Re: [Samba] domain group mapping in 3.0.23a issues

2006-08-04 Thread Chris
On Friday 04 August 2006 14:24, Chris wrote:
> If not, why might members of the domadm group (as in the second
> example) not have admin privileges when logging onto the domain?

I figured this part out... specific RIDs are needed for certain groups.
With previous versions the correct RIDs were assigned and only mapping
needed to be done. Why was this ever dropped?

Also when mapping something such as Domain Admins should the type 
be builtin? Or is this effectively deprecated as there effectively 
are no builtin groups anymore?

Thanks,

Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] domain group mapping in 3.0.23a issues

2006-08-04 Thread Gerald (Jerry) Carter

Chris wrote:
> On Friday 04 August 2006 14:24, Chris wrote:
>> If not, why might members of the domadm group (as in the second
>> example) not have admin privileges when logging onto the domain?
>
> I figured this part out... specific RIDs are needed
> for certain groups.  With previous versions the correct RIDs
> were assigned and only mapping needed to be done. Why
> was this ever dropped?

Inconsistent behavior depending on the passdb backend.
You can create built in groups using 'net sam createbuiltingroup name'

> Also when mapping something such as Domain Admins
> should the type be builtin? Or is this effectively
> deprecated as there effectively are no builtin
> groups anymore?

Don't confuse BUILTIN groups with prepopulated mapping entries.
To create a domain admins mapping, run

net groupmap add rid=513 unixgroup=foo






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


RE: [Samba] domain group mapping in 3.0.23a issues

2006-08-04 Thread John Mason

Hey, I use the exact same samba version as you... I'm waiting for the 3.0.23b 
or higher but anyway..

In addition to net groupmap commands, you'll need to look at net rpc rights 
commands for any other-than-admin rights.
It seems samba (and someone correct me if I'm wrong) does the windows 
compatible thing that RID 512 is the admin group.. so use net groupmap add to 
associate the 512 RID to some unix-group. 513 is Domain Users, 514 is Domain 
Guests, and 515 is Domain Computers.

And then for basic rights, check these out:
for instance, this will list the rights that are supported:

[EMAIL PROTECTED] ~ ]  net rpc -U root -S pdc rights list
Password:
 SeMachineAccountPrivilege  Add machines to domain
  SeTakeOwnershipPrivilege  Take ownership of files or other objects
         SeBackupPrivilege  Back up files and directories
        SeRestorePrivilege  Restore files and directories
 SeRemoteShutdownPrivilege  Force shutdown from a remote system
  SePrintOperatorPrivilege  Manage printers
       SeAddUsersPrivilege  Add users and groups to the domain
   SeDiskOperatorPrivilege  Manage disk shares

Then, to grant rights to a user (or a group):
net rpc -U root -S pdc rights grant DOMAIN/USER_OR_GROUP SeTakeOwnershipPrivilege ...


Then to revoke, use revoke in place of grant.

Hope this helps.
JAM


-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Chris
Sent: Fri 8/4/2006 1:24 PM
To: samba@lists.samba.org
Subject: [Samba] domain group mapping in 3.0.23a issues
 
How does one create all of the builtin groups for this release?

When using tdbsam with previous releases one would automatically get 
such groups as:

System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Admins (S-1-5-21-1832519723-2688400599-3493754984-512) - domadmin
Domain Guests (S-1-5-21-1832519723-2688400599-3493754984-514) - nobody
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - prtadmin
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Users (S-1-5-21-1832519723-2688400599-3493754984-513) - agent
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

I can manually map groups such as:

Domain Admins (S-1-5-21-1043961623-2377510293-736199847-1001) - domadm
Domain Guests (S-1-5-21-1043961623-2377510293-736199847-1003) - nobody
Domain Users (S-1-5-21-1043961623-2377510293-736199847-1002) - users
Print Operators (S-1-5-21-1043961623-2377510293-736199847-1004) - prtadm

But for some reason members of the domadm group are not receiving admin 
privileges when logging on.

Is the existence of -1 groups necessary?
If so how does one create them?
If not, why might members of the domadm group (as in the second example) 
not have admin privileges when logging onto the domain?

Thanks,

Chris
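
An added example, not part of any message in this thread: a small checker that reads group mappings in the "name (SID) - unixgroup" form quoted above and reports groups whose SID does not carry the RID the thread gives for them (512-515 for the domain groups, the S-1-5-32 values from the first listing for the builtin ones). The function name and the idea of piping a saved listing into it are assumptions of this example.

```python
import re

# RIDs the thread names for domain groups (relative to the domain SID).
DOMAIN_RIDS = {"Domain Admins": 512, "Domain Users": 513,
               "Domain Guests": 514, "Domain Computers": 515}
# BUILTIN groups and RIDs as they appear in the first listing in the thread.
BUILTIN_RIDS = {"Administrators": 544, "Users": 545, "Guests": 546,
                "Power Users": 547, "Account Operators": 548,
                "System Operators": 549, "Print Operators": 550,
                "Backup Operators": 551, "Replicators": 552}

# "NT name (SID) -> unixgroup"; the archived mail shows "-" where "->" was.
LINE_RE = re.compile(r"^(.+?) \((S-1-[\d-]+)\) (?:->|-) (\S+)$")

def audit_groupmap(listing):
    """Return (name, sid, expected) for each known group mapped to an unexpected SID."""
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a mapping line
        name, sid, _unix = m.groups()
        authority, _, rid = sid.rpartition("-")
        if name in DOMAIN_RIDS:
            # Domain groups live under the domain SID (S-1-5-21-...) with a fixed RID.
            ok = authority.startswith("S-1-5-21-") and int(rid) == DOMAIN_RIDS[name]
            expected = f"<domain SID>-{DOMAIN_RIDS[name]}"
        elif name in BUILTIN_RIDS:
            expected = f"S-1-5-32-{BUILTIN_RIDS[name]}"
            ok = sid == expected
        else:
            continue  # site-specific group, nothing to compare against
        if not ok:
            findings.append((name, sid, expected))
    return findings

# The manual mappings quoted in the thread, with wrapped lines rejoined.
MANUAL = """\
Domain Admins (S-1-5-21-1043961623-2377510293-736199847-1001) - domadm
Domain Guests (S-1-5-21-1043961623-2377510293-736199847-1003) - nobody
Domain Users (S-1-5-21-1043961623-2377510293-736199847-1002) - users
Print Operators (S-1-5-21-1043961623-2377510293-736199847-1004) - prtadm
"""

if __name__ == "__main__":
    for name, sid, expected in audit_groupmap(MANUAL):
        print(f"{name}: {sid} should be {expected}")
```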