Karel, Thanks for your feedback. I will certainly take this into account when I get time to update the HOWTO documentation.
Cheers,
John T.

On Mon, 16 Feb 2004, Karel Kulhavy wrote:

> Hello
>
> I have been solving a problem how to make a nonroot user able to administer
> the domain (add users, groups, modify them etc.) from Windows workstation
> using usrmgr.exe
>
> It looks like what is stated in Samba HOWTO collection as prerequisites
> is not enough.
>
> First I found Chapter 12 cxl "How to make Samba PDC users member of the Domain
> Admins group" - made the nonroot user member of domadm group, added domadm
> unix group and groupmapped Domain Admins NT group to domadm UNIX group.
>
> This didn't work. I suggest changing "steps describe how to make Samba PDC
> users members of the Domain Admins" to "steps describe how to make Samba
> PDC users members of the Domain Admins (note that this won't assure same
> functionality as being a Domain Admin on an NT4 PDC, for further details,
> see 12.2.1 Important Administrative Information (page cxli) (why the heck
> was the numbering changed from Arabic to Roman numerals?)".
>
> Then I searched further for the term 'Admins' in the Samba HOWTO Collection pdf
> and found 12.2.1 Important Administrative Information. It states among others:
> "[...]adding users or groups, requires root level privilege.[...]Provision
> of root privileges can be done [...] by permitting [...] users to use a UNIX
> account that is a member of the UNIX group that has a GID=0 as the primary group in
> the /etc/passwd database".
>
> So I made the non-root user's primary group root (GID=0) and it still didn't
> work. I tried to restart samba. Still didn't work. Logout user from Windows
> and login back. Still didn't work. Restart samba again. Still didn't work.
>
> -> Is there a place in the HOWTO that describes how to determine what sequence
> of reboots, logouts, domain removal and reattachments and Samba restarts
> is necessary to assure integrity of any given operation when dealing with Samba?
>
> Then I discovered another place in Samba HOWTO that contains example:
> Section 31.2. Migration Options cdxv (why the heck were the Arabic numerals
> replaced with Roman? Comparison of two Roman numeral takes about a minute
> to me and decreases the speed of manual binary search for a given page by
> several orders of magnitude)
>
> 5. Now assign each of the UNIX groups to NT groups:
> [...]
> # First assign well known domain global groups
> net groupmap modify ntgroup="Domain Admins" unixgroup=root rid=512
>
> This didn't work:
> oberon root # net groupmap modify ntgroup="Domain Admins" unixgroup=root rid=512
> Bad option: rid=512
>
> However I got the idea behind the command and tried:
> net groupmap modify ntgroup="Domain Admins" unixgroup=root
>
> oberon root # net groupmap modify ntgroup="Domain Admins" unixgroup=root
> Updated mapping entry for Domain Admins
> oberon root # net groupmap list
> [...]
> Domain Admins (S-1-5-21-3784068046-1792391053-1311982112-512) -> root
>
> Suggestion: replace
> "net groupmap modify ntgroup=\"Domain Admins\" unixgroup=root rid=512"
> in the Samba HOWTO Collection with
> "net groupmap modify ntgroup=\"Domain Admins\" unixgroup=root"
>
> After that I reloaded Samba and tried the running usrmgr.exe: Invalid handle.
> Exited the usrmgr.exe and restarted usrmgr.exe (without logout) and it --
> MIRACULOUSLY WORKED!
>
> Suggestion: replace "Users of such accounts can use tools like the NT4 Domain
> User Management" with "Users of such accounts cannot still use tools like the
> NT4 Domain User Management because having root as primary group is not enough.
> However, if the Domain Admins group is in addition mapped to root group, this
> task becomes possible" into chapter 12.2.1 Important Administrative Information
> (page cxli)
>
> Cl<
>

--
John H Terpstra
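
Added example, not part of the original thread or the Samba documentation: a small audit that reads `net groupmap list` output in the format quoted above, together with passwd and group data, and reports which NT groups are mapped to a GID 0 UNIX group and which non-root accounts have GID 0 as their primary group (the combination the message reports as enabling domain administration). The sample data, account names and function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread); the SIDs use a made-up domain.
GROUPMAP = """\
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> root
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:0:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:bob
"""

# One mapping line: NT group name, SID in parentheses, arrow, UNIX group name.
MAP_LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[0-9-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return (nt_group, sid, unix_group) for each `net groupmap list` line."""
    rows = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            rows.append((m["nt"], m["sid"], m["unix"]))
    return rows


def gid0_groups(group_text):
    """Names of UNIX groups whose GID is 0 (normally just `root`)."""
    fields = (line.split(":") for line in group_text.splitlines())
    return {f[0] for f in fields if len(f) >= 3 and f[2] == "0"}


def audit(groupmap_text, passwd_text, group_text):
    """NT groups mapped to a GID-0 group, and non-root users with primary GID 0."""
    privileged = gid0_groups(group_text)
    mapped = [(nt, sid) for nt, sid, unix in parse_groupmap(groupmap_text)
              if unix in privileged]
    fields = (line.split(":") for line in passwd_text.splitlines())
    users = [f[0] for f in fields if len(f) >= 4 and f[3] == "0" and f[2] != "0"]
    return mapped, users


if __name__ == "__main__":
    print(audit(GROUPMAP, PASSWD, GROUP))
```

On a real PDC, feed it the output of `net groupmap list` and the contents of `/etc/passwd` and `/etc/group`; every account it lists is worth reviewing as an effective domain administrator.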