On 09/05/2012 21:51, Gaiseric Vandal wrote:
For ldap, as long as "getent passwd" shows your user and computer accounts, that is what really matters.

Is samba looking for users in your ldap base (e.g. dc=univ-orleans,dc=fr)? If so it will see all users. However it will not distinguish between users in ou=people or ou=systeme. Any users you wish to have administrator privileges should be added to the "Domain Admins" group.

Verify that you have a group mapping for domain admins.

# net groupmap list | grep "Domain Admins"
Domain Admins (S-1-5-21-XXX-XXX-XXX-512 ) -> Domain Admins



I have a unix group in ldap called "Domain Admins" - my unix system allows groups with spaces in it. I don't know if yours will.

Verify with

  net rpc group MEMBERS  "Domain Admins" -U Administrator




However, even if you are a system administrator, you should not normally be logged in as an admin-equivalent. Instead, you should only use an admin-equivalent account when you specifically need it.

If you wish to allow some users to add machines to the domain but not give them full admin privileges you should be able to grant the SeMachineAccountPrivilege right.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html




I don't understand the "admin99" issue. You have a samba user called "admin99", and you use that to join a Windows machine to the domain? Where are you opening a terminal from? What does "pbdedit -Lv admin99" show?
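Added example (not from either poster): a small POSIX shell check over the output of `net groupmap list`, which is what the reply above asks the original poster to verify. Exactly one unix group should carry the Domain Admins RID (512); the script lists every unix group mapped to that RID and fails when there is more or less than one. The groupmap lines and the SID below are constructed for the example; on a live server feed it `net groupmap list` as shown in the last comment.

```sh
# Added example, not part of the thread: parse `net groupmap list` output and
# flag every unix group that carries the Domain Admins RID (512).
# The sample output and its SID are constructed.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users
profs (S-1-5-21-1111111111-2222222222-3333333333-512) -> profs
etudiants (S-1-5-21-1111111111-2222222222-3333333333-512) -> etudiants'

# Turn "NT name (SID) -> unix group" lines into "RID|unix group".
# Unix group names may contain spaces ("Domain Admins"), so everything after
# "-> " is kept as the group name. A space before the closing ")" is tolerated.
groupmap_rids() {
    printf '%s\n' "$1" |
        sed -n 's/^.* (S-[0-9-]*-\([0-9]*\) *) -> \(.*\)$/\1|\2/p'
}

# Print the unix groups mapped to RID $1, one per line, sorted.
# $2 is the groupmap text.
groups_with_rid() {
    groupmap_rids "$2" | awk -F'|' -v rid="$1" '$1 == rid { print $2 }' | sort
}

# Count them; awk always exits 0, so this is safe under `set -e`.
count_with_rid() {
    groups_with_rid "$1" "$2" | awk 'END { print NR }'
}

# Return 0 when exactly one unix group maps to RID 512, 1 otherwise,
# listing the offending groups on stderr.
check_domain_admins_mapping() {
    n=$(count_with_rid 512 "$1")
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    echo "expected one unix group mapped to RID 512, found $n:" >&2
    groups_with_rid 512 "$1" >&2
    return 1
}

if check_domain_admins_mapping "$SAMPLE_GROUPMAP"; then
    echo "Domain Admins mapping looks sane"
else
    echo "every group listed above is treated as Domain Admins by Samba"
fi
# On a live server: check_domain_admins_mapping "$(net groupmap list)"
```

With the ldapsam backend the mapping is not in a tdb but in each group entry's sambaSID attribute (alongside the sambaGroupMapping object class), so several LDAP groups can end up carrying the same -512 SID; the fix is to correct those attributes on the extra entries, leaving one group with RID 512.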

Hi again, sorry, very long weekend and other problems, but now I can answer.
It's very strange that with the command:
$ net groupmap list | grep "Domain Admins"
I get every group in ou=groups listed as Domain Admins (I don't really know how the previous people did this). Does it mean that everyone is a Domain Admin? How can I change this?
I need only the people in ou=systeme to be Domain Admins.

I don't have a unix group in ldap called "Domain Admins", but there is an ou=systeme where all my admins are (admin99, admin41, etc.).

I've configured libnss-ldap and libpam-ldap to set up authentication between ldap and samba. I reference the URI of the ldap server, the DN, and choose Unix authentication and LDAP authentication (with crypted md5), and I changed my /etc/nsswitch.conf from:

  passwd: compat
  group: compat
  shadow: compat

to:

  passwd: files ldap
  group: files ldap
  shadow: files ldap

Do I need to change anything else? Or am I wrong?

I've configured smbldap-tools, the smbldap_bind.conf file (dn and password) and smbldap.conf (SID, sambadomain, masterldap, ...). Did I really need this, because I don't use (in my case) smbldap-populate?
I think I'm missing something :s

I have all my users from my ldap with getent passwd.

For the "admin99" issue: when I use libpam, libnss and ldap (started), and I try to join a Windows host to the domain, when it asks for the login and password I try admin45 and its password; it says "welcome to the domain etc...", reboot. But on the server, if I open a new terminal, root's name changes to admin41. If I stop ldap for 5 minutes, it changes back to root.
Where are you opening a terminal from?   From the server.
What does "pbdedit -Lv admin99" show?    I don't have the pbdedit command.

Thanks.
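Added example (not from either poster): the message above says `getent passwd` returns every LDAP user, and that root's name in a new terminal flips to admin41 while ldap is running. One thing worth checking against that `getent passwd` output is whether an LDAP entry reuses a uidNumber already present in /etc/passwd, uid 0 above all; that is an assumption about a possible cause, not something the thread confirms. The passwd lines below are constructed; on the server, pass in `getent passwd` as shown in the last comment.

```sh
# Added example, not part of the thread: find uidNumber collisions in
# `getent passwd` output (files entries followed by LDAP entries), uid 0 above all.
# The passwd lines below are constructed.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin41:x:0:0:admin41:/home/admin41:/bin/bash
admin99:x:1001:513:admin99:/home/admin99:/bin/bash
admin45:x:1002:513:admin45:/home/admin45:/bin/bash'

# Print "uid name1 name2 ..." for every uid that more than one account shares,
# lowest uid first. $1 is the passwd text.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 3 {
            count[$3]++
            names[$3] = (count[$3] == 1) ? $1 : names[$3] " " $1
        }
        END { for (u in count) if (count[u] > 1) print u, names[u] }' | sort -n
}

# Return 0 when uid 0 belongs to exactly one account, 1 otherwise.
# getpwuid(0) hands back whichever matching entry nsswitch finds first, so two
# accounts on uid 0 means the name shown for root depends on lookup order.
check_uid0_unique() {
    dup=$(duplicate_uids "$1" | awk '$1 == 0')
    if [ -n "$dup" ]; then
        echo "uid 0 is shared: $dup" >&2
        return 1
    fi
    return 0
}

if check_uid0_unique "$SAMPLE_PASSWD"; then
    echo "uid 0 is unique"
else
    echo "an LDAP account collides with root on uid 0; fix its uidNumber in LDAP"
fi
echo "all duplicate uids:"
duplicate_uids "$SAMPLE_PASSWD"
# On the server: check_uid0_unique "$(getent passwd)"
```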
