On Tuesday 09 Mar 2004 12:13 pm, Jonathan Baker-Bates TMS wrote:
> > | I'm trying to work out how I can create domain administrators with
> > | Samba 3.
> > | I currently have the following in smb.conf
> > |
> > | domain admin group = @smbadmins
> > | domain admin users = root jbb
> >
> > You are wrong: in Samba3 there is a complete group mapping possibility,
> > not just the possibility of mapping domain admins, like in 2.2.x.
> > So:
> > first) Remove those two lines from your smb.conf
> > second) Depending on your passdb backend, there could be two cases:
> > A) passdb backend = smbpasswd (default, if not specified) or tdbsam. In
> > this case samba populates its database with all the entries found on a
> > Windows DC, you could see them with net groupmap list. You can (you need
> > to do) modify these default group mappings with net groupmap modify
> > ntgroup=... unixgroup=...
> > B) passdb backend = ldapsam: you need to add all the group mappings by
> > hand with net groupmap add sid=... unixgroup=...
> > Remember:
> > Domain Admins SID=Domain SID-512
> > Domain Users SID=Domain SID-513
> > Domain Guests SID=Domain SID-514
> >
> > Good Luck, and have a pleasant experience with Samba3, it is really a big
> > improvement since the 2.2 line, in many areas.
>
> Ah, thanks for putting me on the right track - I'm using smbpasswd (we've
> only got about 10 users), and the Samba server *is* the DC, but I've found
> some docs on the samba site so I'm reading them now :-)
>
> However, I still can't get my user "jbb" to be a domain admin. I'm mapping
> the "smbadmins" group to the NT "Domain Admins" entity like this:
>
> net groupmap add ntgroup="Domain Admins" unixgroup=smbadmins
>
> and it says it created the mapping successfully, but when I log onto the
> domain with that account, it doesn't have admin rights. I can see the
> mapping with:
>
> # net groupmap list ntgroup="Domain Admins"
> Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
>
> and in /etc/group I have smbadmins:x:1004:jbb
>
> I'm not sure what I'm doing wrong.

You need to use net groupmap modify rather than net groupmap add. The
domain admins group should have an SID (the S- number) ending in 512 if it
is the real "Domain Admins" group. Delete the mapping you put in and then
repeat the net groupmap command but use:

net groupmap modify ntgroup="Domain Admins" unixgroup=smbadmins

Then when you do net groupmap list you should get:

Domain Admins (S-1-5-21-3040818230-2349230895-2714603090-512) -> smbadmins

and it should work.

You also need to "modify" groups such as Domain Users, Domain Guests,
Backup Operators etc.

edd
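
Added example, not part of the thread and not Samba's own tooling: a small shell audit of `net groupmap list` output that compares the final SID component exactly against the RIDs 512/513/514 named above and flags a well-known group name sitting on any other RID. The function name `audit_groupmap` and the output wording are assumptions; the sample input is the mapping quoted in the thread plus one constructed line.

```shell
#!/bin/sh
# Added example: audit lines of the form shown in the thread:
#   NT group name (S-1-5-21-...-RID) -> unixgroup
# Real use:  net groupmap list | audit_groupmap   (exit status 1 = problem found)

audit_groupmap() {
    awk '
    BEGIN {
        # Well-known domain RIDs named in the thread.
        want[512] = "Domain Admins"
        want[513] = "Domain Users"
        want[514] = "Domain Guests"
    }
    match($0, /\(S-[0-9-]+\) -> /) {
        name = substr($0, 1, RSTART - 2)
        sid  = substr($0, RSTART + 1, RLENGTH - 6)
        ugrp = substr($0, RSTART + RLENGTH)
        n = split(sid, part, "-")
        rid = part[n]              # exact last component, so 1512 is not 512
        if (rid in want) {
            seen[rid] = 1
            printf "OK       RID %s (%s) -> %s\n", rid, name, ugrp
            next
        }
        # A well-known name on some other RID is only a look-alike group.
        for (r in want)
            if (want[r] == name) {
                printf "MISMATCH %s has RID %s, expected %s\n", name, rid, r
                bad = 1
            }
    }
    END {
        for (r = 512; r <= 514; r++)
            if (!(r in seen)) {
                printf "MISSING  no mapping for RID %d (%s)\n", r, want[r]
                bad = 1
            }
        exit bad + 0
    }'
}

# Sample run: first line is the mapping quoted in the thread, second is constructed.
if ! audit_groupmap <<'EOF'
Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
Domain Users (S-1-5-21-3040818230-2349230895-2714690390-513) -> users
EOF
then
    echo "group mapping needs attention" >&2
fi
```

Run periodically, a non-zero exit also catches a privileged RID that has lost its mapping or a look-alike group added later.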
