[Samba] Domain admins not able to login as Domain administrator

2011-04-27 Thread arun.sasi1
Hello All,

I have configured Samba + LDAP authentication. All users' Windows
workstations are members of the Samba domain, and the Domain Admins group is
automatically mapped to the Windows workstations' local
Administrators group. But members of the Domain Admins group cannot
log in with admin rights.

Please help me to fix this.

Thanks & Regards,

Arun

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Domain Admins with Samba 3.024

2007-02-20 Thread Neil Jolly


On 14-Feb-07, at 8:13 AM, Neil Jolly wrote:

> quote who=[EMAIL PROTECTED]
>
> Please read the changelog !
>
> There are many changes between 3.0.10 and 3.0.2x
> In 3.0.2x samba version, privileges are enabled and must be used !

Replying to my own message here to explain, for the sake of others,
how I resolved this issue.

1) Backed up /etc/samba
2) Completely removed all the samba rpms.
3) Downloaded the samba src rpm
4) Downloaded any packages needed to satisfy dependencies (postgresql
   in my case)
5) Built new rpms
6) Installed all the previously built rpms with the exception of
   samba3-vscan and samba3-winbind (these weren't required in my case)
7) Restored /etc/samba
8) I had to rejoin the domain with the test clients after this (not
   sure why I had to do this) as the previous machine accounts were no
   longer valid. Since I was still configuring the server, and in the
   testing stage, this was no big deal for me, but for a larger network
   it may be worth finding a way around this one.

No other changes were made, and domain admins are now recognized as
administrators on the local client PCs.

Thanks for all the replies. I hope this is helpful to someone.

Neil Jolly
#12 800 Bowcroft Place
Cochrane, Alberta
Phone: (403) 688-7516
Fax:   (403) 851-0873


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Domain Admins with Samba 3.024

2007-02-15 Thread Gary Martin
I am having the exact same problem as you.  When you say "I built fresh
rpms", do you mean that you downloaded the srpms and used the rpmbuild
command?  Could you post what you did in a step-by-step format?

Thanks,

Gary

On Wed, 2007-02-14 at 21:48 -0700, Neil Jolly wrote:
> On 14-Feb-07, at 8:13 AM, Neil Jolly wrote:
>
> > quote who=[EMAIL PROTECTED]
> > Please read the changelog !
> >
> > There are many changes between 3.0.10 and 3.0.2x
> > In 3.0.2x samba version, privileges are enabled and must be used !
>
> I resolved the issue. I built fresh rpms, completely uninstalled the
> old install of samba, installed the fresh rpms, and restored the
> configuration files. Worked like a charm this time round. Not sure
> what the issue was, but I'm glad to have it resolved.
>
> Thanks for the help, and suggestions.
>
> Neil Jolly
> #12 800 Bowcroft Place
> Cochrane, Alberta
> Phone: (403) 688-7516
> Fax:   (403) 851-0873



Re: [Samba] Domain Admins with Samba 3.024

2007-02-14 Thread Gareth Cummings

I am having the same problem on 3.23d, had it working fine on 3.0.10.

The users in the domain admin group can add machines to the network but
do not have admin rights on the actual PCs.


Neil Jolly wrote:

> I can't seem to get the Domain Admins group members to be recognised as
> administrators on domain member PCs. Running net groupmap list yields the
> following:
>
> Domain Admins (S-1-5-21-1288424760-4211430746-2168377316-512) - admin
>
> --irrelevant groups omitted--
>
> Running net rpc group members Domain Admins yields:
>
> RLRMR\administrator
> RLRMR\root
>
> Logging in as administrator on a network connected domain member I get
> only normal restricted user privileges. What am I missing here folks?
>
> Thanks,



Re: [Samba] Domain Admins with Samba 3.024

2007-02-14 Thread Neil Jolly


On 14-Feb-07, at 4:01 AM, Gareth Cummings wrote:

> I am having the same problem on 3.23d, had it working fine on
> 3.0.10.
>
> The users in the domain admin group can add machines to the network
> but do not have admin rights on the actual PCs.


Thanks for confirming this problem. Good to know I'm not alone, but I  
still need to resolve the issue at some point. This server's not in  
production as yet, so I'm free to try some changes if anyone has a  
suggestion.


Thanks,
Neil Jolly
#12 800 Bowcroft Place
Cochrane, Alberta
Phone: (403) 688-7516
Fax:   (403) 851-0873




Re: [Samba] Domain Admins with Samba 3.024

2007-02-14 Thread stephane . purnelle
Please read the changelog !

There are many changes between 3.0.10 and 3.0.2x
In 3.0.2x samba version, privileges are enabled and must be used !


---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467



Neil Jolly [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
14/02/2007 15:11

To
samba@lists.samba.org
cc

Subject
Re: [Samba] Domain Admins with Samba 3.024

On 14-Feb-07, at 4:01 AM, Gareth Cummings wrote:

> I am having the same problem on 3.23d, had it working fine on
> 3.0.10.
>
> The users in the domain admin group can add machines to the network
> but do not have admin rights on the actual PCs.

Thanks for confirming this problem. Good to know I'm not alone, but I 
still need to resolve the issue at some point. This server's not in 
production as yet, so I'm free to try some changes if anyone has a 
suggestion.

Thanks,
Neil Jolly
#12 800 Bowcroft Place
Cochrane, Alberta
Phone: (403) 688-7516
Fax:   (403) 851-0873




Re: [Samba] Domain Admins with Samba 3.024

2007-02-14 Thread Neil Jolly

quote who=[EMAIL PROTECTED]
> Please read the changelog !
>
> There are many changes between 3.0.10 and 3.0.2x
> In 3.0.2x samba version, privileges are enabled and must be used !

Like this:
net rpc rights list accounts -U root%123urin
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

RLRMR\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

Doesn't work.
-- 
Neil Jolly
Jolly Computatations
#12 800 Bowcroft Place
Cochrane, Alberta
Phone: (403) 688-7516
Fax:   (403) 851-0873
Web: www.jollycom.ca



Re: [Samba] Domain Admins with Samba 3.024

2007-02-14 Thread Neil Jolly


On 14-Feb-07, at 8:13 AM, Neil Jolly wrote:

> quote who=[EMAIL PROTECTED]
>
> Please read the changelog !
>
> There are many changes between 3.0.10 and 3.0.2x
> In 3.0.2x samba version, privileges are enabled and must be used !

I resolved the issue. I built fresh rpms, completely uninstalled the
old install of samba, installed the fresh rpms, and restored the
configuration files. Worked like a charm this time round. Not sure
what the issue was, but I'm glad to have it resolved.


Thanks for the help, and suggestions.

Neil Jolly
#12 800 Bowcroft Place
Cochrane, Alberta
Phone: (403) 688-7516
Fax:   (403) 851-0873




[Samba] Domain Admins with Samba 3.024

2007-02-13 Thread Neil Jolly
I can't seem to get the Domain Admins group members to be recognised as
administrators on domain member PCs. Running net groupmap list yields the
following:

Domain Admins (S-1-5-21-1288424760-4211430746-2168377316-512) - admin

--irrelevant groups omitted--

Running net rpc group members Domain Admins yields:

RLRMR\administrator
RLRMR\root

Logging in as administrator on a network connected domain member I get
only normal restricted user privileges. What am I missing here folks?

Thanks,
-- 
Neil Jolly
Jolly Computatations
#12 800 Bowcroft Place
Cochrane, Alberta
Phone: (403) 688-7516
Fax:   (403) 851-0873
Web: www.jollycom.ca



Re: [Samba] Domain Admins

2006-05-25 Thread Neil Muller

Golden Butler wrote:

> Hi,
>
> I'm trying to set up one of my users to be a domain admin.  I have
> unix/ldap group called domainadm with user1 a member of the group.
> When I run net groupmap list I get the following:
>
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) - domainadm
>
> But when I go to log in to the domain with user1 on a winxp machine,
> the user isn't able to make administrative changes to the computer.
>
> Is there something I'm doing wrong?
>
> - Delamatrix
>
> SLES9-SP3
> Samba 3.0.20b
> Openldap




I think you may need to check the rid you have used for the Domain 
Admins group. According to 
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html 
this is one of the well known rids which must be maintained for correct 
functioning of the NT groups systems. You have a rid of 7033 and I think 
it should be 512.



Neil
--
email: [EMAIL PROTECTED]

Re: [Samba] Domain Admins

2006-05-25 Thread neil



> Yes!  That was it.  Thanks a lot.
>
> But now I'm curious.  So if I wanted to map my unix users group to
> Domain Users, what rid would I use, or does it matter?

<snip>

I think it does matter, if you check out the samba documentation you
will see that Domain Users has the well known rid of 513 so your net
command would be something like:

net groupmap modify unixgroup=users type=domain ntgroup="Domain Users"

Obviously you need to replace users with the name of your local users
group if it is different.

If you have to create the nt group from scratch you don't need to
specify a rid unless you want to but I've found that setting the group
type to domain seems to make setting group privileges on windows
workstations work correctly.


Neil
--
email: [EMAIL PROTECTED]
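
The RID check suggested in the two replies above (512 for Domain Admins, 513 for Domain Users), as an added example that is not part of the original posts: a shell function that reads `net groupmap list` output and reports well-known groups carrying the wrong RID. The sample listing, the function names and the Domain Guests entry (RID 514) are additions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `net groupmap list` output for
# well-known domain groups whose SID ends in the wrong RID.

# Constructed sample listing. The first SID is the mapping quoted in the
# thread; the other lines are made up for illustration.
sample_groupmap() {
cat <<'EOF'
Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) -> domainadm
Domain Users (S-1-5-21-186220259-3826000728-3192352269-513) -> users
Domain Guests (S-1-5-21-186220259-3826000728-3192352269-514) -> nobody
marketing (S-1-5-21-186220259-3826000728-3192352269-3001) -> marketing
EOF
}

# Same listing after the Domain Admins mapping has been recreated with RID 512.
sample_groupmap_fixed() {
    sample_groupmap | sed 's/-7033)/-512)/'
}

# check_wellknown_rids: read a groupmap listing on stdin.
#   MISMATCH   a well-known group name carries a different RID
#   RID_REUSED a well-known RID is attached to some other group name
#   UNMAPPED   a well-known group does not appear at all
# Exit status is 1 if anything was reported, 0 otherwise.
check_wellknown_rids() {
    awk '
    BEGIN {
        want["Domain Admins"] = 512; owner[512] = "Domain Admins"
        want["Domain Users"]  = 513; owner[513] = "Domain Users"
        want["Domain Guests"] = 514; owner[514] = "Domain Guests"
    }
    {
        # Line layout: NT group name, SID in parentheses, arrow, Unix group.
        # Only the name and SID are parsed, so "->" and a bare "-" both work.
        lp = index($0, " (S-")
        if (lp == 0) next
        name = substr($0, 1, lp - 1)
        rest = substr($0, lp + 2)
        rp = index(rest, ")")
        if (rp == 0) next
        n = split(substr(rest, 1, rp - 1), part, "-")
        rid = part[n] + 0

        if (name in want) {
            seen[name] = 1
            if (rid != want[name]) {
                printf "MISMATCH %s rid=%d expected=%d\n", name, rid, want[name]
                bad++
            }
        } else if (rid in owner) {
            printf "RID_REUSED %s rid=%d belongs_to=%s\n", name, rid, owner[rid]
            bad++
        }
    }
    END {
        for (g in want)
            if (!(g in seen)) { printf "UNMAPPED %s\n", g; bad++ }
        exit (bad > 0 ? 1 : 0)
    }'
}

# Stand-alone run on the constructed sample.
sample_groupmap | check_wellknown_rids || echo "group mapping needs attention"
```

On a real server the input would come from `net groupmap list` piped into `check_wellknown_rids`.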


Re: [Samba] Domain Admins

2006-05-25 Thread Golden Butler
Thanks Neil.  I did find some very useful info over at samba.org about 
this also.


-- Delamatrix

neil wrote:

> > Yes!  That was it.  Thanks a lot.
> >
> > But now I'm curious.  So if I wanted to map my unix users group to
> > Domain Users, what rid would I use, or does it matter?
>
> <snip>
>
> I think it does matter, if you check out the samba documentation you
> will see that Domain Users has the well known rid of 513 so your net
> command would be something like:
>
> net groupmap modify unixgroup=users type=domain ntgroup="Domain Users"
>
> Obviously you need to replace users with the name of your local
> users group if it is different.
>
> If you have to create the nt group from scratch you don't need to
> specify a rid unless you want to but I've found that setting the group
> type to domain seems to make setting group privileges on windows
> workstations work correctly.
>
> Neil
> --
> email: [EMAIL PROTECTED]




[Samba] Domain Admins

2006-05-24 Thread Golden Butler

Hi,

I'm trying to set up one of my users to be a domain admin.  I have 
unix/ldap group called domainadm with user1 a member of the group.  
When I run net groupmap list I get the following:


Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) - domainadm

But when I go to log in to the domain with user1 on a winxp machine, 
the user isn't able to make administrative changes to the computer.


Is there something I'm doing wrong?

- Delamatrix

SLES9-SP3
Samba 3.0.20b
Openldap



Re: [Samba] Domain Admins

2006-05-24 Thread Gary Dale

Golden Butler wrote:

> Hi,
>
> I'm trying to set up one of my users to be a domain admin.  I have
> unix/ldap group called domainadm with user1 a member of the
> group.  When I run net groupmap list I get the following:
>
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) - domainadm
>
> But when I go to log in to the domain with user1 on a winxp machine,
> the user isn't able to make administrative changes to the computer.
>
> Is there something I'm doing wrong?
>
> - Delamatrix
>
> SLES9-SP3
> Samba 3.0.20b
> Openldap

It's not clear what you are trying to do. If the Windows user1 is a 
member of Domain Admins and if Domain Admins have administrative 
rights on the winxp machine, user1 should have administrative rights on 
the winxp machine.


If the Unix group domainadm has some special privileges on your Samba 
server, then user1 should be able to exercise those privileges.


Neither condition is automatic however. You need to set up the privileges.


Re: [Samba] Domain Admins

2006-05-24 Thread Golden Butler
Yes!  That was it.  Thanks a lot.

But now I'm curious.  So if I wanted to map my unix users group to Domain 
Users, what rid would I use, or does it matter?

- Delamatrix

From: Neil Muller [mailto:[EMAIL PROTECTED]
To: Golden Butler [mailto:[EMAIL PROTECTED]
Cc: Samba Mailing List [mailto:[EMAIL PROTECTED]
Sent: Wed, 24 May 2006 19:22:48 -0500
Subject: Re: [Samba] Domain Admins

Golden Butler wrote:
> Hi,
>
> I'm trying to set up one of my users to be a domain admin.  I have
> unix/ldap group called domainadm with user1 a member of the group.
> When I run net groupmap list I get the following:
>
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) - domainadm
>
> But when I go to log in to the domain with user1 on a winxp machine,
> the user isn't able to make administrative changes to the computer.
>
> Is there something I'm doing wrong?
>
> - Delamatrix
>
> SLES9-SP3
> Samba 3.0.20b
> Openldap
 


I think you may need to check the rid you have used for the Domain 
Admins group. According to 
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html 
this is one of the well known rids which must be maintained for correct 
functioning of the NT groups systems. You have a rid of 7033 and I think 
it should be 512.


Neil
--
email: [EMAIL PROTECTED]

  


Re: [Samba] Domain Admins

2006-05-24 Thread Golden Butler
Also,

Is it necessary to group map groups you're using in samba?  For example:

ntgroup marketing  --  unix group marketing
ntgroup sales --  unix group sales

What are pros and cons to doing this, or is it optional?

-- Delamatrix

From: Neil Muller [mailto:[EMAIL PROTECTED]
To: Golden Butler [mailto:[EMAIL PROTECTED]
Cc: Samba Mailing List [mailto:[EMAIL PROTECTED]
Sent: Wed, 24 May 2006 19:22:48 -0500
Subject: Re: [Samba] Domain Admins

Golden Butler wrote:
> Hi,
>
> I'm trying to set up one of my users to be a domain admin.  I have
> unix/ldap group called domainadm with user1 a member of the group.
> When I run net groupmap list I get the following:
>
> Domain Admins (S-1-5-21-186220259-3826000728-3192352269-7033) - domainadm
>
> But when I go to log in to the domain with user1 on a winxp machine,
> the user isn't able to make administrative changes to the computer.
>
> Is there something I'm doing wrong?
>
> - Delamatrix
>
> SLES9-SP3
> Samba 3.0.20b
> Openldap
 


I think you may need to check the rid you have used for the Domain 
Admins group. According to 
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html 
this is one of the well known rids which must be maintained for correct 
functioning of the NT groups systems. You have a rid of 7033 and I think 
it should be 512.


Neil
--
email: [EMAIL PROTECTED]

  


Re: [Samba] Domain admins and samba

2006-04-26 Thread Kirk B. Dice
It works on mine, so the only other things I can think of are 1) is
'password server = pdc_server' in your smb.conf and/or 2) try adding '-w
domainname' to the net rpc rights list command in addition to the -U
mentioned below.

Kirk
- Original Message -
From: Ivan Ordonez [EMAIL PROTECTED]
To: Kirk B. Dice [EMAIL PROTECTED]
Sent: Tuesday, April 25, 2006 5:30 PM
Subject: Re: [Samba] Domain admins and samba


Kirk,

I tried that and it did not work, I got the same message.

Thanks,
-Ivan

At 03:11 PM 4/25/2006, you wrote:
Put the -U'username%pass' parm on the net rpc rights list command.  The
username and password should be the PDC's.

Kirk

- Original Message -
From: Ivan Ordonez [EMAIL PROTECTED]
To: Asier Baranguan [EMAIL PROTECTED]; samba@lists.samba.org
Sent: Tuesday, April 25, 2006 2:18 PM
Subject: Re: [Samba] Domain admins and samba


I could not use the command net rpc rights list as well.  I will get a
Could not connect to server 127.0.0.1 message.  I can't use rpc command
at all.

Can someone please point me to the right direction.

Thanks,
-Ivan

At 02:13 PM 4/24/2006, Asier Baranguan wrote:
> On Monday, 24 April 2006 20:28, Ivan Ordonez wrote:
> > I added the line (enable privileges = yes) on my smb.conf, stop and start
> > samba service but still no luck.
> >
> > I still can't add a computer to the domain using regular account that are
> > part of sysadmin group.
>
> I think he refers to this link:
>
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2567877
> --
> Asier.


Re: [Samba] Domain admins and samba

2006-04-25 Thread Ivan Ordonez
I could not use the command net rpc rights list as well.  I will get a 
Could not connect to server 127.0.0.1 message.  I can't use rpc command 
at all.


Can someone please point me to the right direction.

Thanks,
-Ivan

At 02:13 PM 4/24/2006, Asier Baranguan wrote:

> On Monday, 24 April 2006 20:28, Ivan Ordonez wrote:
> > I added the line (enable privileges = yes) on my smb.conf, stop and start
> > samba service but still no luck.
> >
> > I still can't add a computer to the domain using regular account that are
> > part of sysadmin group.
>
> I think he refers to this link:
>
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2567877
> --
> Asier.


Re: [Samba] Domain admins and samba

2006-04-25 Thread Kirk B. Dice
Put the -U'username%pass' parm on the net rpc rights list command.  The
username and password should be the PDC's.

Kirk

- Original Message -
From: Ivan Ordonez [EMAIL PROTECTED]
To: Asier Baranguan [EMAIL PROTECTED]; samba@lists.samba.org
Sent: Tuesday, April 25, 2006 2:18 PM
Subject: Re: [Samba] Domain admins and samba


I could not use the command net rpc rights list as well.  I will get a
Could not connect to server 127.0.0.1 message.  I can't use rpc command
at all.

Can someone please point me to the right direction.

Thanks,
-Ivan

At 02:13 PM 4/24/2006, Asier Baranguan wrote:
> On Monday, 24 April 2006 20:28, Ivan Ordonez wrote:
> > I added the line (enable privileges = yes) on my smb.conf, stop and start
> > samba service but still no luck.
> >
> > I still can't add a computer to the domain using regular account that are
> > part of sysadmin group.
>
> I think he refers to this link:
>
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2567877
> --
> Asier.


Re: [Samba] Domain admins and samba

2006-04-24 Thread Ivan Ordonez
I added the line (enable privileges = yes) on my smb.conf, stop and start 
samba service but still no luck.


I still can't add a computer to the domain using regular account that are 
part of sysadmin group.


Anything else I should do?

Thanks,
-Ivan


At 07:30 AM 4/22/2006, Josh Kelley wrote:

> On 4/21/06, Ivan Ordonez [EMAIL PROTECTED] wrote:
> > How can I give a user account the ability to join or add computer to the
> > domain?
>
> Are privileges enabled? (enable privileges = yes in smb.conf)
>
> If not, then I believe that only root can join computers to the domain.
>
> If privileges are enabled, then see Chapter 14 of the Samba
> HOWTO-Collection for instructions on delegating privileges to your
> Domain Admins group.
>
> Josh Kelley





Re: [Samba] Domain admins and samba

2006-04-24 Thread Asier Baranguan
On Monday, 24 April 2006 20:28, Ivan Ordonez wrote:
> I added the line (enable privileges = yes) on my smb.conf, stop and start
> samba service but still no luck.
>
> I still can't add a computer to the domain using regular account that are
> part of sysadmin group.

I think he refers to this link:

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2567877
-- 
Asier.


Re: [Samba] Domain admins and samba

2006-04-22 Thread Josh Kelley
On 4/21/06, Ivan Ordonez [EMAIL PROTECTED] wrote:
> How can I give a user account the ability to join or add computer to the
> domain?

Are privileges enabled? (enable privileges = yes in smb.conf)

If not, then I believe that only root can join computers to the domain.

If privileges are enabled, then see Chapter 14 of the Samba
HOWTO-Collection for instructions on delegating privileges to your
Domain Admins group.

Josh Kelley


[Samba] Domain admins and samba

2006-04-21 Thread Ivan Ordonez
How can I give a user account the ability to join or add computer to the 
domain?


Below are the steps I did but none work:

1.  Edit smb.conf file and add the following line.

#  domain administrators
   domain admin group = root user1 user2 @sysadmin
   domain admin users = @sysadmin

I have a group called sysadmin on my /etc/group profile and added both
user1 and user2.

2.  Map the Windows Domain Admins to sysadmin group account using the
command below:

pcname#net groupmap modify ntgroup="Domain Admins" unixgroup=sysadmin

3.  Check if the command was successful by using the command below:

pcname#net groupmap list

Domain Admins (S-1-5-21-1071463269-1754759636-1174686074-512) - sysadmin

The above result clearly shows that it was successful and the Domain
Admins group is pointing to sysadmin.


Thanks for all the help.

-Ivan



Re: [Samba] Domain Admins can't modify ldapsam entries

2005-10-19 Thread Michael Gasch

hi,

well if i do enable privileges = no and admin users = @myadmins this 
works intentionally. but jerry is right: there should be no use of uid=0 
anymore.


greez



Günter Gersdorf wrote:

> Domain Admins are not allowed to modify the ldapsam database via usrmgr.
>   lib/smbldap.c: smbldap_open: cannot access LDAP when not root..
>
> Is this by design?
>
> Günter Gersdorf



--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137


Re: [Samba] Domain Admins can't modify ldapsam entries

2005-10-19 Thread Gerald (Jerry) Carter


Eric A. Hall wrote:
| On 10/18/2005 9:26 AM, Gerald (Jerry) Carter wrote:
| -BEGIN PGP SIGNED MESSAGE-
| Hash: SHA1
|
| Günter Gersdorf wrote:
|
| | Domain Admins are not allowed to modify the ldapsam
| | database via usrmgr.
| |   lib/smbldap.c: smbldap_open: cannot access LDAP when not root..
| |
| | Is this by design?
|
| Yes.  It is by design.  You have to assign the
| SeAddUsersPrivilege  to the Domain Admins group.
|
| Where are the privs stored nowadays? I found lots of references to
| privilege[s].tdb but nothing like that seems to exist anywhere.

account_pol.tdb







cheers, jerry


[Samba] Domain Admins can't modify ldapsam entries

2005-10-18 Thread Günter Gersdorf
Domain Admins are not allowed to modify the ldapsam database via usrmgr.
  lib/smbldap.c: smbldap_open: cannot access LDAP when not root..

Is this by design?

Günter Gersdorf
-- 
Guenter Gersdorf                         Phone:  +49/(0)531/391-7634
Inst. f. Werkzeugmaschinen               Fax:                  -5842
und Fertigungstechnik, TU Braunschweig   E-Mail: [EMAIL PROTECTED]
Langer Kamp 19b, D-38106 Braunschweig    http://www.iwf.ing.tu-bs.de/



Re: [Samba] Domain Admins can't modify ldapsam entries

2005-10-18 Thread Gerald (Jerry) Carter


Günter Gersdorf wrote:

| Domain Admins are not allowed to modify the ldapsam
| database via usrmgr.
|   lib/smbldap.c: smbldap_open: cannot access LDAP when not root..
|
| Is this by design?

Yes.  It is by design.  You have to assign the
SeAddUsersPrivilege  to the Domain Admins group.







cheers, jerry
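
The answer above comes down to checking which privileges the Domain Admins group actually holds. As an added example (not from the thread or the Samba project), the shell functions below parse `net rpc rights list accounts` output in the layout quoted earlier on this page, report privileges an account lacks and list unexpected holders of a privilege. The EXAMPLE domain, the helpdesk account and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the account/privilege listing
# printed by `net rpc rights list accounts`.

# Constructed sample in the layout quoted earlier on this page: an account
# line, then one privilege per line or "No privileges assigned", with a blank
# line between accounts. EXAMPLE and helpdesk are placeholder names.
sample_rights() {
cat <<'EOF'
BUILTIN\Account Operators
No privileges assigned

EXAMPLE\Domain Admins
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeDiskOperatorPrivilege

EXAMPLE\helpdesk
SeMachineAccountPrivilege
SeAddUsersPrivilege

Everyone
No privileges assigned
EOF
}

# rights_pairs: flatten the listing on stdin to "account<TAB>privilege" lines.
rights_pairs() {
    awk '
    NF == 0      { acct = ""; next }     # blank line closes the current record
    acct == ""   { acct = $0; next }     # first line of a record is the account
    $0 == "No privileges assigned" { next }
                 { printf "%s\t%s\n", acct, $0 }'
}

# missing_privs ACCOUNT PRIV...: print every listed privilege that ACCOUNT
# does not hold. Returns 1 if at least one is missing.
missing_privs() {
    mp_acct=$1; shift
    mp_pairs=$(rights_pairs)
    mp_rc=0
    for mp_priv in "$@"; do
        if ! printf '%s\n' "$mp_pairs" |
             grep -Fqx -e "$(printf '%s\t%s' "$mp_acct" "$mp_priv")"; then
            printf '%s\n' "$mp_priv"
            mp_rc=1
        fi
    done
    return "$mp_rc"
}

# extra_holders PRIV ALLOWED...: print accounts that hold PRIV but are not in
# the ALLOWED list, so unexpected delegations stand out.
extra_holders() {
    eh_priv=$1; shift
    rights_pairs | awk -F '\t' -v priv="$eh_priv" '$2 == priv { print $1 }' |
    while IFS= read -r eh_holder; do
        eh_ok=0
        for eh_allowed in "$@"; do
            if [ "$eh_holder" = "$eh_allowed" ]; then eh_ok=1; fi
        done
        if [ "$eh_ok" -eq 0 ]; then printf '%s\n' "$eh_holder"; fi
    done
}

# Stand-alone run on the constructed sample.
sample_rights | missing_privs 'EXAMPLE\Domain Admins' SeAddUsersPrivilege |
    sed 's/^/Domain Admins lacks: /'
sample_rights | extra_holders SeMachineAccountPrivilege 'EXAMPLE\Domain Admins' |
    sed 's/^/also holds SeMachineAccountPrivilege: /'
```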


Re: [Samba] Domain Admins can't modify ldapsam entries

2005-10-18 Thread Eric A. Hall

On 10/18/2005 9:26 AM, Gerald (Jerry) Carter wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Günter Gersdorf wrote:
>
> | Domain Admins are not allowed to modify the ldapsam
> | database via usrmgr.
> |   lib/smbldap.c: smbldap_open: cannot access LDAP when not root..
> |
> | Is this by design?
>
> Yes.  It is by design.  You have to assign the
> SeAddUsersPrivilege  to the Domain Admins group.

Where are the privs stored nowadays? I found lots of references to
privilege[s].tdb but nothing like that seems to exist anywhere.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/


Re: [Samba] Domain Admins can't modify ldapsam entries

2005-10-18 Thread Craig White
On Wed, 2005-10-19 at 00:05 -0400, Eric A. Hall wrote:
> On 10/18/2005 9:26 AM, Gerald (Jerry) Carter wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Günter Gersdorf wrote:
> >
> > | Domain Admins are not allowed to modify the ldapsam
> > | database via usrmgr.
> > |   lib/smbldap.c: smbldap_open: cannot access LDAP when not root..
> > |
> > | Is this by design?
> >
> > Yes.  It is by design.  You have to assign the
> > SeAddUsersPrivilege  to the Domain Admins group.
>
> Where are the privs stored nowadays? I found lots of references to
> privilege[s].tdb but nothing like that seems to exist anywhere.

on my systems, tdb's are stored in /var/cache/samba (RHEL)

if slocate is current, you should be able to find it easily enough...
locate account_policy.tdb
if slocate is not current, execute 'updatedb' first

The SeAddUsersPrivilege was added somewhere around 3.0.14 - depends upon
which version of samba you are using as to whether command is available.

Craig




Re: [Samba] Domain Admins can't modify ldapsam entries

2005-10-18 Thread John H Terpstra
On Tuesday 18 October 2005 22:05, Eric A. Hall wrote:
> On 10/18/2005 9:26 AM, Gerald (Jerry) Carter wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Günter Gersdorf wrote:
> > | Domain Admins are not allowed to modify the ldapsam
> > | database via usrmgr.
> > |   lib/smbldap.c: smbldap_open: cannot access LDAP when not root..
> > |
> > | Is this by design?
> >
> > Yes.  It is by design.  You have to assign the
> > SeAddUsersPrivilege  to the Domain Admins group.
>
> Where are the privs stored nowadays? I found lots of references to
> privilege[s].tdb but nothing like that seems to exist anywhere.

account_policy.tdb

- John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.


[Samba] Domain Admins

2005-04-20 Thread Larry McElderry
OK, I have RTFM.  All that I could find.

I cannot seem to set permissions via WINXP Pro explorer. No matter what I do 
all I get is access denied - even if I own the file.
Samba log reveals:

[2005/04/20 10:56:08, 2] smbd/open.c:open_file(326)
  larry opened file xghost.bin read=Yes write=No (numopen=1)
[2005/04/20 10:56:08, 3] smbd/process.c:process_smb(1102)
  Transaction 19 of length 188
[2005/04/20 10:56:08, 3] smbd/process.c:switch_message(893)
  switch message SMBnttrans (pid 27187) conn 0x8b52b0
[2005/04/20 10:56:08, 3] smbd/nttrans.c:call_nt_transact_set_security_desc(2173)
  call_nt_transact_set_security_desc: file = xghost.bin, sent 0x4
[2005/04/20 10:56:08, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2179) cmd=160 (SMBnttrans) 
NT_STATUS_ACCESS_DENIED

Running on Suse 9.2
File system is Reiserfs with mount options acl,user_xattr 1 2
Samba is compiled with acl and ldap support
smbd -b
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS

have net groupmap add ntgroup=Domain Admins unixgroup=dpdev  which is our IT 
group.

Logged as myself
uid=272(larry) gid=544(Administrators) groups=0(root),100(users),101(dpdev),108(
vsifax),109(www),200(informix),512(Domain Admins),544(Administrators),1000(dp)

I can modify acls using setfacl but not through samba.

Even if I log in to windows as Administrator I get the same error.

What does it take to be a Samba Domain Admin  ver 3.0.15pre2




Re: [Samba] domain admins group in samba 3.0.7 question

2005-03-28 Thread Paul Gienger

I have a samba 3.0.7 pdc (suse 9.2 pro) and want to automatically add 
the ntadmins group to the local administrators group on each domain 
member workstation. The mydomain/Domain Admins group seems to be added 
automatically to the Administrators group on the local workstation but 
I can't find a way to either map or directly create members of this 
group.

I have looked at the net groupmap add ... command but it seems to 
require an existing windows pdc.

What makes you think that?  The command should be
net groupmap add unixgroup=<whatever group name> ntgroup=<something else>

where the unixgroup parameter is the name of the existing unix group to 
use and ntgroup is the new name that you want the group to display as in 
windows.

--
Paul GiengerOffice: 701-281-1884
Applied Engineering Inc.
Systems Architect   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]



[Samba] domain admins group in samba 3.0.7 question

2005-03-27 Thread Neil Muller
I have a samba 3.0.7 pdc (suse 9.2 pro) and want to automatically add 
the ntadmins group to the local administrators group on each domain 
member workstation. The mydomain/Domain Admins group seems to be added 
automatically to the Administrators group on the local workstation but I 
can't find a way to either map or directly create members of this group.

I have looked at the net groupmap add ... command but it seems to 
require an existing windows pdc.

What am I missing? The pdc seems to work ok as I can add/remove machines 
 to/from the domain and can logon to the domain using samba users.

Any help will be appreciated.
Neil


SOLUTION Re: [Samba] Domain admins not getting local admin rights

2005-01-28 Thread Morgan Toal
OK here's the deal, thanks especially to John for your time today and 
remedial attention :)

My issue, to repeat myself, was that I was logging in as a domain 
administrator on a Windows box, and while I was domain administrator 
just fine, I was not having local administrator rights on that box. For 
example, I could not install software, or change the network connection, 
things like that which are a pain in the keester.

Turns out I had several issues going on, pretty much all relating to the 
fact that I had simply migrated my samba v2.2 configuration in situ and 
expected it to just work, and mostly it just did... mostly...

1. I was still using smbpasswd, and needed to move to tdbsam. Apparently 
I could have done net groupmaps all day and these are ignored if 
you're not using tdbsam as your authentication mechanism as smbpasswd 
cannot tie together the SIDS and such which results in users 
disconnected with their appropriate group memberships. (correct me if I 
am wrong). So I converted it with:

  pdbedit -i smbpasswd -e tdbsam

This process took all of 2 seconds.

2. I needed to modify the [global] section in my smb.conf to conform to 
v3 features. For example I did not have the add machine script 
directive set. I basically copied the one in the impatient section of 
the howto. I needed to set passdb backend = tdbsam since we're using 
this now.

3. I probably did not need to, but I stopped samba, blew away my old 
/var/cache/samba/group_mapping.tdb and restarted samba.

4. I had to remap my groups, since I nuked group_mapping.tdb:

  net groupmap modify ntgroup=Domain Admins unixgroup=domainadmin

5. I logged out on my windows box as the domain admin user, and logged 
back in as that same user. Lo and behold, I am local administrator 
again. Whoo-hoo!!! :)

thanks again!
mtoal
Morgan Toal wrote:
Hi there,
I switched servers yesterday.
The old server was running 2.2.7a-1 on RedHat 8.0.
The new server is 3.0.8-0.pre1.3 on Fedora Core 3.
I did the migration by copying the following:
/etc/passwd
/etc/group
/etc/shadow
/etc/samba/*
I then copied /home and fixed all the permissions on stuff.
I then started up samba on the new server, and unplugged the old one.
Most everything went smoothly, everyone could log in, we did not have to 
re-join client computers to the domain.

However, I am not understanding why my domain administrator accounts are 
now not getting local administrator privileges when logged in. This 
always worked fine on Samba 2.2.7a-1!

I now cannot, when logged in on a W2K workstation as a domain user 
called nsu, which is a member of domain admins, modify files in 
C:\WINNT, or modify the local registry, etc.

On a W2K workstation, in the Local Users and Groups applet I can see that 
the local Administrators does in fact contain PD/Domain Admins and 
it gives a partial listing of the group's SID.

I cannot confirm if this is the same SID as my SID in samba for Domain 
Admins. It should be the same, right? Can anyone suggest a tool I could 
use to confirm this?

I *really* don't want to have to add a domain group of people who should 
be local administrator to the local administrators group on each 
workstation, as we have quite a number of workstations, so I have not 
tried this yet...

Can someone else suggest something for me to check or try? Thanks!
mtoal


[Samba] Domain admins not getting local admin rights

2005-01-27 Thread Morgan Toal
Hi there,
I switched servers yesterday.
The old server was running 2.2.7a-1 on RedHat 8.0.
The new server is 3.0.8-0.pre1.3 on Fedora Core 3.
I did the migration by copying the following:
/etc/passwd
/etc/group
/etc/shadow
/etc/samba/*
I then copied /home and fixed all the permissions on stuff.
I then started up samba on the new server, and unplugged the old one.
Most everything went smoothly, everyone could log in, we did not have to 
re-join client computers to the domain.

However, I am not understanding why my domain administrator accounts are 
now not getting local administrator privileges when logged in. This 
always worked fine on Samba 2.2.7a-1!

I now cannot, when logged in on a W2K workstation as a domain user 
called nsu, which is a member of domain admins, modify files in 
C:\WINNT, or modify the local registry, etc.

On a W2K workstation, in the Local Users and Groups applet I can see that 
the local Administrators does in fact contain PD/Domain Admins and 
it gives a partial listing of the group's SID.

I cannot confirm if this is the same SID as my SID in samba for Domain 
Admins. It should be the same, right? Can anyone suggest a tool I could 
use to confirm this?

I *really* don't want to have to add a domain group of people who should 
be local administrator to the local administrators group on each 
workstation, as we have quite a number of workstations, so I have not 
tried this yet...

Can someone else suggest something for me to check or try? Thanks!
mtoal
-
[EMAIL PROTECTED] ~]# net groupmap list
System Operators (S-1-5-32-549) - -1
Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) - -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) - domainadmin
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Guests (S-1-5-21-2634632689-992284068-1313363551-514) - -1
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) - -1
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) - -1
Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - domainadmin
Administrators (S-1-5-32-544) - domainadmin
cid (S-1-5-21-2634632689-992284068-1313363551-2045) - cid
Account Operators (S-1-5-32-548) - -1
seint (S-1-5-21-2634632689-992284068-1313363551-2157) - seint
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
-
[EMAIL PROTECTED] ~]# cat /etc/samba/smb.conf
log level = 4
netbios name = pd1
workgroup = pd
os level = 200
preferred master = no
domain master = yes
local master = no
wins support = no
wins server = 192.168.18.14
name resolve order = wins lmhosts
enhanced browsing = no
security = user
encrypt passwords = yes
domain logons = yes
logon path =
logon drive = Z:
logon home = \\%L\%u
logon script = logon.bat
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
use client driver = yes
host msdfs = yes
guest account = guest
map to guest = bad user
username map = /etc/samba/smbusers
admin users = @domainadmin


Re: [Samba] Domain Admins don't have enough privileges

2004-12-28 Thread Ryan Novosielski
This did not work this way for Samba 2.2.x -- it was not good enough to 
use admin users = to my knowledge. Has this changed, or was I mistaken 
to begin with?

 _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - User Support Spec. III
|$| |__| |  | |__/ | \| _|  | [EMAIL PROTECTED] - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
On Mon, 27 Dec 2004, Gémes Géza wrote:
Bostjan Müller írta:
On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza [EMAIL PROTECTED] 
wrote:

Bostjan Müller írta:

Hi everyone,
I am trying to create a couple users (not root) who would be in Domain
Admins group, and would have the permissions to add machine to domain.
I can confirm that locally (I used sudo without password) as any of
the users of ntadm group, and each and everyone of them can add a user
to the passwd file.
They are also local admins on NT/200X/XP machines when they log in on
windows side, but neither of them can add a machine to domain via the
windows GUI.
The only user that can do that is the user root.
I have googled a lot, and all I could find was the user has to be
Domain Admin, and he has to have the unix rights to add the machine
account.
Can someone please explain to me what else has to be done for this to 
work?

THX in advance,
Bostjan

By design Windows workstations treat users belonging to the Domain
Admins group as Administrators (the Domain Admins group becomes a member of
the local Administrators group when the workstation joins the domain).
As Samba needs a posix account for each samba account (even for
workstations), and on *nix only root (uid=0) can create users
(accounts), you need a way to tell samba to treat some users as root.
This is the reason of existence for the admin users smb.conf parameter.
Specify admin users = @domainjoiners in the global section, and members
of the domainjoiners group will be able to create accounts, and do all
the nasty things allowed only to root (add/remove/modify shares/users)
(if you configure them in smb.conf). You can limit their access to
files/folders, by specifying admin users = root on the share definitions.
Good Luck!
Geza

Thx, but I also tried that, and the problem was, that if I added the
users to root line of smbusers:
root = user1, user2, user3
They would all map to user root, even using the same password as root
(not their own) to authenticate, which is of no use to me, because I
want to have users that do NOT have the root password.
--
buhdej evridej
You don't need to do anything with the smbusers file!
Just specify:
admin users = user1, user2, user3
or better:
admin users = @somegroup
in the [Global] section of your smb.conf
and if you are paranoid (like me ;-) )
specify
admin users = root
on every share definition
Cheers,
Geza

Re: [Samba] Domain Admins don't have enough privileges

2004-12-28 Thread Gémes Géza
Ryan Novosielski írta:
This did not work this way for Samba 2.2.x -- it was not good enough 
to use admin users = to my knowledge. Has this changed, or was I 
mistaken to begin with?

 _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - User Support Spec. III
|$| |__| |  | |__/ | \| _|  | [EMAIL PROTECTED] - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
On Mon, 27 Dec 2004, Gémes Géza wrote:
Bostjan Müller írta:
On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza 
[EMAIL PROTECTED] wrote:

Bostjan Müller írta:

Hi everyone,
I am trying to create a couple users (not root) who would be in 
Domain
Admins group, and would have the permissions to add machine to 
domain.

I can confirm that locally (I used sudo without password) as any of
the users of ntadm group, and each and everyone of them can add a 
user
to the passwd file.
They are also local admins on NT/200X/XP machines when they log in on
windows side, but neither of them can add a machine to domain via the
windows GUI.
The only user that can do that is the user root.

I have googled a lot, and all I could find was the user has to be
Domain Admin, and he has to have the unix rights to add the machine
account.
Can someone please explain to me what else has to be done for this 
to work?

THX in advance,
Bostjan

By design Windows workstations treat users belonging to the Domain
Admins group as Administrators (the Domain Admins group becomes a member of
the local Administrators group when the workstation joins the domain).
As Samba needs a posix account for each samba account (even for
workstations), and on *nix only root (uid=0) can create users
(accounts), you need a way to tell samba to treat some users as root.
This is the reason of existence for the admin users smb.conf parameter.
Specify admin users = @domainjoiners in the global section, and 
members
of the domainjoiners group will be able to create accounts, and do all
the nasty things allowed only to root (add/remove/modify shares/users)
(if you configure them in smb.conf). You can limit their access to
files/folders, by specifying admin users = root on the share 
definitions.

Good Luck!
Geza

Thx, but I also tried that, and the problem was, that if I added the
users to root line of smbusers:
root = user1, user2, user3
They would all map to user root, even using the same password as root
(not their own) to authenticate, which is of no use to me, because I
want to have users that do NOT have the root password.
--
buhdej evridej
You don't need to do anything with the smbusers file!
Just specify:
admin users = user1, user2, user3
or better:
admin users = @somegroup
in the [Global] section of your smb.conf
and if you are paranoid (like me ;-) )
specify
admin users = root
on every share definition
Cheers,
Geza
That setup works fine for me (last time checked with 3.0.8 (it was the 
then current version, when I last joined a w2k box to the domain))

Cheers,
Geza


[Samba] Domain Admins don't have enough privileges

2004-12-27 Thread Bostjan Müller
Hi everyone,

I am trying to create a couple users (not root) who would be in Domain
Admins group, and would have the permissions to add machine to domain.

I can confirm that locally (I used sudo without password) as any of
the users of ntadm group, and each and everyone of them can add a user
to the passwd file.
They are also local admins on NT/200X/XP machines when they log in on
windows side, but neither of them can add a machine to domain via the
windows GUI.
The only user that can do that is the user root.

I have googled a lot, and all I could find was the user has to be
Domain Admin, and he has to have the unix rights to add the machine
account.

Can someone please explain to me what else has to be done for this to work?

THX in advance,
Bostjan
-- 
buhdej evridej


Re: [Samba] Domain Admins don't have enough privileges

2004-12-27 Thread Gémes Géza
Bostjan Müller írta:
Hi everyone,
I am trying to create a couple users (not root) who would be in Domain
Admins group, and would have the permissions to add machine to domain.
I can confirm that locally (I used sudo without password) as any of
the users of ntadm group, and each and everyone of them can add a user
to the passwd file.
They are also local admins on NT/200X/XP machines when they log in on
windows side, but neither of them can add a machine to domain via the
windows GUI.
The only user that can do that is the user root.
I have googled a lot, and all I could find was the user has to be
Domain Admin, and he has to have the unix rights to add the machine
account.
Can someone please explain to me what else has to be done for this to work?
THX in advance,
Bostjan
 

By design Windows workstations treat users belonging to the Domain 
Admins group as Administrators (the Domain Admins group becomes a member of 
the local Administrators group when the workstation joins the domain).
As Samba needs a posix account for each samba account (even for 
workstations), and on *nix only root (uid=0) can create users 
(accounts), you need a way to tell samba to treat some users as root. 
This is the reason of existence for the admin users smb.conf parameter. 
Specify admin users = @domainjoiners in the global section, and members 
of the domainjoiners group will be able to create accounts, and do all 
the nasty things allowed only to root (add/remove/modify shares/users) 
(if you configure them in smb.conf). You can limit their access to 
files/folders, by specifying admin users = root on the share definitions.

Good Luck!
Geza


Re: [Samba] Domain Admins don't have enough privileges

2004-12-27 Thread Bostjan Müller
On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza [EMAIL PROTECTED] wrote:
 Bostjan Müller írta:
 
 Hi everyone,
 
 I am trying to create a couple users (not root) who would be in Domain
 Admins group, and would have the permissions to add machine to domain.
 
 I can confirm that locally (I used sudo without password) as any of
 the users of ntadm group, and each and everyone of them can add a user
 to the passwd file.
 They are also local admins on NT/200X/XP machines when they log in on
 windows side, but neither of them can add a machine to domain via the
 windows GUI.
 The only user that can do that is the user root.
 
 I have googled a lot, and all I could find was the user has to be
 Domain Admin, and he has to have the unix rights to add the machine
 account.
 
 Can someone please explain to me what else has to be done for this to work?
 
 THX in advance,
 Bostjan
 
 
 By design Windows workstations treat users belonging to the Domain
 Admins group as Administrators (the Domain Admins group becomes a member of
 the local Administrators group when the workstation joins the domain).
 As Samba needs a posix account for each samba account (even for
 workstations), and on *nix only root (uid=0) can create users
 (accounts), you need a way to tell samba to treat some users as root.
 This is the reason of existence for the admin users smb.conf parameter.
 Specify admin users = @domainjoiners in the global section, and members
 of the domainjoiners group will be able to create accounts, and do all
 the nasty things allowed only to root (add/remove/modify shares/users)
 (if you configure them in smb.conf). You can limit their access to
 files/folders, by specifying admin users = root on the share definitions.
 
 Good Luck!
 
 Geza
 

Thx, but I also tried that, and the problem was, that if I added the
users to root line of smbusers:
root = user1, user2, user3

They would all map to user root, even using the same password as root
(not their own) to authenticate, which is of no use to me, because I
want to have users that do NOT have the root password.

--
buhdej evridej


Re: [Samba] Domain Admins don't have enough privileges

2004-12-27 Thread Gémes Géza
Bostjan Müller írta:
On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza [EMAIL PROTECTED] wrote:
 

Bostjan Müller írta:
   

Hi everyone,
I am trying to create a couple users (not root) who would be in Domain
Admins group, and would have the permissions to add machine to domain.
I can confirm that locally (I used sudo without password) as any of
the users of ntadm group, and each and everyone of them can add a user
to the passwd file.
They are also local admins on NT/200X/XP machines when they log in on
windows side, but neither of them can add a machine to domain via the
windows GUI.
The only user that can do that is the user root.
I have googled a lot, and all I could find was the user has to be
Domain Admin, and he has to have the unix rights to add the machine
account.
Can someone please explain to me what else has to be done for this to work?
THX in advance,
Bostjan
 

By design Windows workstations treat users belonging to the Domain
Admins group as Administrators (the Domain Admins group becomes a member of
the local Administrators group when the workstation joins the domain).
As Samba needs a posix account for each samba account (even for
workstations), and on *nix only root (uid=0) can create users
(accounts), you need a way to tell samba to treat some users as root.
This is the reason of existence for the admin users smb.conf parameter.
Specify admin users = @domainjoiners in the global section, and members
of the domainjoiners group will be able to create accounts, and do all
the nasty things allowed only to root (add/remove/modify shares/users)
(if you configure them in smb.conf). You can limit their access to
files/folders, by specifying admin users = root on the share definitions.
Good Luck!
Geza
   

Thx, but I also tried that, and the problem was, that if I added the
users to root line of smbusers:
root = user1, user2, user3
They would all map to user root, even using the same password as root
(not their own) to authenticate, which is of no use to me, because I
want to have users that do NOT have the root password.
--
buhdej evridej
 

You don't need to do anything with the smbusers file!
Just specify:
admin users = user1, user2, user3
or better:
admin users = @somegroup
in the [Global] section of your smb.conf
and if you are paranoid (like me ;-) )
specify
admin users = root
on every share definition
Cheers,
Geza
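
The inheritance discussed in this thread (a global `admin users` line applying to every share unless a share sets its own), shown as an added example that is not part of the original messages: a small Python audit that computes the effective `admin users` list per share and reports the shares that still grant root-equivalent access to anyone other than root. The sample configuration, its share names and the helper names are constructed for illustration.

```python
import re

# Constructed sample: the global grant from the thread plus three shares,
# only one of which carries the per-share "admin users = root" override.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   admin users = @domainjoiners

[homes]
   read only = no

[projects]
   path = /srv/projects
   admin users = root

[scratch]
   path = /srv/scratch
"""


def _norm(name):
    """Lower-case a parameter name and collapse its internal whitespace."""
    return " ".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {param: value}}; lines before any header count as [global]."""
    sections = {"global": {}}
    current = "global"
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def split_names(value):
    """Split a user list on commas and/or whitespace."""
    return [n for n in re.split(r"[,\s]+", value) if n]


def effective_admin_users(text):
    """Per share, the admin users that apply: the share's own value, else the global one."""
    sections = parse_smb_conf(text)
    default = sections["global"].get("admin users", "")
    return {
        name: split_names(params.get("admin users", default))
        for name, params in sections.items()
        if name != "global"
    }


def shares_inheriting_admins(text, allowed=("root",)):
    """Shares whose effective admin users include anyone outside `allowed`."""
    allowed_set = set(allowed)
    report = {}
    for share, names in effective_admin_users(text).items():
        extra = [n for n in names if n not in allowed_set]
        if extra:
            report[share] = extra
    return report


if __name__ == "__main__":
    for share, names in shares_inheriting_admins(SAMPLE_CONF).items():
        print(f"[{share}] root-equivalent file access for: {', '.join(names)}")
```
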


[Samba] domain admins not being applied to windows box

2004-08-03 Thread Conrad Wood
Hi,

I have recently upgraded from samba 2.2 to samba 3.0.
I used to have domain admin group = @winadmin in my smb.conf,
but I understand from the documentation that it is deprecated
in favour of 
net groupmap set Domain Admin winadmin.

I would expect unix users who are members of the
unix group winadmin to become Domain Admins, then,
but they don't ?.

Do I understand this correctly that unix users
that are a member of the unix group winadmin
then will be advertised as being a member of
the NT Group Domain Admins to windows machines?
The windows box applies whatever permissions the
Domain Admins have for this box, by default Administrator?

My server is a debian gnu/linux box in a test environment.
My windows machine(s) are run within vmware, windows XP and 2k.

Details:

* snip **
on the server the groupmapping is as follows:
[EMAIL PROTECTED]:~# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-520677601-194623159-390525435-513) - cnw
Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) - winadmin
Domain Users (S-1-5-21-520677601-194623159-390525435-3005) - cnw
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - winadmin
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-520677601-194623159-390525435-514) - -1
Domain Admins (S-1-5-21-520677601-194623159-390525435-512) - winadmin
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - winadmin


On windows it seems to accept that ish:
(intended to copy and paste from a msdos box but failed miserably
so here's the written out extract ;) )
c:\net user cnw /DOMAIN
 blurb
Local Group Memberships   *dialout - WTF???
Global Group memberships   *Domain Users *Domain Admins
The command completed sucessfully.
c:\

*

Doesn't above mean I should be administrator (when logged in
as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
However, if I try to open the TCP/IP properties windows tells me
that I do not have access...

I am new to samba 3.0 and so far only read the publicly available
documentation, so I would like to double check whether I understand
this correctly.

Thank you,

Conrad





Re: [Samba] domain admins not being applied to windows box

2004-08-03 Thread Paul Gienger
If you look at your group mapping list, you have duplicates for Domain 
Users and Domain Admins.  Delete these mappings with the net groupmap 
command (you may have to delete each twice) and then re-add them.  The 
SIDs should be the -5xx ones, not -1219 or -3005

Conrad Wood wrote:
Hi,
I have recently upgraded from samba 2.2 to samba 3.0.
I used to have domain admin group = @winadmin in my smb.conf,
but I understand from the documentation that it is deprecated
in favour of 
net groupmap set Domain Admin winadmin.

I would expect unix users who are members of the
unix group winadmin to become Domain Admins, then,
but they don't ?.
Do I understand this correctly that unix users
that are a member of the unix group winadmin
then will be advertised as being a member of
the NT Group Domain Admins to windows machines?
The windows box applies whatever permissions the
Domain Admins have for this box, by default Administrator?
My server is a debian gnu/linux box in a test environment.
My windows machine(s) are run within vmware, windows XP and 2k.
Details:
* snip **
on the server the groupmapping is as follows:
[EMAIL PROTECTED]:~# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-520677601-194623159-390525435-513) - cnw
Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) - winadmin
Domain Users (S-1-5-21-520677601-194623159-390525435-3005) - cnw
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - winadmin
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-520677601-194623159-390525435-514) - -1
Domain Admins (S-1-5-21-520677601-194623159-390525435-512) - winadmin
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - winadmin

On windows it seems to accept that ish:
(intended to copy and paste from a msdos box but failed miserably
so here's the written out extract ;) )
c:\net user cnw /DOMAIN
 blurb
Local Group Memberships   *dialout - WTF???
Global Group memberships   *Domain Users *Domain Admins
The command completed sucessfully.
c:\
*
Doesn't above mean I should be administrator (when logged in
as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
However, if I try to open the TCP/IP properties windows tells me
that I do not have access...
I am new to samba 3.0 and so far only read the publicly available
documentation, so I would like to double check whether I understand
this correctly.
Thank you,
Conrad

 

--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. 
Information Systems Consultant   Fax:701-281-1322
URL: www.ae-solutions.commailto: [EMAIL PROTECTED]
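
The check described in the reply above, as an added example that is not part of the original thread: a Python audit of `net groupmap list` output that reports NT group names mapped more than once and Domain Admins/Users/Guests entries whose RID is not 512/513/514. It goes one step further and also reports listings carrying more than one domain SID, as in the `net groupmap list` output posted earlier on this page. The sample lines are copied from the listing quoted in this thread; the function names are made up for the example.

```python
import re
from collections import defaultdict

# Well-known RIDs that Windows clients expect for these global groups.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# One line of `net groupmap list`: "NT name (SID) -> unixgroup".
# The archived copy lost the ">" of the arrow, so "->" and "-" are both accepted.
LINE_RE = re.compile(
    r"^\s*(?P<nt>.+?)\s+\((?P<sid>S-1-[0-9-]+)\)\s+->?\s+(?P<unix>\S+)\s*$"
)

# Listing as quoted in the thread (arrow shown the way the archive rendered it).
SAMPLE_LISTING = """\
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-520677601-194623159-390525435-513) - cnw
Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) - winadmin
Domain Users (S-1-5-21-520677601-194623159-390525435-3005) - cnw
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - winadmin
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-520677601-194623159-390525435-514) - -1
Domain Admins (S-1-5-21-520677601-194623159-390525435-512) - winadmin
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - winadmin
"""


def parse_groupmap(text):
    """Parse the listing into dicts with the SID split into domain part and RID."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts, blank lines and anything unparseable
        domain, _, rid = m["sid"].rpartition("-")
        entries.append({"nt": m["nt"], "sid": m["sid"], "domain": domain,
                        "rid": int(rid), "unix": m["unix"]})
    return entries


def audit_groupmap(text):
    """Return a list of (kind, nt_group, sids) findings."""
    entries = parse_groupmap(text)
    findings = []

    # 1. The same NT group name mapped more than once.
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["nt"]].append(e["sid"])
    for name in sorted(by_name):
        if len(by_name[name]) > 1:
            findings.append(("duplicate-name", name, by_name[name]))

    # 2. A well-known domain group carrying a RID other than its 5xx value.
    for e in entries:
        expected = WELL_KNOWN_RIDS.get(e["nt"])
        if expected is not None and e["rid"] != expected:
            findings.append(("unexpected-rid", e["nt"], [e["sid"]]))

    # 3. Mappings from more than one domain SID (S-1-5-21-x-y-z) in one database.
    domains = sorted({e["domain"] for e in entries
                      if e["domain"].startswith("S-1-5-21-")})
    if len(domains) > 1:
        findings.append(("multiple-domain-sids", "", domains))
    return findings


if __name__ == "__main__":
    for kind, name, sids in audit_groupmap(SAMPLE_LISTING):
        print(f"{kind:22} {name:15} {', '.join(sids)}")
```
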



Re: [Samba] domain admins not being applied to windows box

2004-08-03 Thread Conrad Wood
D'uh!
Thanks for pointing that out ;)
It works well now.
The bit that got me confused was section 11.2 in the
samba manual. The sample commands there, if typed in as they are,
actually create another Domain Admins group ;(
Maybe that could be explained a bit better, such as

 section 11.2 ***
3. Create the Domain Admins group and map it to the
unixgroup domadm by running...


Thanks a lot,

Conrad

On Tue, 2004-08-03 at 13:36, Paul Gienger wrote:
 If you look at your group mapping list, you have duplicates for Domain 
 Users and Domain Admins.  Delete these mappings with the net groupmap 
 command (you may have to delete each twice) and then re-add them.  The 
 SIDs should be the -5xx ones, not -1219 or -3005
 
 Conrad Wood wrote:
 
 Hi,
 
 I have recently upgraded from samba 2.2 to samba 3.0.
 I used to have domain admin group = @winadmin in my smb.conf,
 but I understand from the documentation that it is deprecated
 in favour of 
 net groupmap set Domain Admin winadmin.
 
 I would expect unix users who are members of the
 unix group winadmin to become Domain Admins, then,
 but they don't ?.
 
 Do I understand this correctly that unix users
 that are a member of the unix group winadmin
 then will be advertised as being a member of
 the NT Group Domain Admins to windows machines?
 The windows box applies whatever permissions the
 Domain Admins have for this box, by default Administrator?
 
 My server is a debian gnu/linux box in a test environment.
 My windows machine(s) are run within vmware, windows XP and 2k.
 
 Details:
 
 * snip **
 on the server the groupmapping is as follows:
 [EMAIL PROTECTED]:~# net groupmap list
 System Operators (S-1-5-32-549) - -1
 Replicators (S-1-5-32-552) - -1
 Guests (S-1-5-32-546) - -1
 Domain Users (S-1-5-21-520677601-194623159-390525435-513) - cnw
 Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) - winadmin
 Domain Users (S-1-5-21-520677601-194623159-390525435-3005) - cnw
 Power Users (S-1-5-32-547) - -1
 Print Operators (S-1-5-32-550) - -1
 Administrators (S-1-5-32-544) - winadmin
 Account Operators (S-1-5-32-548) - -1
 Domain Guests (S-1-5-21-520677601-194623159-390525435-514) - -1
 Domain Admins (S-1-5-21-520677601-194623159-390525435-512) - winadmin
 Backup Operators (S-1-5-32-551) - -1
 Users (S-1-5-32-545) - winadmin
 
 
 On windows it seems to accept that ish:
 (intented to copy and paste from a msdos box but failed miserably
 so here's the written out extract ;) )
 c:\net user cnw /DOMAIN
  blurb
 Local Group Memberships   *dialout - WTF???
 Global Group memberships   *Domain Users *Domain Admins
 The command completed sucessfully.
 c:\
 
 *
 
 Doesn't above mean I should be administrator (when logged in
 as cnw)? (And before you ask, cnw *is* a member of winadmin ;) )
 However, if I try to open the TCP/IP properties windows tells me
 that I do not have access...
 
 I am new to samba 3.0 and so far only read the publicly available
 documentation, so I would like to double check whether I understand
 this correctly.
 
 Thank you,
 
 Conrad
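
The check Paul Gienger describes in this message (duplicate Domain Users / Domain Admins mappings, and domain groups whose SID does not end in the expected -5xx RID), written out as an added example; it is not part of the original thread and not Samba's own code. The function names are hypothetical, the sample is the listing posted in this message, and the parser accepts the `-` separator as it appears on this page as well as `->`.

```python
import re
from collections import defaultdict

# Sample input: the `net groupmap list` output posted in the thread above.
SAMPLE_LISTING = """\
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-520677601-194623159-390525435-513) - cnw
Domain Admins (S-1-5-21-520677601-194623159-390525435-1219) - winadmin
Domain Users (S-1-5-21-520677601-194623159-390525435-3005) - cnw
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - winadmin
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-520677601-194623159-390525435-514) - -1
Domain Admins (S-1-5-21-520677601-194623159-390525435-512) - winadmin
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - winadmin
"""

# Well-known RIDs of the domain groups that Windows clients look for.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# "NT group name (SID) - unixgroup"; the separator may be "-" or "->".
LINE_RE = re.compile(
    r"^\s*(?P<name>.+?) \((?P<sid>S-1-\d+(?:-\d+)+)\)\s+->?\s+(?P<unix>\S+)\s*$"
)


def parse_groupmap(text):
    """Return (nt_group, sid, unix_group) tuples for every mapping line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries


def audit_groupmap(entries):
    """Return (kind, nt_group, detail) findings for the well-known domain groups."""
    findings = []
    sids_by_name = defaultdict(list)
    for name, sid, unix in entries:
        sids_by_name[name].append(sid)
        expected = WELL_KNOWN_RIDS.get(name)
        if expected is None:
            continue  # builtin or site-specific group: only checked for duplicates
        rid = int(sid.rsplit("-", 1)[1])
        if rid != expected:
            # e.g. a second "Domain Admins" created with an arbitrary RID
            findings.append(("wrong-rid", name, sid))
        elif unix == "-1":
            # correct SID, but no Unix group behind it
            findings.append(("unmapped", name, sid))
    for name, sids in sids_by_name.items():
        if len(sids) > 1:
            findings.append(("duplicate", name, tuple(sids)))
    for name in WELL_KNOWN_RIDS:
        if name not in sids_by_name:
            findings.append(("missing", name, None))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit_groupmap(parse_groupmap(SAMPLE_LISTING)):
        print(f"{kind:10} {name:15} {detail}")
```

Feed it the output of `net groupmap list` from the server being checked; an empty result means each of the three domain groups appears once, with its -5xx SID, mapped to a Unix group.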
 
 
 
   
 



[Samba] domain admins and Samba 3.0.2

2004-03-25 Thread Janet Dickson
Hi

I've been running Samba 2.x for years but decided to move up to 3.0.2. I've set 
up a new samba server with a workgroup NEWBIOSS and netbios name PARETO.
I'm having problems setting up my domain admins.
I used
'net groupmap modify Domain Admins unixgroup=domadmin'

my 'net groupmap list' shows :
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-1375496003-1846269575-2512961765-513) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Admins (S-1-5-21-1375496003-1846269575-2512961765-512) - domadmin
Backup Operators (S-1-5-32-551) - -1
Domain Guests (S-1-5-21-1375496003-1846269575-2512961765-514) - -1
Users (S-1-5-32-545) - -1
net getlocalsid
SID for domain PARETO is: S-1-5-21-1375496003-1846269575-2512961765
ypcat group |grep domadmin
domadmin:*:60:janet,myles,alec
user janet is in group 60

On the PC (Win 2K) it says :
You are logged in as NEWBIOSS\janet, which is not a member of the Administrators 
group

But when I check under 'Local Users and Groups' Administrator properties, it 
includes
NEWBIOSS\Domain Admins(S-1-5-21-1375496003-184...

I've checked out the thread about domain admins in January, but cannot see where 
I'm going wrong. I've been running samba 2.2.5 with
'domain admin group = root @domadmin' in smb.conf for ages with no problems

Can anyone help ?

I have a huge level 3 debug if anyone can understand it.

	Janet

*
Janet Dickson| http://www.bioss.ac.uk/~janet
Biomathematics & Statistics Scotland | email: [EMAIL PROTECTED]
The King's Buildings, Mayfield Rd| Telephone: +44 (0) 131 650 4888
Edinburgh EH9 3JZ, Scotland, UK. | Fax: +44 (0) 131 650 4901
*


Re: [Samba] domain admins and Samba 3.0.2

2004-03-25 Thread Gémes Géza
Janet Dickson wrote:

| Hi
|
| I've been running Samba 2.x for years but decided to move up to 3.0.2.
| I've set up a new samba server with a workgroup NEWBIOSS and netbios
| name PARETO.
| Im having problems setting up my domain admins.
| I used
| 'net groupmap modify Domain Admins unixgroup=domadmin'
|
| my 'net groupmap list' shows :
| System Operators (S-1-5-32-549) - -1
| Replicators (S-1-5-32-552) - -1
| Guests (S-1-5-32-546) - -1
| Domain Users (S-1-5-21-1375496003-1846269575-2512961765-513) - -1
| Power Users (S-1-5-32-547) - -1
| Print Operators (S-1-5-32-550) - -1
| Administrators (S-1-5-32-544) - -1
| Account Operators (S-1-5-32-548) - -1
| Domain Admins (S-1-5-21-1375496003-1846269575-2512961765-512) - domadmin
| Backup Operators (S-1-5-32-551) - -1
| Domain Guests (S-1-5-21-1375496003-1846269575-2512961765-514) - -1
| Users (S-1-5-32-545) - -1
|
| net getlocalsid
| SID for domain PARETO is: S-1-5-21-1375496003-1846269575-2512961765
|
| ypcat group |grep domadmin
| domadmin:*:60:janet,myles,alec
|
| user janet is in group 60
|
| On the PC (Win 2K) it says :
| You are logged in as NEWBIOSS\janet, which is not a member of the
| Administrators group
|
| But when I check under 'Local Users and Groups' Administrator
| properties, it includes
| NEWBIOSS\Domain Admins(S-1-5-21-1375496003-184...
|
| I've checked out the thread about domain admins in January, but cannot
| see where I'm going wrong. I've been running samba 2.2.5 with
| 'domain admin group = root @domadmin' in smb.conf for ages with no
| problems
|
| Can anyone help ?
|
| I have a huge level 3 debug if anyone can understand it.
|
| Janet
Hi,

You haven't mapped your Domain Users, and Domain Guests group, which
could confuse your Windows clients
Cheers,

Geza


Re: [Samba] domain admins and Samba 3.0.2

2004-03-25 Thread Janet Dickson
Gémes Géza wrote:

> Hi,
>
> You haven't mapped your Domain Users, and Domain Guests group, which
> could confuse your Windows clients

That has made no difference.
I've restarted samba, rejoined the PC to the domain, still says I'm not a
member of the Admin group.

By the way, when I run 'smbstatus -b' all I get is
sessionid.tdb not initialised
	Janet

*
Janet Dickson| http://www.bioss.ac.uk/~janet
Biomathematics & Statistics Scotland | email: [EMAIL PROTECTED]
The King's Buildings, Mayfield Rd| Telephone: +44 (0) 131 650 4888
Edinburgh EH9 3JZ, Scotland, UK. | Fax: +44 (0) 131 650 4901
*


[Samba] domain admins no longer recognized after reboot?

2004-01-12 Thread Brett Dikeman
Ok- very odd behavior here.  Our Samba 3.0.0 server was happy as a clam,
domain admins were recognized by client systems.
We rebooted the server recently- the only real change we've made to it-
and now, domain admins aren't recognized.  However,  I was able to use a
user who is supposed to be a domain admin to join a machine to the
domain(!)  Imagine my surprise when Windows Update said Administrators
Only!  Same thing on an 'old' box; it no longer recognizes me as a
domain admin.
The RID for Domain Administrator matches- 512, according to 'net
groupmap list'.  From a Win2k Server, using usrmgr, I can verify that
the groups exist, and the users I'm expecting to be in the admin
group(s) are.  What else should I check?  We've got System Operators,
Domain Admins, and Administrators all mapped to the unix group domadm,
and this setup was working fine.  I'm stumped...
Thanks!
Brett


[Samba] domain admins no longer recognized after reboot?

2004-01-02 Thread Brett Dikeman
Ok- very odd behavior here.  Our Samba 3.0.0 server was happy as a clam, 
domain admins were recognized by client systems.

We rebooted the server recently- the only real change we've made to it- 
and now, domain admins aren't recognized.  However,  I was able to use a 
user who is supposed to be a domain admin to join a machine to the 
domain(!)  Imagine my surprise when Windows Update said Administrators 
Only!  Same thing on an 'old' box; it no longer recognizes me as a 
domain admin.

The RID for Domain Administrator matches- 512, according to 'net 
groupmap list'.  From a Win2k Server, using usrmgr, I can verify that 
the groups exist, and the users I'm expecting to be in the admin 
group(s) are.  What else should I check?  We've got System Operators, 
Domain Admins, and Administrators all mapped to the unix group domadm, 
and this setup was working fine.  I'm stumped...

Thanks!
Brett


[Samba] Domain Admins?

2002-11-27 Thread Wyatt L. VanderStucken
Hello all,

Let me say first I'm very new to Linux (only had it running 3 days), so
bear with me if I'm a bit ignorant. I'm unsure if I should even post
this here, or if this list is exclusively for hardware issues...

I'm running into difficulties (on a win2k client) adding the Samba
Domain Admins group to the Windows Administrators group. I am able
to log into the domain, the Domain Admins group shows in the list of
available groups from the Samba server, but when I click Apply I
receive the message:

A member could not be added to or removed from the local group because
the member does not exist

I'm fairly certain I followed the setup correctly; I added a group
called domadm to the etc/group file and added a user to that group
using usermod. I've tried several configurations in smb.conf with
domain admin group and domain admin users including:

1. domain admin group = @domadm

2. domain admin group = root @domadm

3. domain admin group = @domadm
   domain admin users = root

For the record I'm it's a brand new stable installation on a Performa
6400/180, the Windows machine is running win2k professional with all
updates from windows update. I doubt that hardware makes a difference,
but if you need to know, ask.

Sorry if this has been long winded, I appreciate any help anybody can
offer. Lastly, let me say I'm very impressed by Debian, and Linux as a
whole. I look forward to learning much more, and hope I can soon make my
own contributions...

Thanks in advance for your help.

Wyatt





Re: [Samba] Domain Admins?

2002-11-27 Thread Gémes Géza
The good news is that you don't really need it, because when you log in to
a domain as a member of the Domain Admins group, you will automatically receive
Local Administrator privileges on the given workstation. It's working for
me.

Best Regards

Geza Gemes
- Original Message -
From: Wyatt L. VanderStucken [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 27, 2002 7:19 PM
Subject: [Samba] Domain Admins?


> Hello all,
>
> Let me say first I'm very new to Linux (only had it running 3 days), so
> bear with me if I'm a bit ignorant. I'm unsure if I should even post
> this here, or if this list is exclusively for hardware issues...
>
> I'm running into difficulties (on a win2k client) adding the Samba
> Domain Admins group to the Windows Administrators group. I am able
> to log into the domain, the Domain Admins group shows in the list of
> available groups from the Samba server, but when I click Apply I
> receive the message:
>
> A member could not be added to or removed from the local group because
> the member does not exist
>
> I'm fairly certain I followed the setup correctly; I added a group
> called domadm to the etc/group file and added a user to that group
> using usermod. I've tried several configurations in smb.conf with
> domain admin group and domain admin users including:
>
> 1. domain admin group = @domadm
>
> 2. domain admin group = root @domadm
>
> 3. domain admin group = @domadm
>    domain admin users = root
>
> For the record I'm it's a brand new stable installation on a Performa
> 6400/180, the Windows machine is running win2k professional with all
> updates from windows update. I doubt that hardware makes a difference,
> but if you need to know, ask.
>
> Sorry if this has been long winded, I appreciate any help anybody can
> offer. Lastly, let me say I'm very impressed by Debian, and Linux as a
> whole. I look forward to learning much more, and hope I can soon make my
> own contributions...
>
> Thanks in advance for your help.
>
> Wyatt





[Samba] Domain Admins

2002-10-11 Thread Irving Carrion

Hello All!

I'm trying to troubleshoot a domain admin problem and I'm stuck at a log
error msg. The log says the following:

 get_domain_user_groups: primary gid of user [root] is not a Domain group !
 get_domain_user_groups: You should fix it, NT doesn't like that

My goal is so that anyone in the Domain Admins group (by default) have
administrative access to all member pc's of the domain. Currently, the
pc's don't recognize any of the domain admins I've set according to
man smbgroupedit.

Anyone out there have a clue.

Mucho Thanks!

IRV

FYI: My version of Samba is 2.999+3.0.alpha20-2


RE: [Samba] Domain Admins

2002-10-11 Thread Irving Carrion

Update:

When I run smbgroupedit l the Domain Admins group shows the following:

Domain Admins
    SID       : S-1-5-21-2879687004-3117605197-2714178016-512
    Unix group: domainadmins
    Group type: Unknown type
    Comment   :
    Privilege : SaAddUsers SeMachineAccountPrivilege SaPrintOp

Why is Group type listed as Unknown type.
Could this be the source of my problem?

Any help much appreciated!

IRV

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Irving Carrion
Sent: Friday, October 11, 2002 12:41 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Domain Admins

Hello All!

I'm trying to troubleshoot a domain admin problem and I'm stuck at a log
error msg. The log says the following:

 get_domain_user_groups: primary gid of user [root] is not a Domain group !
 get_domain_user_groups: You should fix it, NT doesn't like that

My goal is so that anyone in the Domain Admins group (by default) have
administrative access to all member pc's of the domain. Currently, the
pc's don't recognize any of the domain admins I've set according to
man smbgroupedit.

Anyone out there have a clue.

Mucho Thanks!

IRV

FYI: My version of Samba is 2.999+3.0.alpha20-2


RE: [Samba] Domain Admins

2002-10-08 Thread Irving Carrion

Bradley W. Langhorst wrote,

> how are you assessing whether this is working or not?
> i consider the mapping to work if i can specify
> one of my domain groups as a part of a local group and
> the rsop tool says that a member of that group has the appropriate
> permissions..
>
> everything you've shown looks good to me - how do you know if it is
> working or not?

Brad

Brad, when I was running an NT network or Samba Version 2.2.3a it worked
fine.  That is to say all domain admins were able to log in as admin to
all pc's who were members of the domain.  Now, I can go to each PC and
specify that user1 be local admin, but something tells me there is
another way.

For example, if let's say I install a new pc with Win2k pro and then join
it to the domain.  Now I log in as a domain admin.  When I perform a
Windows Update, it says that only administrators can update the pc.  So,
why is it that this PC does not know I am a domain admin.

Sorry but what is rsop tool?

Thanks for your help...really appreciate it!
IRV




RE: [Samba] Domain Admins

2002-10-08 Thread Irving Carrion

Bradley W. Langhorst wrote,

> I can't explain that - maybe somebody else who knows can chime in...
> I don't think it makes sense for a Domain Admin to automatically have
> Local administrative rights...

brad

This is what I read from: 
 Mastering Windows NT Server 4 6th Edition page 375

By default, the built-in Domain Admins global group is a member of both
the domain's Administrators local group and the Administrators local
groups for every NT workstation in the domain.

So, I wonder if this has been removed in the new version of SAMBA or if
it no longer does this by default?

Anyone know anything about this?




[Samba] Domain Admins

2002-10-07 Thread Irving Carrion

Hello All!!

We just recently upgraded our SAMBA server from 2.2.3a to
2.999+3.0cvs20.  Minor problems have aroused.  One of which is Domain
Admins.  For some reason I (Domain Admin) don't have administrative
privileges on any PC on the network.  What have I screwed up?

I've posted my smb.conf below.

Really appreciate any help!  Thanks!

//BEGIN SMB.CONF
# Global parameters
[global]
workgroup = OURDOMAIN.COM
netbios name = SAMBA
server string = %h server (Samba %v)
security = user
encrypt passwords = true
#passdb backend = tdbsam unixsam
passdb backend = tdbsam:/etc/samba/passdb.tdb unixsam
null passwords = Yes
passwd program = /usr/bin/passwd %u
#   debuglevel = 10
non unix account range = 1-2
#add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain admin group = domadm
admin users = domadm
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
logon script = logonscript.bat
logon path = 
logon home = 
domain logons = Yes
os level = 64
preferred master = True
domain master = True
dns proxy = No
wins support = Yes
hosts allow = 127.0.0.1/255.255.255.0, 192.0.0.0/255.255.255.0, 193.0.0.0/255.255.255.0, 194.0.0.0/255.255.255.0, 195.0.0.0/255.255.255.0, 196.0.0.0/255.255.255.0, 197.0.0.0/255.255.255.0, 198.0.0.0/255.255.255.0, 199.0.0.0/255.255.255.0
printcap name = lpstat
printing = cups
use client driver = Yes
print command = lp -d%p -oraw %s; rm %s
lpq command = lpstat -o%p
lprm command = cancel %p-%j
queuepause command = disable %p
queueresume command = enable %p
printer admin = wheel
#use spnego = no

[homes]
comment = Home Directories
read only = No
create mask = 0775
directory mask = 0775
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
share modes = No

[printers]
comment = All Printers
path = /tmp
printable = Yes
browseable = No
show add printer wizard = yes

[aisfax]
comment = AIS Fax
path = /tmp
lpq command = /usr/local/smbfax/smbfax show
lprm command = /usr/local/smbfax/smbfax dequeue %j
print command = /usr/local/smbfax/smbfax -r queue %u %s
queuepause command = /bin/true
queueresume command = /bin/true
postscript = true
browseable = yes
printable = yes
writable = no
create mode = 0700
printing = cups
guest ok = yes
//END SMB.CONF




Re: [Samba] Domain Admins

2002-10-07 Thread Bradley W. Langhorst

If you reply to unrelated threads your message gets
sorted with those in many mail clients...
that means that some people won't see your message unless they're
following that thread (in this case the Firewall Effects on Samba thread)


On Mon, 2002-10-07 at 10:04, Irving Carrion wrote:
> Hello All!!
>
> We just recently upgraded our SAMBA server from 2.2.3a to
> 2.999+3.0cvs20.  Minor problems have aroused.  One of which is Domain
> Admins.  For some reason I (Domain Admin) don't have administrative
> privileges on any PC on the network.  What have I screwed up?
 
I'm pretty sure that the domain admins parameter is not working
anymore...
Instead you need to use the new smbgroupedit to map a unix group to the
domain admins group

good luck

brad





[Samba] Domain Admins

2002-10-07 Thread Irving Carrion

Yes I'm using smbgroupedit and have read man smbgroupedit.  Is
there anyone in the list that has Domain Admins working on Samba
Version 2.999+3.0cvs20.

-Original Message-
From: Bradley W. Langhorst [mailto:[EMAIL PROTECTED]] 
Sent: Monday, October 07, 2002 11:08 AM
To: Irving Carrion
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Domain Admins

On Mon, 2002-10-07 at 10:04, Irving Carrion wrote:
> Hello All!!
>
> We just recently upgraded our SAMBA server from 2.2.3a to
> 2.999+3.0cvs20.  Minor problems have aroused.  One of which is Domain
> Admins.  For some reason I (Domain Admin) don't have administrative
> privileges on any PC on the network.  What have I screwed up?
 
I'm pretty sure that the domain admins parameter is not working
anymore...
Instead you need to use the new smbgroupedit to map a unix group to the
domain admins group

good luck

brad





RE: [Samba] Domain Admins

2002-10-07 Thread Irving Carrion

I've read man smbgroupedit many times, over and over and OVER, and have
done step by step per the man page with no luck.  I thought maybe it
would be easier for one to help if they saw what I was doing. So I
posted a partial listing of group,passwd,smb.conf below.

Plz, plz, really need some help with this!

Thanks!
IRV


I have Samba Version 2.999+3.0.alpha from the debian unstable archives.


//BEGIN /ETC/GROUP
domainadmins:x:1001:administrator,user1,user2
//END /ETC/GROUP

//BEGIN /ETC/PASSWD
administrator:x:1218:1001:Administrator,,,:/home/administrator:/bin/bash

user1:x:1219:1001:User 1,,,:/home/user1:/bin/bash
user2:x:1220:1001:User 2,,,:/home/user2:/bin/bash
//END /ETC/PASSWD

HERE IS THE OUTPUT of  smbgroupedit -vs | grep Domain Admins
Domain Admins (S-1-5-21-2879687004-3117605197-2714178016-512) - domainadmins


//BEGIN SMB.CONF
# Global parameters
[global]
workgroup = DOMAIN1.COM
netbios name = SAMBA
server string = %h server (Samba %v)
security = user
encrypt passwords = true
passdb backend = tdbsam:/etc/samba/passdb.tdb unixsam
null passwords = Yes
passwd program = /usr/bin/passwd %u
non unix account range = 1-2
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

admin users = domainadmins
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
logon script = logonscript.bat
logon path =
logon home =
logon drive =
domain logons = Yes
os level = 64
preferred master = True
domain master = True
dns proxy = No
wins support = Yes
//END SMB.CONF





RE: [Samba] Domain Admins

2002-10-07 Thread Irving Carrion

Here is the output of smbgroupedit -td

NT group (SID) - Unix group
Domain Guests (S-1-5-21-2879687004-3117605197-2714178016-514) - -1
domainadmins (S-1-5-21-2879687004-3117605197-2714178016-3003) - domainadmins

I just rem'd out (admin users = @domainadmins) with no luck.

Do you have any other suggestions?

-Original Message-
From: Bradley W. Langhorst [mailto:[EMAIL PROTECTED]] 
Sent: Monday, October 07, 2002 5:53 PM
To: Irving Carrion
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Domain Admins

On Mon, 2002-10-07 at 17:38, Irving Carrion wrote:
> I've read man smbgroupedit many times, over and over and OVER, and have
> done step by step per the man page with no luck.  I thought maybe it
> would be easier for one to help if they saw what I was doing. So I
> posted a partial listing of group,passwd,smb.conf below.
>
> Plz, plz, really need some help with this!
>
> Thanks!
> IRV
>
>
> I have Samba Version 2.999+3.0.alpha from the debian unstable archives.
>
>
> //BEGIN /ETC/GROUP
> domainadmins:x:1001:administrator,user1,user2
> //END /ETC/GROUP
>
> //BEGIN /ETC/PASSWD
> administrator:x:1218:1001:Administrator,,,:/home/administrator:/bin/bash
>
> user1:x:1219:1001:User 1,,,:/home/user1:/bin/bash
> user2:x:1220:1001:User 2,,,:/home/user2:/bin/bash
> //END /ETC/PASSWD
>
> HERE IS THE OUTPUT of  smbgroupedit -vs | grep Domain Admins
> Domain Admins (S-1-5-21-2879687004-3117605197-2714178016-512) - domainadmins

did you make your domain admins a domain group  with -td?
just run smbgroupedit -td to see the domain groups...


> admin users = @domainadmins
have you tried without this line?


how are you assessing whether this is working or not?
i consider the mapping to work if i can specify 
one of my domain groups as a part of a local group and 
the rsop tool says that a member of that group has the appropriate
permissions...

i'm not using domain admins  - do you maybe need to add it the local
admins group?

brad




RE: [Samba] Domain Admins

2002-10-07 Thread Bradley W. Langhorst

On Mon, 2002-10-07 at 17:59, Irving Carrion wrote:
> Here is the output of smbgroupedit -td
>
> NT group (SID) - Unix group
> Domain Guests (S-1-5-21-2879687004-3117605197-2714178016-514) - -1
> domainadmins (S-1-5-21-2879687004-3117605197-2714178016-3003) - domainadmins
>
> I just rem'd out (admin users = domainadmins) with no luck.
>
> Do you have any other suggestions?
>
> how are you assessing whether this is working or not?
> i consider the mapping to work if i can specify
> one of my domain groups as a part of a local group and
> the rsop tool says that a member of that group has the appropriate
> permissions..

everything you've shown looks good to me - how do you know if it is working or not?

brad




[Samba] domain admins, and workstation software install permissions

2002-05-30 Thread lists

Hello -

1) Can I set up a group whose members are automatically able to install 
software on all workstations in the samba domain?

2) Does domain admins group confer to its members file access to all samba 
shares?


Thanks






Re: [Samba] domain admins, and workstation software install permissions

2002-05-30 Thread abartlet


On Thu, May 30, 2002 at 02:40:14AM -0400, lists wrote:
> Hello -
>
> 1) Can I set up a group whose members are automatically able to install
> software on all workstations in the samba domain?

Yes

(see 'domain admin group')

> 2) Does domain admins group confer to its members file access to all samba
> shares?

No

(see 'admin users')

Andrew Bartlett
