On Fri, 16 Jan 2004, Alexander Goeres wrote:

> Hello everybody!
>
> New to Samba (and the list) I am trying to set up a Samba PDC for a small
> enterprise network on a Debian Woody (3.0) system with a vanilla 2.4.24
> kernel and the Debian package of Samba 3.0.1 and Swat (Debian Versions
> 3.0.1-2).
>
> I ran into various problems and could solve most of them during the past two
> weeks (hooray!). Most of the problems were related to congestions of user and

Congratulations.

> program permissions. For example, it was impossible to change a user's
> password with the NT4 usrmgr tool from the w2k client. That always gave a
> "permission denied". Solution was: don't use the Debian tool
> "/usr/sbin/adduser" (obviously a wrapper program to the standard "useradd")!
> Another problem was, that Swat always wipes out variables that are written
> like "%u". Obviously Swat deletes everything within "". Solution: don't use
> Swat (too bad)!

You are correct. That is one of the fine features of SWAT.

>
> One problem is left, and I don't know if it's related to M$ or to Samba. It's
> impossible to create a user from a w2k client with the NT4 tool usrmgr.exe. I

Not really. If your scripts (add user, add group, etc.) are correctly set up
then you can use this tool to manage users and groups without problem.

> can create a Samba user (Domain User) when such a user already exists on the
> Samba server as a Linux user. AFAIK the setting "add user script" in smb.conf
> should provide the facility to Samba to create a Linux user each time a
> Samba/Domain user is created. Is that a misconception?

Your observation is the result of configuration problems.

>
> When looking at that NT4 tool usrmgr.exe, I find a menu item:
> Policies -> User Rights -> Show Advanced Rights: Add users to the domain:
> Samba
> Trying to give that right to the Domain Admin group is denied with the
> message:
> "You may not remove the Local Logon right from the Administrators local group.
> Doing so would disable .. bla bla ba".
> This message even appears when I just open the usrmgr and click on "OK"
> without having changed anything.

You must be logged in as the Domain Administrator, and unfortunately I have
discovered that there is no way around it, you must be logged on as the user
called "root".

>
> So I have several questions and I hope that someone on the list here might be
> able to answer or give some hints to a solution:
> 1. Is it generally possible to add a completely new user to the domain through
> this NT4 tool usrmgr.exe? A user who didn't exist as a unix-user on the samba
> PDC and so didn't exist in the Samba User database?

Yes. It is possible. It does work.

> 2. If yes (and I hope it's possible) how do I give this "Advanced Right" to
> add a user to the Samba Domain to the Domain-Admin group? Do I have to do
> this within Samba (pdbedit) or is it only possible within M$?

You can make users a member of the Domain Admins group. At this time we do not
support secondary group membership correctly. This means that only the user
"root" can manage network accounts.

>
> Just some further config:
> M$ Administrator is Member of NT Domain Admin group, of Samba admin group and
> has UID 0 on the Linux system.

Unfortunately, this breaks. You have to use "root". Duplicate accounts that
share a UID break things badly. For example, having an account called "root"
and one called "Administrator", both with UID=0, breaks winbind operation.

> NT Domain Admin group is mapped to the Samba admin group.

NT Domain Admins group needs to have GID=0.

>
> That mail is a little long but I hope the length doesn't discourage too many
> people from reading it. Possibly someone knows answers? Even to my questions?

Not at all. Thanks for sharing with us.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
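
An added example, not part of the original message: a shell audit for two configuration pitfalls the reply names, accounts that share a UID (such as "root" and "Administrator" both on UID 0) and an smb.conf with no "add user script" set. The function names and the sample passwd and smb.conf data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit for two pitfalls the reply names.

# dup_uids [FILE]: for passwd-format input, print "uid:name1,name2" for every
# UID shared by more than one account (e.g. root and Administrator on UID 0).
dup_uids() {
    awk -F: '
        /^#/ || NF < 3 { next }
        { names[$3] = (count[$3]++ ? names[$3] "," : "") $1 }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$@" | sort -n
}

# has_add_user_script [FILE]: succeed if smb.conf-format input sets a non-empty
# "add user script". Samba ignores case and whitespace in parameter names.
has_add_user_script() {
    awk '
        /^[ \t]*[#;]/ { next }          # skip comment lines
        {
            eq = index($0, "="); if (!eq) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "adduserscript" && val != "") found = 1
        }
        END { exit !found }
    ' "$@"
}

# Constructed sample data, mirroring the setup described in the thread.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'Administrator:x:0:0:Domain admin:/root:/bin/bash' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash'
}
sample_smbconf() {
    printf '%s\n' '[global]' '   workgroup = EXAMPLE' \
        '   domain logons = yes' \
        '   add user script = /usr/sbin/useradd -m %u'
}

echo "Accounts sharing a UID: $(sample_passwd | dup_uids)"
if sample_smbconf | has_add_user_script; then
    echo "add user script: set"
else
    echo "add user script: missing"
fi
```

On a real host, pass the files directly: `dup_uids /etc/passwd` and `has_add_user_script /etc/samba/smb.conf` (the smb.conf path is an assumption and varies by distribution).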