Okay, I did all the below successfully. I actually had the old SID from the other PDC MACHINE.SID and net setlocalsid S-1-fdsfsd - so didn't modify the NTUSER.DAT files.

Still no luck with the admin rights. It will log into the domain and can see the domain groups and I can add them to local groups. It even uses the netlogon scripts. Do you need more info? I think we are close though.

Andy

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:42 PM
To: Andrew Judge
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] net groupmap / domain admins problem - Amazon prize

1. Stop Samba

2. Delete the group_mapping.tdb file.

3. Restart Samba - the default Domain Groups will automatically be created if you are NOT using LDAP ldapsam.

4. Map your groups as follows:

    net groupmap modify ntgroup="Domain Users" unixgroup=users
    net groupmap modify ntgroup="Domain Admins" unixgroup=root
    net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

   Add any Domain Groups you may want. Do tie them to existing (manually created UNIX groups) eg:

    groupadd engineers
    net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d

    groupadd ntadmins
    net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d

   PS: If you have a problem with these commands email me, I'll help you.

5. Add all users who should have Domain Admin rights to the UNIX root group in /etc/group, like this:

    root:x:0:jht,jimbo,jack,jill

6. Add all users who should have Workstation Admin rights (Power Users) to the UNIX ntadmins group in /etc/group, like this:

    ntadmins:x:123:maryo,susant,billm

7. Verify that the groups are correctly mapped:

    net groupmap list

8. Now: On every windows client machine add:
   a) Domain Admins to the Local Administrators Group
   b) Domain Power Users to the Local Power Users Group

>
> Now... I migrated from 2.2.3a to the above and I have all the tdb and I
> changed the SID to the last PDC. Anyway, how would I get the right SID? I
> have NTUSER.DAT files that I can run profiles against to read them. Would
> that help?

You can use the Samba-3.0.x tools 'profiles' to reset the SID in the NTUSER.DAT files. To obtain the domain SID just run:

    net getlocalsid

>
> First one that can point me in the right direction to get this resolved -
> I'll buy them an Amazon gift cert for $50. Beats going bald from pulling out
> my hair.

It's a deal man!

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
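An added example, not part of the original thread and not Samba's own code, for the check in step 7 together with the /etc/group memberships from steps 5 and 6: it cross-checks saved `net groupmap list` output against a group file and reports which UNIX accounts end up behind each domain group. The function names, status labels and sample data are constructed for illustration, and the `NT group (SID) -> unixgroup` line format is an assumption about the Samba 3 output.

```shell
#!/bin/sh
# Added example: cross-check `net groupmap list` output against a group file.
# Assumed line format: NT group name (SID) -> unixgroup

# Constructed sample mapping output; the SIDs are placeholders.
SAMPLE_MAP='Domain Admins (S-1-5-21-1111-2222-3333-512) -> root
Domain Users (S-1-5-21-1111-2222-3333-513) -> users
Domain Power Users (S-1-5-21-1111-2222-3333-1001) -> ntadmins
Domain Engineers (S-1-5-21-1111-2222-3333-1003) -> engineers'

# Constructed sample in /etc/group layout: name:password:gid:members
SAMPLE_GROUP='root:x:0:jht,jimbo
users:x:100:
ntadmins:x:123:maryo,susant'

# audit_groupmap MAPFILE GROUPFILE
# Prints STATUS|NT group|RID|UNIX group|gid|members for every mapping.
#   MISSING = mapped UNIX group is not in the group file
#   PRIV    = RID 512 (Domain Admins) or gid 0: review the member list
audit_groupmap() {
    awk -F: '
        NR == FNR { gid[$1] = $3; mem[$1] = $4; next }   # pass 1: group file
        {
            p = index($0, " (S-"); q = index($0, ") -> ")
            if (p == 0 || q == 0) next                   # not a mapping line
            nt  = substr($0, 1, p - 1)
            rid = substr($0, p + 2, q - p - 2); sub(/.*-/, "", rid)
            ux  = substr($0, q + 5)
            if (!(ux in gid))                        st = "MISSING"
            else if (rid == "512" || gid[ux] == "0") st = "PRIV"
            else                                     st = "OK"
            print st "|" nt "|" rid "|" ux "|" gid[ux] "|" mem[ux]
        }' "$2" "$1"
}

# Run the audit over the constructed samples above.
run_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_MAP"   > "$tmp/map"
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp/group"
    audit_groupmap "$tmp/map" "$tmp/group"
    rm -rf "$tmp"
}

run_sample
```

On a real server, save the output of `net groupmap list` to a file and pass it with /etc/group to audit_groupmap. Only supplementary members are listed; accounts whose primary group is the mapped group come from /etc/passwd and are not shown.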
