In article <[EMAIL PROTECTED]>, Trey Nolen wrote:
>> Have you tried:
>>
>> net getlocalsid
>>
>> SID for domain DOMAIN is:
>> S-1-5-21-3876029557-4061927837-2224609541, ie. the SIDs should match.
>>
>> If they don't:
>>
>> 1. Stop samba
>> 2. Delete "group_mapping.tdb"
>> 3. Start samba
>> 4. net groupmap modify ntgroup="Domain Admins" unixgroup=domadm etc.
>>
>> This should make a fresh group_mapping.tdb with correct SIDs.
>>
>
>
> Thanks for the reply. Unfortunately (I guess), they do already match:
> server:~# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users (S-1-5-21-3876029557-4061927837-2224609541-513) -> users
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> domadm
> Domain Admins (S-1-5-21-3876029557-4061927837-2224609541-512) -> domadm
> Account Operators (S-1-5-32-548) -> -1
> Domain Guests (S-1-5-21-3876029557-4061927837-2224609541-514) -> nogroup
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
> server:~# net getlocalsid
> SID for domain SERVER is: S-1-5-21-3876029557-4061927837-2224609541
>
>
> It seems like this *SHOULD* be working. Could this be a bug with this
> version? I'll be glad to check anything else if there are other
> suggestions...
>

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=1bKKG-3JE-47%40gated-at.bofh.it&rnum=1&prev=/groups%3Fq%3Dsamba%2Bdomain%2Badmins%2Bproblem%26ie%3DUTF-8%26hl%3Den%26btnG%3DGoogle%2BSearch

Bottom line: Stop samba, delete group_mapping.tdb *and* secrets.tdb,
start samba. Make sure you have a backup of secrets.tdb, at least on
production servers. The clients probably have to rejoin the domain after
deleting secrets.tdb.

It's also possible that the tdb-files are in different directories if
you are trying out different versions/distributions of samba. XP-clients
also cache the ten latest logins by default to add to the confusion...

Other than that I have never had problems with the "Domain Admins"-stuff
working on the client with any samba 3.0.x. I have, however, seen very
strange behavior on mapped shares after samba 3.0.2 when logging on with
a "Domain Admins" user on XP. I can map the share, but get "access
denied" errors when trying to browse or doing "h:" on the command line.
Removing the user from the "domadm" group solves this.

Latest setup on the test server:

Compiled and installed the samba-latest.tar.gz (samba-2.0.5);
#configure, make, make install

smb.conf

[global]
        workgroup = JDHTEST
        log file = /var/log/samba/%m.log
        os level = 100
        preferred master = True
        dns proxy = No
        wins proxy = No
        wins support = No
        wins server = xxx.xxx.xxx.xxx
        socket options = TCP_NODELAY
        passdb backend = smbpasswd
        domain master = Yes
        domain logons = Yes

[homes]
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

#/usr/local/samba/bin/net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3103833849-850975221-657558829-512) -> domadm
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-3103833849-850975221-657558829-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Guests (S-1-5-21-3103833849-850975221-657558829-514) -> -1
Users (S-1-5-32-545) -> -1

Sten Sletbak
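
The SID comparison discussed in this thread, as an added example that is not part of the original message or of Samba: a Python check that parses saved "net getlocalsid" and "net groupmap list" output and reports domain groups whose SID prefix differs from the local SID or that map to -1. The function names are hypothetical, and the sample input is constructed by pairing the local SID from the quoted message with group lines from the test-server listing.

```python
import re

# One entry of `net groupmap list`, e.g.
#   Domain Admins (S-1-5-21-...-512) -> domadm
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")
BUILTIN_PREFIX = "S-1-5-32-"  # well-known BUILTIN aliases, same on every host


def parse_groupmap(text):
    """Return (ntgroup, sid, unixgroup) tuples from `net groupmap list` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries


def parse_localsid(text):
    """Extract the domain SID from `net getlocalsid` output."""
    m = DOMAIN_SID_RE.search(text)
    if m is None:
        raise ValueError("no domain SID found in getlocalsid output")
    return m.group(0)


def check_groupmap(groupmap_text, localsid_text):
    """List (ntgroup, problem, sid) for domain groups that look wrong."""
    domain_sid = parse_localsid(localsid_text)
    findings = []
    for name, sid, unix in parse_groupmap(groupmap_text):
        if sid.startswith(BUILTIN_PREFIX):
            continue  # BUILTIN SIDs never carry the domain prefix
        prefix = sid.rpartition("-")[0]  # strip the trailing RID
        if prefix != domain_sid:
            findings.append((name, "sid-mismatch", sid))
        elif unix == "-1":
            findings.append((name, "unmapped", sid))
    return findings


# Constructed sample: stale group_mapping.tdb next to a different local SID.
SAMPLE_GROUPMAP = """\
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3103833849-850975221-657558829-512) -> domadm
Domain Users (S-1-5-21-3103833849-850975221-657558829-513) -> -1
"""
SAMPLE_LOCALSID = "SID for domain SERVER is: S-1-5-21-3876029557-4061927837-2224609541"

if __name__ == "__main__":
    for finding in check_groupmap(SAMPLE_GROUPMAP, SAMPLE_LOCALSID):
        print(*finding)
```

A "sid-mismatch" result corresponds to the case where the thread recommends rebuilding group_mapping.tdb; "unmapped" means the SID is right but the group still needs a net groupmap modify.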
