RE [Samba] root != admin domain user?

2007-10-23 Thread stephane . purnelle
See chapter 15, User Rights and Privileges, of the Samba HOWTO 
Collection.
You will find the answer there.


---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467

[EMAIL PROTECTED] wrote on 
23/10/2007 11:36:01 :

 Hi all,
 
 Samba has been running as PDC for some months in a row without any issues so 
 far.
 Users and machines were created and added to the domain correctly...
 
 Now I'm facing the following problem... I hope it's easy to solve...
 Although machines have been added to the domain using the root user, and 
 it's mapped to Administrator in /etc/samba/smbusers, when a situation 
 like connecting to a remote Windows workstation or unlocking a locked 
 session using that user comes, the workstation shows a message telling 
 that I (or the SysAdmin using the root or Administrator account) have no 
 privileges to do that...
 
 This is my smb.conf:
 
 ---
 [global]
    netbios name = v601
    server string = Volania Six Dominatrix
    workgroup = VOLANIASIX.COM
 
    ; domain & local master browser
    ; coz we're dealing with Win2k
    os level = 65
    prefered master = yes
    domain master = yes
    local master = yes
    domain logons = yes
    wins support = yes
 
    ; misc options
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    time server = yes
 
    ; do not show files starting with dots
    hide dot files = yes
 
    ; do not allow guest access, use only local system accounts
    security = user
    guest ok = no
    invalid users = bin daemon sys man postfix mail ftp
    admin users = @wheel
 
    ; use encrypted passwords
    encrypt passwords = yes
 
    ; logging (max log size is in kB)
    log level = 2
    log file = /var/log/samba/log.%L
    max log size = 1000
    debug timestamp = yes
    syslog = 1
 
    ; user roaming profiles path
    logon path = \\%N\profiles\%U
 
    logon drive = H:
 
    ; general logon script (in DOS format)
    logon script = %u.bat
 
    # These scripts are used on a domain controller or stand-alone
    # machine to add or delete corresponding unix accounts
    add user script = /usr/sbin/useradd %u
    add group script = /usr/sbin/groupadd %g
    add machine script = /usr/sbin/adduser -n -g users -c V6-Windows-Machine -d /dev/null -s /bin/false %u
    delete user script = /usr/sbin/userdel %u
    delete user from group script = /usr/sbin/deluser %u %g
    delete group script = /usr/sbin/groupdel %g
    username map = /etc/samba/smbusers
 
 
 ; share for domain controller
 [netlogon]
    path = /usr/lib/samba/netlogon
    public = no
    writeable = no
    browsable = no
    valid users = root @smbusers
 
 ; share for storing user profiles
 [profiles]
    comment = Network Profiles Share
 
    path = /usr/lib/samba/profiles
    writeable = yes
    store dos attributes = yes
    create mask = 0700
    directory mask = 0700
    browsable = no
    guest ok = no
    printable = no
 
    hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
    valid users = root @smbusers
 
 [homes]
    valid users = %S
    read only = No
    browseable = No
 
 ---
 
 # grep wheel /etc/group
 wheel:x:10:root
 
 
 
 Any suggestions?? Maybe I've overlooked something obvious when Samba was 
 set up as PDC...
 
 
 TIA,
 Martin
 
 
 -- 
 Martin Mielke - [EMAIL PROTECTED]
 Sr. SysAdmin at Casino.com
 p: +34 956785288 | f: +34 956794081 | m: +34 677509693
 w: http://www.casino.com/
 
 The contents of this email and any attachments are for the intended 
 recipient(s) only. This email may contain proprietary, confidential,
 or otherwise private information belonging to Casino.com (hereafter 
 referred to as The Company) or its affiliates. The Company does 
 not take any responsibility for, or endorse any information which 
 does not relate to its official business, including personal mail 
 and/or opinions by senders whether or not they are employed by The 
 Company. If you receive a message that was not intended for you, 
 please notify the sender immediately (or forward the email to 
 [EMAIL PROTECTED]). Do not read, use or disclose the contents in 
 any way and delete the message immediately.
 
 The Company will take reasonable precautions but cannot ensure that 
 this e-mail and any attachments will be free of errors, viruses, 
 interception or interference. Therefore The Company can not be held 
 liable for any loss or damages incurred by you which have been 
 caused by any of the foregoing. No undertaking, guarantee or other 
 obligation contained in this email or any attachments will bind The 
 Company unless it is later confirmed in writing.
 
 
 -- 
 To unsubscribe from this list go to the 

Re: RE [Samba] root != admin domain user?

2007-10-23 Thread Martin Mielke

Hi,

I read the whole chapter and found the magic words :-)

---
To obtain the domain SID on a Samba domain controller, run the following 
command:

root# net getlocalsid
SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299

You may assign the domain administrator RID to an account using the 
pdbedit command as shown here:

root# pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
---

Only the first command runs properly on my site...

The second one fails (yes, I changed it to use our domain SID :P ):
---
build_sam_pass: Failing attempt to store user with non-uid based user RID.
smbpasswd_update_sam_account: build_smb_pass failed!
Unable to modify entry!
---

Google doesn't tell me much...
A similar problem has been posted here: 
http://lists.samba.org/archive/samba/2007-April/131104.html but it seems 
that Mauricio Silveira never got an answer...


@ Mauricio: if you found a solution please post! :-)


Any (more) ideas?


Cheers,
Martin



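The pdbedit error quoted in the message above ("Failing attempt to store user with non-uid based user RID") is raised by Samba's smbpasswd passdb backend, which derives every user RID from the Unix uid as rid = uid * 2 + algorithmic rid base (default 1000) and therefore cannot store a hand-picked RID such as 500 for root; the tdbsam and ldapsam backends store the SID explicitly. The POSIX shell script below is an added example, not part of the thread or of the Samba HOWTO: it reproduces that mapping on a constructed `net getlocalsid` line so the mismatch can be checked before running pdbedit (the function names are my own).

```shell
# Added example (not from the thread or the Samba HOWTO). Reproduces the
# RID arithmetic behind the "non-uid based user RID" error: the smbpasswd
# backend computes rid = uid * 2 + "algorithmic rid base" (default 1000),
# so root (uid 0) can only hold RID 1000 there, never Administrator's 500.

RID_BASE=1000      # Samba's "algorithmic rid base" default
RID_MULTIPLIER=2

# RID the smbpasswd backend computes for a Unix uid.
algorithmic_rid() {
    echo $(( $1 * RID_MULTIPLIER + RID_BASE ))
}

# Extracts the domain SID from `net getlocalsid` output read on stdin.
domain_sid() {
    sed -n 's/^SID for domain .* is: *\(S-[0-9-]*\).*$/\1/p'
}

# Returns 0 when the smbpasswd backend can store <rid> for <uid>, 1 otherwise.
rid_is_storable() {   # rid_is_storable <uid> <rid>
    [ "$2" -eq "$(algorithmic_rid "$1")" ]
}

# Prints the full user SID and the verdict for one uid/rid pair.
explain_rid() {       # explain_rid <domain-sid> <uid> <rid>
    if rid_is_storable "$2" "$3"; then
        echo "$1-$3: OK, uid $2 maps to rid $3 under the smbpasswd backend"
    else
        echo "$1-$3: rejected, uid $2 maps to rid $(algorithmic_rid "$2");" \
             "switch to 'passdb backend = tdbsam' (or ldapsam) before assigning rid $3"
    fi
}

# Constructed sample output mirroring the HOWTO excerpt quoted in the thread.
SAMPLE_OUTPUT='SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299'
DOM=$(printf '%s\n' "$SAMPLE_OUTPUT" | domain_sid)
explain_rid "$DOM" 0 500     # root as domain Administrator: rejected on smbpasswd
explain_rid "$DOM" 0 1000    # root with its algorithmic RID: accepted
```

On a real server replace SAMPLE_OUTPUT with the live `net getlocalsid` output and check `pdbedit -L -v` to see which RID each account currently holds.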

RE: [Samba] root != admin domain user?

2007-10-23 Thread L.P.H. van Belle
Well, 

/snap 
connecting to a remote Windows workstation or unlocking a locked 
session using that user comes, the workstation shows a message telling 
that I (or the SysAdmin using the root or Administrator account) have no 
privileges to do that...
/snap 

sounds correct..  

but didn't you forget to 
1) put the Domain Administrators group into the remote desktop ( terminal
services ) 
2) change the local administrator's password to the same password as the
Domain Administrator
3) enable Terminal Services at all.
4) does the account have a password and is it a member of the LOCAL Terminal
Services group. 

check all 4 and you will fix it.

this is how I work.

1) the Domain user I work with = Domain Admin ( primary group ) 
2) Domain Admins are allowed to log on to Terminal Services. 
3) just for backup, my login name also exists as a local user, AND has access to
Terminal Services.
this in case the Domain Controller has a problem and you MUST have
access to a desktop.

Good Luck.

Louis



-Original message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On behalf of 
Martin Mielke
Sent: Tuesday 23 October 2007 11:36
To: samba@lists.samba.org
Subject: [Samba] root != admin domain user?
