Re: [Samba] Domain Admins?
The good news are, that you don't relly need it, because, when you log in to a domain as member of the Domain Admins group, you will automaticaly receive Local Administrator priviledges on the given workstation. It's working for me. Best Regards Geza Gemes - Original Message - From: "Wyatt L. VanderStucken" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, November 27, 2002 7:19 PM Subject: [Samba] Domain Admins? > Hello all, > > Let me say first I'm very new to Linux (only had it running 3 days), so > bear with me if I'm a bit ignorant. I'm unsure if I should even post > this here, or if this list is exclusively for hardware issues... > > I'm running into difficulties (on a win2k client) adding the Samba > "Domain Admins" group to the Windows "Administrators" group. I am able > to log into the domain, the "Domain Admins" group shows in the list of > available groups from the Samba server, but when I click "Apply" I > receive the message: > > "A member could not be added to or removed from the local group because > the member does not exist" > > I'm fairly certain I followed the setup correctly; I added a group > called "domadm" to the etc/group file and added a user to that group > using usermod. I've tried several configurations in smb.conf with > "domain admin group" and "domain admin users" including: > > 1. domain admin group = @domadm > > 2. domain admin group = root @domadm > > 3. domain admin group = @domadm >domain admin users = root > > For the record I'm it's a brand new "stable" installation on a Performa > 6400/180, the Windows machine is running win2k professional with all > updates from windows update. I doubt that hardware makes a difference, > but if you need to know, ask. > > Sorry if this has been long winded, I appreciate any help anybody can > offer. Lastly, let me say I'm very impressed by Debian, and Linux as a > whole. I look forward to learning much more, and hope I can soon make my > own contributions... > > Thanks in advance for your help. > > Wyatt > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Domain Admins
If you reply to unrelated threads your message gets sorted with those in many mail clients... that means that some people won't see your message unless they're following that thread (in this case the Firewall Effects on Samba thread On Mon, 2002-10-07 at 10:04, Irving Carrion wrote: > Hello All!! > > We just recently upgraded our SAMBA server from 2.2.3a to > 2.999+3.0cvs20. Minor problems have aroused. One of which is "Domain > Admins". For some reason I (Domain Admin) don't have administrative > privileges on any PC on the network. What have I screwed up? > I'm pretty sure that the domain admins parameter is not working anymore... Instead you need to use the new smbgroupedit to map a unix group to the domain admins group good luck brad -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
I've read man smbgroupedit many times, over and over and OVER, and have done step by step per the man page with no luck. I thought maybe it would be easier for one to help if they saw what I was doing. So I posted a partial listing of group,passwd,smb.conf below. Plz, plz, really need some help with this! Thanks! IRV I have Samba Version 2.999+3.0.alpha from the debian unstable archives. //BEGIN /ETC/GROUP domainadmins:x:1001:administrator,user1,user2 //END /ETC/GROUP //BEGIN /ETC/PASSWD administrator:x:1218:1001:Administrator,,,:/home/administrator:/bin/bash user1:x:1219:1001:User 1,,,:/home/user1:/bin/bash user2:x:1220:1001:User 2,,,:/home/user2:/bin/bash //END /ETC/PASSWD HERE IS THE OUTPUT of "smbgroupedit -vs | grep "Domain Admins"" Domain Admins (S-1-5-21-2879687004-3117605197-2714178016-512) -> domainadmins //BEGIN SMB.CONF # Global parameters [global] workgroup = DOMAIN1.COM netbios name = SAMBA server string = %h server (Samba %v) security = user encrypt passwords = true passdb backend = tdbsam:/etc/samba/passdb.tdb unixsam null passwords = Yes passwd program = /usr/bin/passwd %u non unix account range = 1-2 add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n . unix password sync = Yes syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 admin users = @domainadmins add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u logon script = logonscript.bat logon path = logon home = logon drive = domain logons = Yes os level = 64 preferred master = True domain master = True dns proxy = No wins support = Yes //END SMB.CONF -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
On Mon, 2002-10-07 at 17:38, Irving Carrion wrote: > I've read man smbgroupedit many times, over and over and OVER, and have > done step by step per the man page with no luck. I thought maybe it > would be easier for one to help if they saw what I was doing. So I > posted a partial listing of group,passwd,smb.conf below. > > Plz, plz, really need some help with this! > > Thanks! > IRV > > > I have Samba Version 2.999+3.0.alpha from the debian unstable archives. > > > //BEGIN /ETC/GROUP > domainadmins:x:1001:administrator,user1,user2 > //END /ETC/GROUP > > //BEGIN /ETC/PASSWD > administrator:x:1218:1001:Administrator,,,:/home/administrator:/bin/bash > > user1:x:1219:1001:User 1,,,:/home/user1:/bin/bash > user2:x:1220:1001:User 2,,,:/home/user2:/bin/bash > //END /ETC/PASSWD > > HERE IS THE OUTPUT of "smbgroupedit -vs | grep "Domain Admins"" > Domain Admins (S-1-5-21-2879687004-3117605197-2714178016-512) -> > domainadmins > > > did you make your domain admins a domain group with -td? just run smbgroupedit -td to see the domain groups... > admin users = @domainadmins have you tried without this line? how are you assessing whether this is working or not? i consider the mapping to work if i can specify one of my domain groups as a part of a local group and the rsop tool says that a member of that group has the appropriate permissions... i'm not using domain admins - do you maybe need to add it the local admins group? brad -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
Here is the output of smbgroupedit -td NT group (SID) -> Unix group Domain Guests (S-1-5-21-2879687004-3117605197-2714178016-514) -> -1 domainadmins (S-1-5-21-2879687004-3117605197-2714178016-3003) -> domainadmins I just rem'd out (admin users = @domainadmins) with no luck. Do you have any other suggestions? -Original Message- From: Bradley W. Langhorst [mailto:[EMAIL PROTECTED]] Sent: Monday, October 07, 2002 5:53 PM To: Irving Carrion Cc: [EMAIL PROTECTED] Subject: RE: [Samba] Domain Admins On Mon, 2002-10-07 at 17:38, Irving Carrion wrote: > I've read man smbgroupedit many times, over and over and OVER, and have > done step by step per the man page with no luck. I thought maybe it > would be easier for one to help if they saw what I was doing. So I > posted a partial listing of group,passwd,smb.conf below. > > Plz, plz, really need some help with this! > > Thanks! > IRV > > > I have Samba Version 2.999+3.0.alpha from the debian unstable archives. > > > //BEGIN /ETC/GROUP > domainadmins:x:1001:administrator,user1,user2 > //END /ETC/GROUP > > //BEGIN /ETC/PASSWD > administrator:x:1218:1001:Administrator,,,:/home/administrator:/bin/bash > > user1:x:1219:1001:User 1,,,:/home/user1:/bin/bash > user2:x:1220:1001:User 2,,,:/home/user2:/bin/bash > //END /ETC/PASSWD > > HERE IS THE OUTPUT of "smbgroupedit -vs | grep "Domain Admins"" > Domain Admins (S-1-5-21-2879687004-3117605197-2714178016-512) -> > domainadmins > > > did you make your domain admins a domain group with -td? just run smbgroupedit -td to see the domain groups... > admin users = @domainadmins have you tried without this line? how are you assessing whether this is working or not? i consider the mapping to work if i can specify one of my domain groups as a part of a local group and the rsop tool says that a member of that group has the appropriate permissions... i'm not using domain admins - do you maybe need to add it the local admins group? brad -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
On Mon, 2002-10-07 at 17:59, Irving Carrion wrote: > Here is the output of smbgroupedit -td > > NT group (SID) -> Unix group > Domain Guests (S-1-5-21-2879687004-3117605197-2714178016-514) -> -1 > domainadmins (S-1-5-21-2879687004-3117605197-2714178016-3003) -> > domainadmins > > I just rem'd out (admin users = @domainadmins) with no luck. > > Do you have any other suggestions? > > how are you assessing whether this is working or not? > i consider the mapping to work if i can specify > one of my domain groups as a part of a local group and > the rsop tool says that a member of that group has the appropriate > permissions.. everything you've shown looks good to me - how do you know if it is working or not? brad -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
Bradley W. Lanhorst wrote, > > how are you assessing whether this is working or not? > i consider the mapping to work if i can specify > one of my domain groups as a part of a local group and > the rsop tool says that a member of that group has the appropriate > permissions.. > everything you've shown looks good to me - how do you know if it is > working or not? Brad Brad, when I was running an NT network or Samba Version 2.2.3a it worked fine. That is to say all domain admins where able to log in as admin to all pc's who where members of the domain. Now, I can go to each PC and specify that user1 be local admin, but something tells me there is another way. For example, if lets say I install a new pc with Win2k pro and then join it to the domain. Now I log in as a domain admin. When I perform a Windows Update, it says that only administrators can update the pc. So, why is it that this PC does not know I am a domain admin. Sorry but what is rsop tool? Thanks for your help...really appreciate it! IRV -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
On Tue, 2002-10-08 at 09:30, Irving Carrion wrote: > Bradley W. Lanhorst wrote, > > > > how are you assessing whether this is working or not? > > i consider the mapping to work if i can specify > > one of my domain groups as a part of a local group and > > the rsop tool says that a member of that group has the appropriate > > permissions.. > > > everything you've shown looks good to me - how do you know if it > is > > working or not? > > Brad > > Brad, when I was running an NT network or Samba Version 2.2.3a it worked > fine. That is to say all domain admins where able to log in as admin to > all pc's who where members of the domain. Now, I can go to each PC and > specify that user1 be local admin, but something tells me there is > another way. > > For example, if lets say I install a new pc with Win2k pro and then join > it to the domain. Now I log in as a domain admin. When I perform a > Windows Update, it says that only administrators can update the pc. So, > why is it that this PC does not know I am a domain admin. I think you should take a look in the user manager for domains and add your new Domain Admins group to the Local Admins group... IIRC Domain Admins have, by default, permissions to modify domain settings like group membership etc but not local administrative rights like running windows update. I could be wrong about this though. > Sorry but what is rsop tool? rsop stands for resultant set of policy. It's a microsoft tool to tell you what the effective permission an object has relative to a particular user or group. I don't have NT or 2k (just XP) so I don't know if it is available for them. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
Bradley W. Lanhorst wrote, > I think you should take a look in the user manager for domains and > add your new Domain Admins group to the Local Admins group... How shall I run User manager for domains without an NT box. I only have 1 domain controller. > IIRC Domain Admins have, by default, permissions to modify domain > settings like group membership etc but not local administrative rights > like running windows update. > I could be wrong about this though. I don't think so, as I'm sure it worked before on the old NT network I used to have and on Samba V. 2.2.3a. Anyway, Thanks for the Help! IRV -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
On Tue, 2002-10-08 at 10:25, Irving Carrion wrote: > Bradley W. Lanhorst wrote, > > I think you should take a look in the user manager for domains and > > add your new Domain Admins group to the Local Admins group... > > How shall I run User manager for domains without an NT box. I only have > 1 domain controller. you can run it on a client... you may not need the "for domains" bit on xp you don't brad > > > IIRC Domain Admins have, by default, permissions to modify domain > > settings like group membership etc but not local administrative rights > > like running windows update. > > I could be wrong about this though. > > I don't think so, as I'm sure it worked before on the old NT network I > used to have and on Samba V. 2.2.3a. I can't explain that - maybe somebody else who knows can chime in... I don't think it makes sense for a Domain Admin to automatically have Local adminstrative rights... Maybe there was something special about the domain admin mapping in samba2 brad -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
Bradley W. Langhorst wrote, > I can't explain that - maybe somebody else who knows can chime in... > I don't think it makes sense for a Domain Admin to automatically have > Local adminstrative rights... brad This is what I read from: " Mastering Windows NT Server 4 6th Edition" page 375 "By default, the built-in Domain Admins global group is a member of both the domain's Administrators local group and the Administrators local groups for every NT workstation in the domain." So, I wonder if this has been removed in the new version of SAMBA or if it no longer does this by default? Anyone know anything about this? -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Domain Admins
Update: When I run smbgroupedit –l the “Domain Admins” group shows the following: Domain Admins SID : S-1-5-21-2879687004-3117605197-2714178016-512 Unix group: domainadmins Group type: Unknown type Comment : Privilege : SaAddUsers SeMachineAccountPrivilege SaPrintOp Why is “Group type” listed as “Unknown type”. Could this be the source of my problem? Any help much appreciated! IRV -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Irving Carrion Sent: Friday, October 11, 2002 12:41 PM To: [EMAIL PROTECTED] Subject: [Samba] Domain Admins Hello All! I’m trying to troubleshoot a domain admin problem and I’m stuck at a log error msg. The log says the following: get_domain_user_groups: primary gid of user [root] is not a Domain group ! get_domain_user_groups: You should fix it, NT doesn't like that My goal is so that anyone in the “Domain Admins” group (by default) have administrative access to all member pcs of the domain. Currently, the pc’s don’t recognize any of the domain admins I’ve set according to man smbgroupedit. Anyone out there have a clue. Mucho Thanks! IRV FYI: My version of Samba is 2.999+3.0.alpha20-2
Re: [Samba] domain admins, and workstation software install permissions
On Thu, May 30, 2002 at 02:40:14AM -0400, lists wrote: > Hello - > > 1) Can I set up a group whose members are automatically able to install > software on all workstations in the samba domain? Yes (see 'domain admin group') > 2) Does domain admins group confer to its members file access to all samba > shares? No (see 'admin users') Andrew Bartlett -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
