On 07/17/13 16:12, Donny Brooks wrote:
On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
On 07/17/13 15:02, Donny Brooks wrote:
On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
On 07/17/13 14:32, Donny Brooks wrote:
On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
According to the net man page


           In order for Samba to be joined or unjoined remotely an account must be
           used that is either member of the Domain Admins group, a member of the
           local Administrators group or a user that is granted the
           SeMachineAccountPrivilege privilege.




The simplest thing is probably to have the Domain IT group be a member
of the local admin group on each machine.  I don't know if you would
need to grant them the SeMachineAccountPrivilege.



On 07/17/13 09:44, Donny Brooks wrote:
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld <sa...@marc-muehlfeld.de> wrote:
Hello Donny,

Am 12.07.2013 21:34, schrieb Donny Brooks:
     > On the old domain, which was set up before I got here,
     > our IT section was in an LDAP group that allowed us to
     > join PCs to the domain ...

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions




     > ... and when the prompt came up in windows to
     > install software we could log in as ourselves.

What do you mean by this? Do you want to have a group of users
automatically in the "administrator" group on your workstations?

http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s

If you mean something else, please give some more details.



Regards,
Marc





Yes, on the old domain we had all of our IT staff in a group that was able to join PCs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link, that is for Samba 4.X. We are on Samba 3.5.10, so that does not apply.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

And map our itgroup to the Domain Admins group. Although we do have a Domain Admins group in LDAP. Should that cause an issue?
Group mapping is to make sure Windows groups map to the correct Unix
group.  This is not like mapping a Windows user name to a different
Unix user name (e.g. Windows Administrator = Unix root).

With LDAP, group mapping is usually simpler since the LDAP object for a
group usually has the Samba SID and the Unix group id.  The "net
groupmap list" command is useful for validating this.  You want to make
sure that you do see group mapping for "Domain Admins" and "Domain
Users" and other well-known groups.  You are more likely to have to use
the "net groupmap add" command when you don't have LDAP.


Well-known groups have specific relative IDs.  The Domain Admins
group HAS to have a relative ID of 512 in the SID.  You have to make
sure the Administrator is in the group.  That behavior changes with
versions newer than 3.0.x.




# net groupmap list
....
Domain Admins (S-1-5-21-xxxx-xxxxx-xxxxx-512) -> Domain Admins
...
# getent group "Domain Admins"
Domain Admins::512:Administrator
#


I don't think you have a Samba issue.  I think you have a general
"Windows" issue about the most practical way to provide the IT group with
sufficient privileges to manage computers without giving too much access.


Depending on the size of your IT department, and the necessity to
audit/control who makes what change, each IT user may need two accounts,
one that is a regular account and one that is a member of the Domain
Admins and local admins group (e.g. donny and donny_admin).  This
way they can do whatever they need, but they don't run as admin for
routine tasks, and you can track who made what change (if need be) or
limit who has full admin rights.





It is correctly mapped and is 512. Nothing changed on the Windows side during the domain change other than removing the machines from the old domain and rejoining them to the new one. We don't have to have the accounting trail that two accounts would give us right now. I just want to be able to tell my other people they can join computers to the domain and perform software upgrades with their own credentials.

OK.  I am looking at your original post again.  I don't think you said
which version you had been using.

net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U superusername



Is the superuser name the domain Administrator account?  The problem
seems to involve the superusername user, not the Domain Admins
group.  I think with older versions of Samba, the Administrator
account was implicit, and you could map the Windows Administrator to
the Unix root account and all was OK.  With the current version I think
you need to create an Administrator Samba user (it doesn't have to be
called Administrator but I would do that just to keep things simple) and
add that user to the Domain Admins group.

Does "pdbedit -Lv Administrator" or "pdbedit -Lv superusername" work?

You could add the IT users to the Domain Admins group.  Then you
have all the privileges you need.  You should NOT need to grant
SeMachineAccountPrivilege to the Domain Admins group.

Can you post a sanitized version of the Domain Admin group LDIF?




Yes, the "pdbedit -Lv root" returns properly. The superuser name is root, as that is how it was set up by the guy we contracted to do it. I have added myself to the Domain Admins group but am still unable to join a PC to the domain or install software. Here is the Domain Admins LDIF:

# Entry 1: cn=Domain Admins,ou=Groups,dc=mdah,dc=state,dc=ms,dc=us
dn: cn=Domain Admins,ou=Groups,dc=mdah,dc=state,dc=ms,dc=us
cn: Domain Admins
description: Domain Administrators
displayname: Domain Admins
gidnumber: 512
memberuid: root
memberuid: dbrooks
memberuid: jomiles
objectclass: posixGroup
objectclass: sambaGroupMapping
sambagrouptype: 2
sambasid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-512




That is how my Domain Admin is set up in LDAP as well.

You might want to try

net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U MDAH\\root



And, although I don't see how in theory it really should matter, you might want to create a user actually called "Administrator" who is in the Domain Admins group AND has Domain Admins as the default group.

The online Samba documentation is a little out of date but suggests that you should not have to grant rights for Domain Admins anyway. (I think I had done this anyway when I moved to 3.4.x from 3.0.x.)

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.htm


If you log into a Windows domain member machine as MDAH/root, can you do local admin things, e.g. create local users? When I upgraded from 3.0.x to 3.4.x somehow I lost my group mappings and didn't recreate them properly (I got the gids reversed between two groups). I found that the domain administrator lost all the local admin rights on member Windows machines. Setting Se* rights didn't help. I then finally found that I had screwed up the groups. The long and short being, I think you have a groups issue, not a Se rights issue.

What does the following show?

# net rpc user info root  -U MDAH\\root
# net rpc group members "Domain Admins" -U MDAH\\root


It might flush out some issues.
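A small consistency check for the two things the thread keeps coming back to: that the well-known groups in `net groupmap list` carry the right RIDs (Domain Admins must be 512) and that the Domain Admins LDIF entry has a 512 SID and contains the admin account. This is an added example, not code from the thread or from Samba; the `net groupmap list` output and the LDIF are constructed, and the admin account name is a parameter because this domain uses root where the docs assume Administrator.

```python
import re
# Well-known RIDs: the thread says Domain Admins must be 512; 513/514 are the standard Domain Users/Guests values.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
# Matches `net groupmap list` lines: Domain Admins (S-1-5-21-...-512) -> Domain Admins
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-21-[^)]+)\) -> (?P<unix>.+)$")
# Constructed sample (not the thread's system): Domain Users wrongly carries RID 512.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Users
"""
SAMPLE_ADMINS_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
cn: Domain Admins
memberuid: root
objectclass: sambaGroupMapping
sambasid: S-1-5-21-1111111111-2222222222-3333333333-512
"""

def rid_of(sid):
    """The RID is the last dash-separated component of the SID."""
    return int(sid.rsplit("-", 1)[1])

def parse_groupmap(output):
    """Parse `net groupmap list` text into {windows_group: (sid, unix_group)}."""
    found = (GROUPMAP_RE.match(line.strip()) for line in output.splitlines())
    return {m.group("name"): (m.group("sid"), m.group("unix")) for m in found if m}

def parse_ldif_entry(text):
    """Parse one plain LDIF entry into {lowercase_attr: [values]} (no continuation lines)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, val = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(val.strip())
    return entry

def check_domain_groups(groupmap_output, admins_ldif, admin_user="Administrator"):
    """Return a list of findings; an empty list means the mapping looks consistent."""
    findings, mapping = [], parse_groupmap(groupmap_output)
    for name, rid in WELL_KNOWN_RIDS.items():
        if name not in mapping:
            findings.append(f"{name}: no entry in net groupmap list")
        elif rid_of(mapping[name][0]) != rid:
            findings.append(f"{name}: mapped SID has RID {rid_of(mapping[name][0])}, expected {rid}")
    entry = parse_ldif_entry(admins_ldif)
    if rid_of(entry.get("sambasid", ["-0"])[0]) != 512:  # missing attribute counts as wrong
        findings.append("Domain Admins LDIF: sambaSID does not end in -512")
    if admin_user not in entry.get("memberuid", []):
        findings.append(f"Domain Admins LDIF: admin account '{admin_user}' is not a memberUid")
    return findings
```

Feed it the real `net groupmap list` output and an `ldapsearch` dump of the Domain Admins entry; any finding is a group problem to fix before touching Se* rights.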