edd payne wrote:
> On Tuesday 09 Mar 2004 12:13 pm, Jonathan Baker-Bates TMS wrote:
>
>>>> I'm trying to work out how I can create domain administrators with
>>>> Samba 3.
>>>>
>>>> I currently have the following in smb.conf
>>>>
>>>> domain admin group = @smbadmins
>>>> domain admin users = root jbb
>>>
>>> You are wrong: in Samba3 there is a complete group mapping possibility,
>>> not just the possibility of mapping domain admins, like in 2.2.x.
>>> So:
>>> first) Remove those two lines from your smb.conf
>>> second) Depending on your passdb backend, there could be two cases:
>>> A) passdb backend = smbpasswd (default, if not specified) or tdbsam. In
>>> this case samba populates its database with all the entries found on a
>>> Windows DC; you could see them with net groupmap list. You can (you need
>>> to) modify these default group mappings with net groupmap modify
>>> ntgroup=... unixgroup=...
>>> B) passdb backend = ldapsam: you need to add all the group mappings by hand
>>> with net groupmap add sid=... unixgroup=... Remember: Domain Admins
>>> SID=Domain SID-512, Domain Users SID=Domain SID-513, Domain Guests
>>> SID=Domain SID-514
>>>
>>> Good Luck, and have a pleasant experience with Samba3, it is really a big
>>> improvement since the 2.2 line, in many areas.
>>
>> Ah, thanks for putting me on the right track - I'm using smbpasswd (we've
>> only got about 10 users), and the Samba server *is* the DC, but I've found
>> some docs on the samba site so I'm reading them now :-)
>>
>> However, I still can't get my user "jbb" to be a domain admin. I'm mapping
>> the "smbadmins" group to the NT "Domain Admins" entity like this:
>>
>> net groupmap add ntgroup="Domain Admins" unixgroup=smbadmins
>>
>> and it says it created the mapping successfully, but when I log onto the
>> domain with that account, it doesn't have admin rights. I can see the
>> mapping with:
>>
>> # net groupmap list ntgroup="Domain Admins"
>> Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
>>
>> and in /etc/group I have smbadmins:x:1004:jbb
>>
>> I'm not sure what I'm doing wrong.
>
> you need to use net groupmap modify rather than net groupmap add. the domain
> admins group should have an SID (the S- number) ending in 512 if it is the
> real "Domain Admins" group. delete the mapping you put in and then repeat the
> net groupmap command but use:
>
> net groupmap modify ntgroup="Domain Admins" unixgroup=smbadmins
>
> Then when you do net groupmap list you should get:
>
> Domain Admins (S-1-5-21-3040818230-2349230895-2714603090-512) -> smbadmins
>
> and it should work
>
> you also need to "modify" groups such as Domain Users, Domain Guests, Backup
> Operators etc.
>
> edd

Just as a completion I've cut and pasted the most important parts of my test
system's net groupmap list output (the production one is using ldap and has just
Domain Users, Domain Admins, Domain Guests, besides a lot of self created group
mappings, like students->students, and alike):
System Operators (S-1-5-32-549) -> daemon
looser (S-1-5-21-4109351342-2997801466-301355879-2007) -> looser
Replicators (S-1-5-32-552) -> disk
Guests (S-1-5-32-546) -> nogroup
Power Users (S-1-5-32-547) -> wheel
Domain Users (S-1-5-21-4109351342-2997801466-301355879-513) -> users
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> root
Domain Admins (S-1-5-21-4109351342-2997801466-301355879-512) -> adm
Domain Guests (S-1-5-21-4109351342-2997801466-301355879-514) -> nogroup
Account Operators (S-1-5-32-548) -> adm
Backup Operators (S-1-5-32-551) -> daemon
Users (S-1-5-32-545) -> users
You can see that there are two kinds of groups: local groups with SID=S-1-5-32-groupRID and domain groups with SID=DOMAINSID-groupRID. For a correctly working Samba PDC you NEED to map the Domain groups to existing UNIX groups, whose members will then become Domain Admins, Domain Users and Domain Guests, and whatever other groups you would want to add to the group mapping.
Cheers,
Geza
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
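An added audit helper (not code from the thread or from Samba) that applies the checks discussed above to net groupmap list output: it parses each mapping line, classifies the SID as built-in local (S-1-5-32-RID) or domain (DOMAINSID-RID), flags a well-known domain group whose RID is not 512/513/514 (the symptom of net groupmap add creating a fresh RID where modify was needed), and flags mappings to UNIX groups that do not exist. The sample output is constructed from the thread's values, and the set of UNIX group names is passed in (read_unix_groups is a hypothetical helper for /etc/group) so the check runs offline.

```python
import re

# Constructed sample of `net groupmap list` output, modelled on the thread: a
# "Domain Admins" entry created with `net groupmap add` (fresh RID 3009 instead of
# the well-known 512), two correct domain groups and two built-in local groups.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-3040818230-2349230895-2714690390-3009) -> smbadmins
Domain Users (S-1-5-21-3040818230-2349230895-2714690390-513) -> users
Domain Guests (S-1-5-21-3040818230-2349230895-2714690390-514) -> nogroup
Administrators (S-1-5-32-544) -> root
Backup Operators (S-1-5-32-551) -> daemon
"""
# RIDs reserved for the built-in domain groups (Domain SID-512/513/514, per the thread).
WELL_KNOWN_DOMAIN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
BUILTIN_LOCAL_PREFIX = "S-1-5-32"  # local groups carry S-1-5-32-RID, not the domain SID
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Parse `net groupmap list` lines; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        domain_sid, rid = m.group("sid").rsplit("-", 1)  # split trailing RID off the SID
        entries.append({
            "ntgroup": m.group("nt"), "sid": m.group("sid"), "rid": int(rid),
            "unixgroup": m.group("unix"),
            "kind": "local" if domain_sid == BUILTIN_LOCAL_PREFIX else "domain",
        })
    return entries

def read_unix_groups(path="/etc/group"):
    """Hypothetical helper: group names from an /etc/group-style file (first field)."""
    with open(path) as fh:
        return {ln.split(":", 1)[0] for ln in fh if ln.strip() and not ln.startswith("#")}

def audit_groupmap(text, unix_groups):
    """Flag well-known domain groups mapped under the wrong RID (the symptom of
    `net groupmap add` where `modify` was needed) and mappings to absent UNIX groups."""
    findings = []
    for e in parse_groupmap(text):
        expected = WELL_KNOWN_DOMAIN_RIDS.get(e["ntgroup"])
        if e["kind"] == "domain" and expected is not None and e["rid"] != expected:
            findings.append(f"{e['ntgroup']}: RID {e['rid']} but expected {expected}; "
                            f"delete this entry and 'net groupmap modify' the real one")
        if e["unixgroup"] not in unix_groups:
            findings.append(f"{e['ntgroup']}: UNIX group '{e['unixgroup']}' not found")
    return findings
```

On a live PDC, feed the real output of net groupmap list to audit_groupmap together with read_unix_groups() to get the same two classes of findings.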
