Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 

 
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld
sa...@marc-muehlfeld.de wrote:

> Hello Donny,
>
> On 12.07.2013 21:34, Donny Brooks wrote:
> > On the old domain, which was set up before I got here,
> > our IT section was in an ldap group that allowed us to
> > join PCs to the domain ...
>
> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
>
> > ... and when the prompt came up in windows to
> > install software we could log in as ourselves.
>
> What do you mean by this? Do you want to have a group of users
> automatically in the administrator group on your workstations?
>
> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
>
> If you mean something else, please give some more details.
>
> Regards,
> Marc

Yes, on the old domain we had all of our IT staff in a group that was able to
join PCs to the domain and install software by inputting their domain
credentials when prompted. Looking at the first link, that is for Samba 4.X. We
are on Samba 3.5.10 so that does not apply.

-- 

Donny B. 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

According to the net man page:

    In order for Samba to be joined or unjoined remotely an account
    must be used that is either member of the Domain Admins group, a
    member of the local Administrators group or a user that is granted
    the SeMachineAccountPrivilege privilege.

The simplest thing is probably to have the Domain IT group be a member
of the local admin group on each machine. I don't know if you would
need to grant them the SeMachineAccountPrivilege.






Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
Looks like I need to do this here: 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

And map our itgroup to the Domain Admins group. Although we do have a Domain 
Admins group in ldap. Should that cause an issue?
-- 

Donny B. 



Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal


Group mapping is to make sure Windows groups map to the correct unix
group. This is not like mapping a Windows user name to a different
unix user name (e.g. Windows Administrator = Unix root).

With LDAP, group mapping is usually simpler since the LDAP object for a
group usually has the Samba SID and the unix group id. The net
groupmap list command is useful for validating this. You want to make
sure that you do see group mapping for Domain Admins and Domain
Users and other well known groups. You are more likely to have to use
the net groupmap add command when you don't have LDAP.

Well known groups have specific relative IDs. The domain admin
group HAS to have a relative ID of 512 in the SID. You have to make
sure the Administrator is in the group. That behavior changes with
versions newer than 3.0.x.

# net groupmap list
Domain Admins (S-1-5-21--x-x-512) -> Domain Admins
...
# getent group "Domain Admins"
Domain Admins::512:Administrator
#

I don't think you have a samba issue. I think you have a general
windows issue about the most practical way to provide the IT group with
sufficient privileges to manage computers without giving too much access.

Depending on the size of your IT department, and the necessity to
audit/control who makes what change, each IT user may need two accounts,
one that is a regular account and one that is a member of the domain
admins and local admins group (e.g. donny and donny_admin). This
way they can do whatever they need, but they don't run as admin for
routine tasks, and you can track who made what change (if need be) or
limit who has full admin rights.






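An added example, not code from the thread or from Samba: a small POSIX sh check that parses the `net groupmap list` and `getent group` output formats Gaiseric refers to and verifies the state he describes, extending his Domain Admins/512 check to the other well-known groups (Domain Users 513, Domain Guests 514) and checking that Administrator is a member of the mapped unix group. The two sample listings and the domain SID S-1-5-21-111-222-333 are constructed so the script runs offline; on a real Samba 3.x DC you would feed the live command output to the functions instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): validate Samba 3.x
# group mapping state offline against constructed sample output.

# Constructed stand-in for `net groupmap list` output; each line has the
# form "Name (SID) -> unixgroup". The domain SID S-1-5-21-111-222-333 is
# made up; RIDs 512/513/514 are the fixed well-known RIDs of
# Domain Admins / Domain Users / Domain Guests.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-111-222-333-512) -> Domain Admins
Domain Users (S-1-5-21-111-222-333-513) -> Domain Users
Domain Guests (S-1-5-21-111-222-333-514) -> Domain Guests
itgroup (S-1-5-21-111-222-333-3001) -> itgroup'

# Constructed stand-in for `getent group "Domain Admins"`. The unix gid
# (512 here) is independent of the RID inside the SID; Windows only looks
# at the RID, Samba uses the gid to find the unix members.
SAMPLE_GETENT='Domain Admins:x:512:Administrator,donny'

# rid_of NAME [LISTING]: print the RID (last SID component) that LISTING
# maps for the Windows group NAME; prints nothing when NAME is unmapped.
rid_of() {
    printf '%s\n' "${2:-$SAMPLE_GROUPMAP}" |
        sed -n "s/^$1 (S-1-5-21-[0-9-]*-\([0-9]*\)) -> .*/\1/p"
}

# check_well_known [LISTING]: succeed only if every well-known group
# carries its fixed RID. A mismatch (for instance itgroup mapped under
# the Domain Admins name with its own RID) is reported on stderr.
check_well_known() {
    rc=0
    for pair in 'Domain Admins:512' 'Domain Users:513' 'Domain Guests:514'; do
        name=${pair%:*}
        want=${pair#*:}
        got=$(rid_of "$name" "${1:-$SAMPLE_GROUPMAP}")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: '$name' maps to RID '${got:-none}', expected $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# administrator_in_group [GETENT_LINE]: succeed when the Administrator
# account is listed among the members of the unix group backing
# Domain Admins, which the thread says must be the case.
administrator_in_group() {
    members=$(printf '%s\n' "${1:-$SAMPLE_GETENT}" |
        awk -F: '$1 == "Domain Admins" { print $4 }')
    case ",$members," in
        *,Administrator,*) return 0 ;;
    esac
    return 1
}

# Sample run against the constructed data.
check_well_known && administrator_in_group && echo "group mapping looks sane"
```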


Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
It is correctly mapped and is 512. Nothing changed on the windows side during 
the domain change other than removing the machines from the old domain and 
rejoining them to the new one. We don't have to have the accounting trail that 
two accounts would give us right now. I just want to be able to tell my other 
people they can join computers to the domain and perform software upgrades with 
their own credentials. 
-- 

Donny B. 



Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal


OK
I am looking at your original post again. I don't think you said
which version you had been using.

net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U superusername

Is the superuser name the domain Administrator account? The problem
seems to involve the superusername user, not the Domain Admins
group. I think with older versions of samba, the Administrator
account was implicit, and you could map the windows Administrator to
the unix root account and all was OK. With

Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal 
gaiseric.van...@gmail.com wrote: 
 
Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

On 07/17/13 16:12, Donny Brooks wrote:
  
  
  
Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 04:33 PM CDT, Gaiseric Vandal 
gaiseric.van...@gmail.com wrote: 
 
 On 07/17/13 16:12, Donny Brooks wrote:



  On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal 
  gaiseric.van...@gmail.com wrote:

  On 07/17/13 15:02, Donny Brooks wrote:
 
 
 
  On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal 
  gaiseric.van...@gmail.com wrote:
 
  On 07/17/13 14:32, Donny Brooks wrote:
  
  
  
  On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal 
  gaiseric.van...@gmail.com wrote:
  
  According to the net man page
 
 
 In order for Samba to be joined or unjoined remotely an 
  account
  must be
 used that is either member of the Domain Admins group, a 
  member
  of the
 local Administrators group or a user that is granted the
 SeMachineAccountPrivilege privilege.
 
 
 
 
  The simplest thing is probably to have the Domain IT group be a member
  of the local admin group on each machine.  I don't know if you would
  need to grant them the  SeMachineAccountPrivilege.
 
 
 
  On 07/17/13 09:44, Donny Brooks wrote:
   
 
   
  On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld 
  sa...@marc-muehlfeld.de wrote:
   
  Hello Donny,
 
  Am 12.07.2013 21:34, schrieb Donny Brooks:
  On the old domain, which was setup before I got here,
our IT section was in an ldap group that allowed us to
join PC's to the domain ...
 
  http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
 
 
 
 
... and when the prompt came up in windows to
install software we could log in as ourselves.
 
  What do you mean by this? Do you want to have a group of users
  automatically in the administrator group on your workstations?
 
  http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
 
  If you mean something else, please give some more details.
 
 
 
  Regards,
  Marc
 
 
 
 
 
   
  Yes, on the old domain we had all of our IT staff in a group that was 
  able to join pcs to the domain and install software by inputting 
  their domain credentials when prompted. Looking at the first link 
  that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.
 
  -- 
  To unsubscribe from this list go to the following URL and read the
  instructions:  https://lists.samba.org/mailman/options/samba
  
  Looks like I need to do this here: 
  http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
 
  And map our itgroup to the Domain Admins group. Although we do have a 
  Domain Admins group in ldap. Should that cause an issue?
  Group mapping is to make sure Windows groups map to the correct unix
  group.  This is not like mapping a Windows user name to a different
  unix user name (e.g Windows Administrator = Unix root.)
 
  With LDAP, group mapping is usually simpler since the LDAP object for a
  group usually has the Samba SID and the unix group id. The net
  groupmap list command is useful for validating this.   You want to make
  sure that you do see group mapping for Domain Admins and Domain
  Users and other well known groups.  You are more likely to have to use
  the net groupmap add command when you don't have LDAP.
 
 
 Well known groups have to have specific relative IDs.  The domain admin
 group HAS to have a relative ID of 512 in the SID.  You have to make
 sure the Administrator is in the group.   That behavior changes with
 versions newer than 3.0.x
 
 
 
 
 # net groupmap list
  
  Domain Admins (S-1-5-21--x-x-512) - Domain Admins
  ...
  # getent group Domain Admins
  Domain Admins::512:Administrator
  #
 
 
 I don't think you have a samba issue.  I think you have a general
 windows issue about the most practical way to provide the IT group with
 sufficient privileges to manage computers without giving too much
 access.
 
 
 Depending on the size of your IT department, and the necessity to
 audit/control who makes what change, each IT user may need two accounts,
 one that is a regular account and one that is a member of the domain
 admins and local admins group.  (e.g. donny and donny_admin.)  This
 way they can do whatever they need, but they don't run as admin for
 routine tasks, and you can track who made what change (if need be) or
 limit who has full admin rights.
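As an added example (not from the thread, and not Samba's own code), a small POSIX shell checker for the `net groupmap list` sanity check described above: it reads the listing and confirms that the well-known RIDs 512, 513 and 514 are present, carry the expected NT group names and are mapped to a unix group. The "NT group (SID) -> unix group" output format and the sample lines are assumptions.

```shell
# Added example, not from the thread: sanity-check `net groupmap list` output
# for the well-known RIDs a Samba 3 domain needs (512 Domain Admins,
# 513 Domain Users, 514 Domain Guests). Assumes the usual output format
# "NT group (SID) -> unix group"; pipe real output in with:
#   net groupmap list | check_groupmap

expected_name_for_rid() {
    case "$1" in
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        *)   echo "" ;;
    esac
}

# Reads groupmap lines on stdin, prints one status line per well-known RID.
# Returns 0 only if every RID is present, carries the expected NT name and
# is mapped to a non-empty unix group.
check_groupmap() {
    input=$(cat)
    status=0
    for rid in 512 513 514; do
        want=$(expected_name_for_rid "$rid")
        line=$(printf '%s\n' "$input" | grep -E "\(S-1-5-21-[0-9-]+-$rid\) -> " | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING rid=$rid ($want): no mapping, see 'net groupmap add'"
            status=1
            continue
        fi
        ntname=$(printf '%s\n' "$line" | sed 's/ (.*$//')       # before " ("
        unixgroup=$(printf '%s\n' "$line" | sed 's/^.*-> //')   # after "-> "
        if [ "$ntname" != "$want" ]; then
            echo "MISMATCH rid=$rid: NT name '$ntname', expected '$want'"
            status=1
        elif [ -z "$unixgroup" ]; then
            echo "UNMAPPED rid=$rid ($want): no unix group"
            status=1
        else
            echo "OK rid=$rid $want -> $unixgroup"
        fi
    done
    return $status
}

# Constructed sample (not real domain data): Domain Guests is not mapped.
SAMPLE='Domain Admins (S-1-5-21-100-200-300-512) -> Domain Admins
Domain Users (S-1-5-21-100-200-300-513) -> users
itgroup (S-1-5-21-100-200-300-1001) -> itgroup'

printf '%s\n' "$SAMPLE" | check_groupmap || echo "groupmap check failed"
```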
 
 
 
 
 
 
 
  It is correctly mapped and is 512. Nothing changed on the windows side 
  during the domain change other than removing the machines from the old 
  domain and rejoining them to the new one. We don't have to have the 
  accounting trail that two accounts would give us right now. I just want 
  to be able to tell my other people they can join computers to the domain 
  and perform software upgrades with their own credentials.
 
  OK
  I am 

Re: [Samba] Administrative users on domain

2013-07-13 Thread Marc Muehlfeld

Hello Donny,

Am 12.07.2013 21:34, schrieb Donny Brooks:

On the old domain, which was setup before I got here,

 our IT section was in an ldap group that allowed us to
 join PC's to the domain ...

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions




 ... and when the prompt came up in windows to
 install software we could log in as ourselves.

What do you mean by this? Do you want to have a group of users 
automatically in the administrator group on your workstations?


http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s

If you mean something else, please give some more details.



Regards,
Marc







[Samba] Administrative users on domain

2013-07-12 Thread Donny Brooks
Back in January we upgraded/moved our domain from an old install of samba and 
openldap to a newer version (samba 3.5.10 and openldap 2.4.23) while also 
moving our domain to a new name. On the old domain, which was set up before I 
got here, our IT section was in an ldap group that allowed us to join PCs to 
the domain and when the prompt came up in windows to install software we could 
log in as ourselves. However that is not the case on the new domain and I 
cannot figure out how to set that back up. I have looked at the docs on samba 
rights (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html) 
but it seems I am missing something since when I type:

net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S 
enterprise -U superusername

it returns:

Failed to grant privileges for MDAH\Domain Admins (NT_STATUS_NO_SUCH_USER)

superusername is our superuser account that we currently have to type in to 
join machines to the domain. However when installing software we have to 
log in as local administrator or do a MACHINENAME\Administrator and its 
password to install software. 

Any pointers?
-- 

Donny B.