for just one workstation?  The last issue is with login/logout scripts.
> >   When my user logs in, it executes a batch file that contains calls to
> > change my resolution to 1600x1200.  When I log out, the logoff script
> > tells multires.exe to put it back to 1024x768.  Where would I put this
> > script so that it runs?  Where would I put the logoff script?
> >
> > Thanks SO much in advance!
> >
> > Robert
> > P.S.  Please use the reply-all function of your mail program to reply
> > so it can skip my mail filters and put the much-needed answers right in
> > my mailbox.  Thanks!
> >
> > ~Robert Brugman~
> > This e-mail is X.509 happy ;-)
> > GPG Fingerprint: D710 B8D9 C72A AB56 174F  71AC 3619 9F32 8250 6034
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba

-- 
Edd Payne
IT Co-ordinator
University of London Union
Malet Street, London WC1E 7HY

tel: 020 7664 2060
fax: 020 7436 4604

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator and Samba PDC

[rruegner]

Hi,
using samba 3 you should add
a User called Administrator
and a line called 
admin users = root, Administrator
but i would advice you to use the user root instead of Administrator
for administration especially if you wanna use usrmgr.
Best Regards
- Original Message - 
From: "Robert Brugman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 3:29 AM
Subject: [Samba] Administrator and Samba PDC


> Hello,
> I posted yesterday about using samba as a primary domain controller.  I 
> have a couple other issues I need help resolving.
> 
> I got my profiles copied over, but some things seem different.  For 
> example, Norton Antivirus Corporate doesn't load in the lower right 
> like it does on my local account.  Mainly stuff like that.  The only 
> other issues I am having are with Administrators.  I need to be an 
> administrator on the network, but I'm not sure what I need to do to 
> make myself one.  Also, is it possible to make a user an administrator 
> for just one workstation?  The last issue is with login/logout scripts. 
>   When my user logs in, it executes a batch file that contains calls to 
> change my resolution to 1600x1200.  When I log out, the logoff script 
> tells multires.exe to put it back to 1024x768.  Where would I put this 
> script so that it runs?  Where would I put the logoff script?
> 
> Thanks SO much in advance!
> 
> Robert
> P.S.  Please use the reply-all function of your mail program to reply 
> so it can skip my mail filters and put the much-needed answers right in 
> my mailbox.  Thanks!
> 
> ~Robert Brugman~
> This e-mail is X.509 happy ;-)
> GPG Fingerprint: D710 B8D9 C72A AB56 174F  71AC 3619 9F32 8250 6034
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator and Samba PDC

[Craig White]

On Wed, 2004-01-21 at 19:29, Robert Brugman wrote:
> Hello,
> I posted yesterday about using samba as a primary domain controller.  I 
> have a couple other issues I need help resolving.
> 
> I got my profiles copied over, but some things seem different.  For 
> example, Norton Antivirus Corporate doesn't load in the lower right 
> like it does on my local account.  Mainly stuff like that.  The only 
> other issues I am having are with Administrators.  I need to be an 
> administrator on the network, but I'm not sure what I need to do to 
> make myself one.  Also, is it possible to make a user an administrator 
> for just one workstation?  The last issue is with login/logout scripts. 
>   When my user logs in, it executes a batch file that contains calls to 
> change my resolution to 1600x1200.  When I log out, the logoff script 
> tells multires.exe to put it back to 1024x768.  Where would I put this 
> script so that it runs?  Where would I put the logoff script?
> 
> Thanks SO much in advance!
> 
> Robert
> P.S.  Please use the reply-all function of your mail program to reply 
> so it can skip my mail filters and put the much-needed answers right in 
> my mailbox.  Thanks!

1 - NAV Corporate Edition has an option to show or not show symbol in
status tray. Use the Symantec Control Panel to make sure it is enabled
(I tend to make these wide choices by applying to the server so that it
propogates to workstations.

2 - Administators is a local group / Domain Admins is the domain group.
Don't know how you are doing the user group management, backend sam,
version of Samba etc. Generally, you would add the users to the specific
groups but if you want a particular user to belong to a computers
Administrators or Power Users group, that is a local setting on each
machine.

3 - Don't know about logoff scripts except as group policy - see how-to
on group policy editing.

Craig

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator and Samba PDC

[Robert Brugman]

Hello,
I posted yesterday about using samba as a primary domain controller.  I 
have a couple other issues I need help resolving.

I got my profiles copied over, but some things seem different.  For 
example, Norton Antivirus Corporate doesn't load in the lower right 
like it does on my local account.  Mainly stuff like that.  The only 
other issues I am having are with Administrators.  I need to be an 
administrator on the network, but I'm not sure what I need to do to 
make myself one.  Also, is it possible to make a user an administrator 
for just one workstation?  The last issue is with login/logout scripts. 
 When my user logs in, it executes a batch file that contains calls to 
change my resolution to 1600x1200.  When I log out, the logoff script 
tells multires.exe to put it back to 1024x768.  Where would I put this 
script so that it runs?  Where would I put the logoff script?

Thanks SO much in advance!

Robert
P.S.  Please use the reply-all function of your mail program to reply 
so it can skip my mail filters and put the much-needed answers right in 
my mailbox.  Thanks!

~Robert Brugman~
This e-mail is X.509 happy ;-)
GPG Fingerprint: D710 B8D9 C72A AB56 174F  71AC 3619 9F32 8250 6034
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator rights in Samba3?

[Gémes Géza]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Eivind Trondsen írta:
| Dear list
|
| What exactly does it take to give a user administrator rights in Samba3?
| I have a user who is in the Domain Admin group (which is mapped to a
regular
| unix group) and who is also Domain Administrator (by having the last
digits
| of the SID set to 500.
|
| He is still not allowed to add computers to the domain.
|
| What am I doing wrong?
|
| Regards
As I know, because of the security of UNIX systems only users with
uid=0, typicaly called root are allowed to manipulate user accounts.
Because machine accounts also require a passwd (or LDAP corespondent)
entry, SAMBA follows this policy, so the only users alowed to ad
machines are those with uid=0, so you will need to have root in
smbpasswd or equivalent.
Another issue group SID must end in
512 to be Domain Admins in eyes of Windows!
513 to be Domain Users in eyes of Windows!
514 to be Domain Guests in eyes of Windows!
Regerds

Geza Gemes
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/hsky/PxuIn+i1pIRAr4HAJ9k+6J8w2yujV4C990ddNQoSt/4rgCfWGvl
Av3GUsKeOHwWNsfvUdrx4/4=
=Kh/w
-END PGP SIGNATURE-
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator rights in Samba3?

[Eivind Trondsen]

Dear list

What exactly does it take to give a user administrator rights in Samba3?
I have a user who is in the Domain Admin group (which is mapped to a regular 
unix group) and who is also Domain Administrator (by having the last digits 
of the SID set to 500.

He is still not allowed to add computers to the domain.

What am I doing wrong?

Regards
-- 
Eivind Trondsen - [EMAIL PROTECTED]

Anyone who is capable of getting themselves made President
should on no account be allowed to do the job.

  -Douglas Adams

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator account: For Windows 2000 and Samba

[Jason Williams]

I know i've asked this before, but I was unable to get a clear response on 
how this works exactly.

As I said before: The Administrator account on Windows machine is there by 
default.
My question is, can I add a Administrator account to samba and make sure 
they are part of the Domain Admins group to ensure that I can still use the 
administrator account to do certain functions on my clients computers?

For instance, the 'Run As' feature as well as logging into the computer as 
the administrator.

I am in the process of testing this, but I wanted to make sure that this in 
fact will work, or if there may be any related problems.

I appreciate the input.

BTW, anyone know the link fo the PDF for Samba 3? I know its still in 
progress, but i'd like to grab an updated version.

Thank you.

Jason

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator right

[stephane . purnelle]

Hello,

I have some laptop connectec to the domain.
When this laptop is standalone (not connected to the LAN), the
Administrateur (or Administrator) connected to the local domain of computer
cannot create local user.

Why ?

Thank you

 Stéphane Purnelle.
---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] administrator rights in samba 2.2.7 +ldap + XP

[Christian Daré]

Hi ,

My system : debian Woody + samba 2.2.7 + openldap .
We are trying to connect with domain administrators rights on a XP pro client .
After tests , all we obtain is users with domain user rights , impossible to have 
domain administrators rights .

We have define in smb.conf : 

Domain Admin group = @Domain Admins
admin users = administrateur 

And we ve defined administrateur user in ldap so we have :

bash$ id administrateur
bash $: uid=0(root) gid=0(root) groupes=0(root),200(Domain Admins)

First question : is it possible to have a domain admin user with ldap authentication ?
Second question : any idea to find the way out this problem ?

Thanks in advance

-- 
**
Christian Daré  
Pole Universitaire de Quimper   
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Administrator account samba-3.0alpha21 and LDAP

[Etienne Goyer]

Hi again,

I found answer to my own questions.  For the record, here is what I did:

1. Ran the script smbldap-populate.pl from IDEALX.  This create a lot of
groups and the Administrator account.

2. Change uid of the Administrator to 0.  Otherwise, it gave access
denioed when I tried to create a computer acocunt in the domain.

That's all !

On Thu, Dec 05, 2002 at 10:38:43AM -0500, Etienne Goyer wrote:
> Hi!
> 
> I am setting up a test bed for Samba PDC + LDAP.  I used the 3.0alpha21 
> rpm for RH8 from samba.org. The setup is working.  Win9x client can 
> login no problem.  
> 
> I was wondering how I should setup an "Administrator" account for the
> domain.  Right now, my plan is to have samba authenticate only to the
> ldap backend ("passdb backend = ldapsam" only).  Does  the administrator
> only need write access to the ldap tree or it also need to be root on
> the machine (uidnumber or gidnumber 0) ? What should I put in the rid 
> and primaryGroupID field ?  At the very least, I'd like to be able to
> add machine accounts to the domain with this account.
> 
> Thanks for your input !
> 
> 
> 
> -- 
> Etienne GoyerLinux Québec Technologies Inc.
> http://www.LinuxQuebec.com   [EMAIL PROTECTED]
> PGP Pub Key: http://www.LinuxQuebec.com/pubkeys/eg.key 
> Fingerprint: F569 0394 098A FC70 B572  5D20 3129 3D86 8FD5 C853 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

-- 
Etienne GoyerLinux Québec Technologies Inc.
http://www.LinuxQuebec.com   [EMAIL PROTECTED]
PGP Pub Key: http://www.LinuxQuebec.com/pubkeys/eg.key 
Fingerprint: F569 0394 098A FC70 B572  5D20 3129 3D86 8FD5 C853 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator account samba-3.0alpha21 and LDAP

[Etienne Goyer]

Hi!

I am setting up a test bed for Samba PDC + LDAP.  I used the 3.0alpha21 
rpm for RH8 from samba.org. The setup is working.  Win9x client can 
login no problem.  

I was wondering how I should setup an "Administrator" account for the
domain.  Right now, my plan is to have samba authenticate only to the
ldap backend ("passdb backend = ldapsam" only).  Does  the administrator
only need write access to the ldap tree or it also need to be root on
the machine (uidnumber or gidnumber 0) ? What should I put in the rid 
and primaryGroupID field ?  At the very least, I'd like to be able to
add machine accounts to the domain with this account.

Thanks for your input !



-- 
Etienne GoyerLinux Québec Technologies Inc.
http://www.LinuxQuebec.com   [EMAIL PROTECTED]
PGP Pub Key: http://www.LinuxQuebec.com/pubkeys/eg.key 
Fingerprint: F569 0394 098A FC70 B572  5D20 3129 3D86 8FD5 C853 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Administrator problems

[Antony Healey]

Hi,
 
I'm suffering some confusion over how to map the 
W2k Administrator (user/group) into Unix.
 
We have a samba share which is to store 
programs (such as MS Project), and while some programs install fine, others do 
not (MS Project being such).
 
I'm using both "admin users =" and a "username map" 
entry which should be mapping "Administrator" to "root".
 
We keep getting an error of this:    
"open_directory: unable to stat name"
 
When installing using the same client machine to an 
NT file server it works fine. All we can figure is that there's some conflict 
over who/when/where it thinks "Administrator" has permission.
 
Any ideas or suggestions?
Regards,Antony.-Unix Systems 
AdministratorSchool of Computing & ITUniversity of Western 
SydneyPhone: (02) 4736 0771Fax: (02) 4736 0770