Friday, July 25, 2003, 3:58:57 PM, Beast wrote:


Friday, July 25, 2003, 2:58:54 PM, Alex wrote:


Look into the command 'net groupmap', here is where it lies.


For example: net groupmap add unixgroup=domainadmins ntgroup="Domain Admins" type=domain


This will map your local group domainadmins to Domain Admins, so that
Windows understands it.
If you already have groupmaps set up but no groups map to them, use net
groupmap modify.


This is my initial map from fresh install :
[EMAIL PROTECTED] root]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-682855339-941891451-1873685625-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1


I have the root user in smbpasswd and have not put his group into
"Administrators" or "Domain Admins", but why is it able to add a machine
trust account from a Win2k client? Any explanation?


Tks.


Another problem :(

I create an ordinary unix user and put it in the smbadmin unix group.

smbadmin:x:999:beast

I create machine trust account (in unix and smbpasswd)
  [EMAIL PROTECTED] root]# pdbedit -L
  beast:500:
  trg02$:501:

I map "smbadmin" to "Domain Admins" ntgroup :

Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> smbadmin

From Win2000, I cannot join this client to the domain with user "beast"; it says: Login
failure: unknown username or bad password.
(FYI, I can log in using beast on a Win98 client, so no problem with
username/password.)

So, what exactly is the requirement for Domain Admins?????

hi all,

sorry that I can't help. I'd love to see a decent explanation here.
From my experiments I can say that only a user with UID=0 can create machine trust accounts (i.e. add a client to the domain), is that correct?


Another question is, are there any benefits to having the builtin groups set up on the DC with mappings to the "well known SIDs"?

I use LDAP as a backend and if my assumptions are correct, that would mean it is not possible to have one LDAP SAM for multiple samba servers, because having a user in LDAP with uid=0 would conflict with the local root accounts.

greetings
    Paul
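A small audit script for the group map Beast and Paul are discussing, added here as an example and not part of any message in the thread. It parses `net groupmap list` output (a constructed sample mirroring Beast's listing, with only Domain Admins mapped to smbadmin) to show which NT groups are still unmapped (`-> -1`) and which unix accounts end up holding Domain Admins (RID 512) through the map; the /etc/group excerpt is also constructed.

```sh
#!/bin/sh
# Constructed sample of 'net groupmap list' output, shaped like the thread's
# listing: builtin groups unmapped (-> -1), Domain Admins mapped to smbadmin.
SAMPLE_GROUPMAP='System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> smbadmin
Users (S-1-5-32-545) -> -1'

# Constructed /etc/group excerpt (the thread shows smbadmin:x:999:beast).
SAMPLE_GROUP_FILE='root:x:0:
smbadmin:x:999:beast
users:x:100:beast,alice'

# Print the NT group names that have no unix group behind them (-> -1),
# with the SID stripped off.
unmapped_groups() {
    printf '%s\n' "$1" | awk -F' -> ' '$2 == "-1" { sub(/ \(S-[0-9-]+\)$/, "", $1); print $1 }'
}

# Given groupmap output and a RID, print the unix group mapped to that RID
# (prints nothing if the RID is unmapped or absent).
unix_group_for_rid() {
    printf '%s\n' "$1" | awk -F' -> ' -v rid="$2" \
        '$1 ~ ("-" rid "\\)$") && $2 != "-1" { print $2 }'
}

# List the members of a unix group from /etc/group-style text, one per line.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" \
        '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Who effectively holds Domain Admins (RID 512) via the group map.
# Returns 1 when Domain Admins is not mapped to any unix group at all.
domain_admin_members() {
    g=$(unix_group_for_rid "$1" 512)
    [ -n "$g" ] || return 1
    group_members "$2" "$g"
}

# Run the audit against the constructed sample.
echo "Unmapped NT groups:"; unmapped_groups "$SAMPLE_GROUPMAP"
echo "Domain Admins via group map: $(domain_admin_members "$SAMPLE_GROUPMAP" "$SAMPLE_GROUP_FILE")"
```

On a live DC, replace the two constructed strings with `net groupmap list` output and `getent group`; any unexpected member of the group mapped to RID 512 is worth a second look.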