By the way, it can be a bug in the new version of OpenLDAP, or a permission problem (Samba is unable to read a required attribute etc.). Check the OpenLDAP list, or post a bug report, if you haven't already done so.
2008/7/23 Jeroen Vriesman <[EMAIL PROTECTED]>:
> Thanks for the reply,
>
> I did check that, I should have posted that in the original mail.
>
> The group ends with -512, and, has gid 512, my 'administrator' account is
> called root, but this is about the members of the 'Domain Admins' group, the
> group maps to 'Domain Admins' (I use pam/nssldap config, where 'getent
> group' shows all the ldap groups as local groups, so the map is ok by
> default).
>
> Before the ldap upgrade it worked, and the ldap data is exactly the same.
>
> So I'm a bit lost, I do have the schema with sambaSID SUB and a sub index
> on sambaSID, the schemas are also the same as in the old situation.
>
> cheers,
> Jeroen.
>
> On Tue, Jul 22, 2008 at 8:02 PM, kissg <[EMAIL PROTECTED]> wrote:
>
>> Check the GID of your Domain Admins group. It should end with "512" and
>> should be mapped to a UNIX group which has a GID of the same value. If it's
>> anything else, that can be a reason why your admin users actually don't have
>> administrator rights on the client machines.
>>
>> Run the following command to see what your group mappings look like:
>>
>> net groupmap list
>>
>> You should see the number 512 at the end of the Domain Admins SID.
>>
>> After you have verified that your Domain Admins group has the appropriate
>> SID, check the UID and GID of an administrative user, for example:
>>
>> id administrator
>>
>> You should see "gid=512" in the output of the command.
>>
>> Regards
>> Gergely Kiss
>>
>> 2008/7/22 Jeroen Vriesman <[EMAIL PROTECTED]>:
>>
>>> Hi list,
>>>
>>> after upgrading our ldap server, the Domain Admins group doesn't work
>>> anymore.
>>>
>>> Members of the domain admins group don't have any special rights on the
>>> workstations (for example, they cannot even change the date of a machine
>>> in the domain anymore).
>>>
>>> When I look up the group members I get:
>>>
>>> [EMAIL PROTECTED]:/etc/samba# net rpc group members 'Domain Admins'
>>> Password:
>>> HIVOS.NL\root
>>> HIVOS.NL\foctaaf
>>> HIVOS.NL\lhilarides
>>> HIVOS.NL\administrator
>>> HIVOS.NL\executor
>>> HIVOS.NL\fbodijn
>>> HIVOS.NL\psomer
>>> HIVOS.NL\jvriesman
>>>
>>> And the rights of the group:
>>> [EMAIL PROTECTED]:/etc/samba# net rpc rights list 'Domain Admins'
>>> Password:
>>> SeMachineAccountPrivilege
>>> SeRemoteShutdownPrivilege
>>> SePrintOperatorPrivilege
>>> SeAddUsersPrivilege
>>> SeDiskOperatorPrivilege
>>>
>>> That seems ok, but when I look up the rights of a member of the Domain
>>> Admins group:
>>>
>>> [EMAIL PROTECTED]:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
>>> Password:
>>> SeAddUsersPrivilege
>>>
>>> [EMAIL PROTECTED]:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
>>> Password:
>>> <nothing here>
>>>
>>> Any idea why members of the Domain Admin group do not get the rights of
>>> the group?
>>>
>>> cheers,
>>> Jeroen.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/listinfo/samba
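
The checks described in the thread (the Domain Admins SID ending in 512, the mapped UNIX group having GID 512, and `gid=512` in the `id` output) can be scripted. The following is an added example, not part of the original messages; the function names, the `domadmins` group name and the sample outputs with a placeholder domain SID are constructed for illustration.

```shell
#!/bin/sh
# Added example: automate the Domain Admins mapping checks from the thread.
# All sample data is constructed; the domain SID is a placeholder.
SAMPLE_GROUPMAP='Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> domguests'
SAMPLE_GETENT='domadmins:*:512:root,jvriesman'
SAMPLE_ID='uid=0(root) gid=512(domadmins) groups=512(domadmins)'

# Print "RID unixgroup" for the Domain Admins line of `net groupmap list`.
# Line format: NT group name (SID) -> UNIX group name
domain_admins_mapping() {
    printf '%s\n' "$1" | sed -n \
        's/^Domain Admins (S-[0-9-]*-\([0-9][0-9]*\)) -> \(.*\)$/\1 \2/p'
}

# Print the numeric GID from a `getent group` line (name:passwd:gid:members).
group_gid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the primary GID from `id` output.
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.*gid=\([0-9][0-9]*\).*/\1/p'
}

# Return 0 only if the RID is 512, the mapped UNIX group has GID 512 and
# the user's primary GID is 512; otherwise print the failed check.
check_domain_admins() {
    mapping=$(domain_admins_mapping "$1")
    [ -n "$mapping" ] || { echo "no Domain Admins mapping found"; return 1; }
    rid=${mapping%% *}          # first field: last component of the SID
    unix_group=${mapping#* }    # remainder: UNIX group name (may contain spaces)
    gid=$(group_gid "$2")
    [ "$rid" = 512 ] || { echo "SID ends in -$rid, expected -512"; return 1; }
    [ "$gid" = 512 ] || { echo "$unix_group has gid $gid, expected 512"; return 1; }
    [ "$(primary_gid "$3")" = 512 ] || { echo "primary gid is not 512"; return 1; }
    echo "ok: Domain Admins -> $unix_group (RID $rid, gid $gid)"
}

check_domain_admins "$SAMPLE_GROUPMAP" "$SAMPLE_GETENT" "$SAMPLE_ID"
```

On a live server, pass the real outputs instead of the samples, for example `check_domain_admins "$(net groupmap list)" "$(getent group domadmins)" "$(id administrator)"`, substituting the UNIX group name your mapping actually uses.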
