----- Original Message -----
From: "Gémes Géza" <[EMAIL PROTECTED]>
To: "Jonathan Baker-Bates TMS" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, March 08, 2004 6:25 PM
Subject: Re: [Samba] Samba 3 - domain admins (not root)?

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jonathan Baker-Bates TMS wrote:
> | I'm trying to work out how I can create domain administrators with
> | Samba 3.
> |
> | I currently have the following in smb.conf
> |
> | domain admin group = @smbadmins
> | domain admin users = root jbb
>
> You are wrong: in Samba3 there is a complete group mapping possibility,
> not just the possibility of mapping domain admins, like in 2.2.x.
> So:
> first) Remove those two lines from your smb.conf
> second) Depending on your passdb backend, there could be two cases:
> A) passdb backend = smbpasswd (default, if not specified) or tdbsam. In
> this case samba populates its database with all the entries found on a
> Windows DC, you could see them with net groupmap list. You can (you need
> to do) modify these default group mappings with net groupmap modify
> ntgroup=... unixgroup=...
> B) passdb backend = ldapsam: you need to add all the group mappings by hand
> with net groupmap add sid=... unixgroup=...
> Remember:
> Domain Admins SID=Domain SID-512
> Domain Users SID=Domain SID-513
> Domain Guests SID=Domain SID-514
>
> Good Luck, and have a pleasant experience with Samba3, it is really a big
> improvement since the 2.2 line, in many areas.

Ah, thanks for putting me on the right track - I'm using smbpasswd (we've only got about 10 users), and the Samba server *is* the DC, but I've found some docs on the samba site so I'm reading them now :-)

However, I still can't get my user "jbb" to be a domain admin. I'm mapping the "smbadmins" group to the NT "Domain Admins" entity like this:

  net groupmap add ntgroup="Domain Admins" unixgroup=smbadmins

and it says it created the mapping successfully, but when I log onto the domain with that account, it doesn't have admin rights. I can see the mapping with:

  # net groupmap list ntgroup="Domain Admins"
  Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins

and in /etc/group I have

  smbadmins:x:1004:jbb

I'm not sure what I'm doing wrong.

Jonathan
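
The quoted reply lists the well-known RIDs for the three domain groups (512, 513, 514), while the listing in the follow-up shows "Domain Admins" with a SID ending in -3009. The following check is an added example, not part of either message: it parses `net groupmap list` output and flags well-known group names whose RID differs from those values. The function names and the second sample line are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit `net groupmap list` output against the well-known
# RIDs given in the thread (Domain Admins 512, Users 513, Guests 514).

# Constructed sample: the first line is the listing from the thread; the
# second line is made up for contrast and reuses the same domain SID.
SAMPLE='Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
Domain Users (S-1-5-21-3040818230-2349230895-2714690390-513) -> users'

# Print the well-known RID for an NT group name, or nothing if not tracked.
expected_rid() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;
    esac
}

# Read "NT group (SID) -> unixgroup" lines on stdin and report each tracked
# group as OK or MISMATCH. Returns 1 if any mismatch was found.
check_groupmap() {
    bad=0
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/^\(.*\) (S-[0-9-]*) -> .*$/\1/p')
        sid=$(printf '%s\n' "$line" | sed -n 's/^.* (\(S-[0-9-]*\)) -> .*$/\1/p')
        [ -n "$sid" ] || continue      # skip lines that are not mappings
        want=$(expected_rid "$name")
        [ -n "$want" ] || continue     # not one of the three tracked groups
        rid=${sid##*-}                 # the RID is the last SID component
        if [ "$rid" = "$want" ]; then
            echo "OK $name rid=$rid"
        else
            echo "MISMATCH $name rid=$rid expected=$want"
            bad=1
        fi
    done
    return "$bad"
}

# Demo on the constructed sample; on a server: net groupmap list | check_groupmap
printf '%s\n' "$SAMPLE" | check_groupmap || true
```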
