Re: [Samba] Clarification of 'administrator' config w/ldap
no. the correct way to join a computer to the machine account is to either use the username root when you type in the domain on computer name properties, or a user who is in the ntadmins group that has SEMachineAccountPrivilege jeff sacksteder wrote: run smbpasswd -a root and put in root's password. So on a client machine, I can now authenticate with 'root' and the appropriate passwd, but shouldn't the smbusers mapping cause administrator to work the same way? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Clarification of 'administrator' config w/ldap
> run smbpasswd -a root and put in root's password. So on a client machine, I can now authenticate with 'root' and the appropriate passwd, but shouldn't the smbusers mapping cause administrator to work the same way? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Clarification of 'administrator' config w/ldap
> run smbpasswd -a root and put in root's password. Leaving aside for the moment granting privileges to user accounts, I did the above. I set log level =3 and recorded the following(somewhat anonymized). Again, root is a normal unix account, I have mappings to administrator and MYDOMAIN\administrator in smb users. All other accounts are in LDAP. [2009/04/21 21:31:51, 3] auth/auth.c:check_ntlm_password(221) check_ntlm_password: Checking password for unmapped user [mydomain]\[administrat...@[dell] with the new password interface [2009/04/21 21:31:51, 3] auth/auth.c:check_ntlm_password(224) check_ntlm_password: mapped user is: [mydomain]\[administrat...@[dell] [2009/04/21 21:31:51, 3] auth/auth_sam.c:check_sam_security(281) check_sam_security: Couldn't find user 'administrator' in passdb. [2009/04/21 21:31:51, 3] auth/auth_winbind.c:check_winbind_security(80) check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM. [2009/04/21 21:31:51, 2] auth/auth.c:check_ntlm_password(319) check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER [2009/04/21 21:31:51, 3] smbd/error.c:error_packet_set(106) error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE > > jeff sacksteder wrote: >> >> As you say, I see 'root = administrator' in smbuser, but I am still >> unable to authenticate as administrator. During the authentication >> attempt the following log entry is recorded- >> >> check_ntlm_password: Authentication for user [administrator] -> >> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER >> >> I believe that I need to use make an entry with pdbedit linking the >> domain admin sid to root. >> However, trying that produces- >> >> smbldap_search_domain_info: Searching >> for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))] >> smbldap_open_connection: connection opened >> Username not found! >> >> So what more do I need to add? > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Clarification of 'administrator' config w/ldap
run smbpasswd -a root and put in root's password. create a unix group called ntadmins and put your username jsacksteder in it. then run: net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=ntadmins type=d then run: net rpc rights grant ntadmins SEMachineAccountPrivilege and enter root's password. now the user jsacksteder is a domain administrator that can join computers to the domain (And vista will recognize as an administrator when you install software and UAC prompts for a user/pass. jeff sacksteder wrote: As you say, I see 'root = administrator' in smbuser, but I am still unable to authenticate as administrator. During the authentication attempt the following log entry is recorded- check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER I believe that I need to use make an entry with pdbedit linking the domain admin sid to root. However, trying that produces- smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))] smbldap_open_connection: connection opened Username not found! So what more do I need to add? On Sat, Apr 4, 2009 at 10:15 AM, Adam Williams wrote: root is mapped to windows Administrator account in /etc/samba/smbusers. however, since samba 3.0.11 you can make anyone a domain administrator (to add machine accounts, install software, etc) see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html for more info. jeff sacksteder wrote: I have a mostly working config with the ldap backend, at least from the standpoint of standard domain users, but I'm not sure how my Administrator user needs to be configured. The os 'root' user is in /etc/passwd and all my normal users are in the directory for unified login purposes. Is the domain 'Administrator' account supposed to correspond to 'root' in the os, 'Manager' in the directory, or a just a privileged user in the directory? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Clarification of 'administrator' config w/ldap
On Mon, 2009-04-20 at 00:03 -0400, jeff sacksteder wrote: > As you say, I see 'root = administrator' in smbuser, but I am still > unable to authenticate as administrator. During the authentication > attempt the following log entry is recorded- > > check_ntlm_password: Authentication for user [administrator] -> > [administrator] FAILED with error NT_STATUS_NO_SUCH_USER > > I believe that I need to use make an entry with pdbedit linking the > domain admin sid to root. > However, trying that produces- > > smbldap_search_domain_info: Searching > for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))] > smbldap_open_connection: connection opened > Username not found! > > So what more do I need to add? > > On Sat, Apr 4, 2009 at 10:15 AM, Adam Williams > wrote: > > root is mapped to windows Administrator account in /etc/samba/smbusers. > > however, since samba 3.0.11 you can make anyone a domain administrator (to > > add machine accounts, install software, etc) see > > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html for > > more info. > > > > jeff sacksteder wrote: > >> > >> I have a mostly working config with the ldap backend, at least from > >> the standpoint of standard domain users, but I'm not sure how my > >> Administrator user needs to be configured. The os 'root' user is in > >> /etc/passwd and all my normal users are in the directory for unified > >> login purposes. Is the domain 'Administrator' account supposed to > >> correspond to 'root' in the os, 'Manager' in the directory, or a just > >> a privileged user in the directory? > >> > > Depending upon your setup, you may need to add an additional entry into smbusers that includes the domain name (e.g. root = administrator DOMAIN_NAME\administrator ANOTHER_DOMAIN_NAME\some_guy) Regards, Frank -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Clarification of 'administrator' config w/ldap
As you say, I see 'root = administrator' in smbuser, but I am still unable to authenticate as administrator. During the authentication attempt the following log entry is recorded- check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER I believe that I need to use make an entry with pdbedit linking the domain admin sid to root. However, trying that produces- smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))] smbldap_open_connection: connection opened Username not found! So what more do I need to add? On Sat, Apr 4, 2009 at 10:15 AM, Adam Williams wrote: > root is mapped to windows Administrator account in /etc/samba/smbusers. > however, since samba 3.0.11 you can make anyone a domain administrator (to > add machine accounts, install software, etc) see > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html for > more info. > > jeff sacksteder wrote: >> >> I have a mostly working config with the ldap backend, at least from >> the standpoint of standard domain users, but I'm not sure how my >> Administrator user needs to be configured. The os 'root' user is in >> /etc/passwd and all my normal users are in the directory for unified >> login purposes. Is the domain 'Administrator' account supposed to >> correspond to 'root' in the os, 'Manager' in the directory, or a just >> a privileged user in the directory? >> > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Clarification of 'administrator' config w/ldap
root is mapped to windows Administrator account in /etc/samba/smbusers. however, since samba 3.0.11 you can make anyone a domain administrator (to add machine accounts, install software, etc) see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html for more info. jeff sacksteder wrote: I have a mostly working config with the ldap backend, at least from the standpoint of standard domain users, but I'm not sure how my Administrator user needs to be configured. The os 'root' user is in /etc/passwd and all my normal users are in the directory for unified login purposes. Is the domain 'Administrator' account supposed to correspond to 'root' in the os, 'Manager' in the directory, or a just a privileged user in the directory? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba