Hi,

Sorry for having to say that, but you have messed up your group mapping
(you have multiple Domain Admins and other groups, with different SIDs
and the same name! This would confuse your Windows clients).
Using the tdbsam backend, Samba already populates its group database with
all the groups which exist by default on a Windows PDC, and thus you just
need to map them to existing UNIX groups with net groupmap modify.
What I would suggest is to remove your group mapping tdb and restart
Samba, and it would recreate it, and then try out net groupmap modify.

Cheers,

Geza
| Firstly I apologise for the length of this query but I am hoping that if I
| document everything I did someone might respond / be able to help.
|
| My configuration is Samba 3.0.2a as a PDC on Redhat 8. I cannot for the
| life of me get the "Domain Admins" functionality to work.
|
| I am hoping that another set of eyes can shed some light on this problem
| as I have now spent 41 hrs googling / reading Samba docs / configuring
| Samba and Linux.
|
|
| I am using the tdbsam backend
|
| [global]
| ---snip----
| domain master = yes
| local master = yes
| preferred master = yes
| domain logons = yes
| passdb backend = tdbsam
| ---snip----
|
| I have the following unix groups:
|
| GrpName       GID
| ========      ====
| ntadmins      702
| users         100
| mikey         700
| administrator 703
|
| I have the following users:
|
| UsrName       GID  Primary Group  Groups
| ============= ==== =============  =======================
| mikey         600  ntadmins       users,root,mikey
| administrator 603  ntadmins       users,root,admnistrator
|
| I have used pdbedit to add user 'mike' and 'administrator' to the trivial
| database
|
| [EMAIL PROTECTED] root]# pdbedit -L -v -u mikey
| Unix username:        mikey
| NT username:
| Account Flags:        [U          ]
| User SID:             S-1-5-21-4105664934-1074514724-3375437219-2200
| Primary Group SID:    S-1-5-21-4105664934-1074514724-3375437219-1201
| Full Name:            Mike Young
| Home Directory:       \\juan\mikey
| HomeDir Drive:        H:
| Logon Script:         logon.bat
| Profile Path:         \\juan\profiles\mikey\0.0.0.0
| Domain:               E-MAGE
| ---snip----
|
| [EMAIL PROTECTED] root]# pdbedit -L -v -u administrator
| Unix username:        administrator
| NT username:
| Account Flags:        [U          ]
| User SID:             S-1-5-21-4105664934-1074514724-3375437219-2206
| Primary Group SID:    S-1-5-21-4105664934-1074514724-3375437219-702
| Full Name:            wrkgrp domain administrator
| Home Directory:       \\juan\administrator
| HomeDir Drive:        H:
| Logon Script:         logon.bat
| Profile Path:         \\juan\profiles\administrator\0.0.0.0
| Domain:               E-MAGE
| ---snip----
|
| I have used net groupmap to add the unix groups
| 'USERS','NOBODY','NTADMINS'
|
| net groupmap add unixgroup=nobody ntgroup="Domain Guests"
| net groupmap add unixgroup=ntadmins ntgroup="Domain Admins"
| net groupmap add unixgroup=users ntgroup="Domain Users"
|
| I have used net groupmap to MAP the unix groups
| 'USERS','NOBODY','NTADMINS' to the NT groups
|
| net groupmap modify ntgroup="Domain Guests" UNIXgroup=nobody
| net groupmap modify ntgroup="Domain Admins" UNIXgroup=nobody
| net groupmap modify ntgroup="Domain Users" UNIXgroup=nobody
|
| When I do a net groupmap list I get:
|
| [EMAIL PROTECTED] root]# net groupmap list
| System Operators (S-1-5-32-549) -> -1
| Replicators (S-1-5-32-552) -> -1
| Guests (S-1-5-32-546) -> -1
| Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-2405) -> ntadmins
| Domain Users (S-1-5-21-4105664934-1074514724-3375437219-1201) -> users
| Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-1199) -> nobody
| Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-512) -> ntadmins
| Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-514) -> nobody
| Domain Users (S-1-5-21-1097365102-1206842487-1930028900-513) -> users
| Power Users (S-1-5-32-547) -> -1
| Print Operators (S-1-5-32-550) -> -1
| Domain Admins (S-1-5-21-50666885-4256340010-4152097897-702) -> ntadmins
| Administrators (S-1-5-32-544) -> -1
| Account Operators (S-1-5-32-548) -> -1
| Domain Admins (S-1-5-21-50666885-4256340010-4152097897-512) -> -1
| Domain Admins (S-1-5-21-1097365102-1206842487-1930028900-512) -> -1
| Backup Operators (S-1-5-32-551) -> -1
| Users (S-1-5-32-545) -> -1
| Domain Guests (S-1-5-21-1097365102-1206842487-1930028900-514) -> -1
| Domain Users (S-1-5-21-4105664934-1074514724-3375437219-513) -> -1
|
| I then created the appropriate machine accounts through unix.
|
| I then log on to a win2k or XP workstation as a local administrator and
| join the domain as user 'ROOT' and using the user management tool I add my
| DomainName\Domain Admins group to the local administrators group.
|
| I then re-logon to the win2k or XP workstation as the domain user (either
| mike or administrator). These both log on successfully but are NOT Domain
| Admins or Administrators of the workstation - Why?
|
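
An added example, not part of the original thread: a Python check for the condition Geza points out (one NT group name registered under several SIDs), run over entries copied from the listing in the post. The function names and report keys are this example's own, and it assumes the domain SID is the one in the pdbedit User SID lines and that the default groups should sit on the well-known RIDs 512/513/514.

```python
import re
from collections import defaultdict

# Entries copied from the post's `net groupmap list` output, one per line.
SAMPLE = """\
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-2405) -> ntadmins
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-512) -> ntadmins
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-702) -> ntadmins
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-512) -> -1
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-1201) -> users
Domain Users (S-1-5-21-1097365102-1206842487-1930028900-513) -> users
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-513) -> -1
Administrators (S-1-5-32-544) -> -1
"""
# Assumption: domain SID = the User SID in the post's pdbedit output minus its RID.
DOMAIN_SID = "S-1-5-21-4105664934-1074514724-3375437219"
WELL_KNOWN_RID = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
ENTRY = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return (ntgroup, sid, unixgroup) tuples; unixgroup is None when unmapped (-1)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            unix = None if m["unix"] == "-1" else m["unix"]
            entries.append((m["name"], m["sid"], unix))
    return entries

def audit(entries, domain_sid=DOMAIN_SID):
    """Report every NT group name that is registered under more than one SID."""
    by_name = defaultdict(list)
    for name, sid, unix in entries:
        by_name[name].append((sid, unix))
    report = {}
    for name, rows in by_name.items():
        if len({sid for sid, _ in rows}) < 2:
            continue  # one SID per name is the healthy state
        expected = f"{domain_sid}-{WELL_KNOWN_RID[name]}" if name in WELL_KNOWN_RID else None
        report[name] = {
            "expected_sid": expected,  # None for names without a well-known RID
            "foreign_domain": [s for s, _ in rows if not s.startswith(domain_sid + "-")],
            "mapped_other_sids": [s for s, u in rows if u and s != expected],
            "expected_is_mapped": any(u for s, u in rows if s == expected),
        }
    return report

if __name__ == "__main__":
    print(audit(parse_groupmap(SAMPLE)))
```

A group map with one SID per group name produces an empty report.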
