domain admin group in samba 3? - SMB
domain admin group in samba 3?
What is the samba 3 (as in 3.0.10) equivalent to "domain admin group"?
It seems that it does not like if I have something like this
[global]
domain admin group = @sambaadmin
in my smb.conf:
[root@moss samba]# testparm
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "domain admin group"
Ignoring unknown parameter "domain admin group"
Processing section "[homes]"
[...]
--
Mauricio raub-kudria-com
(if you need to email me, use this address =)
-
Re: domain admin group in samba 3?
Mauricio Tavares wrote:
> What is the samba 3 (as in 3.0.10) equivalent to "domain admin group"?
> It seems that it does not like if I have something like this
>
> [global]
> domain admin group = @sambaadmin
>
Yes, you will have to groupmap the "Domain Admins" windows builtin group to
a proper unix group. "man net /groupmap" should give some help.
--
Longhorn error#4711: TCPA / NGSCP VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
*to*remove*offending*incompatible*products.**Reactivate*MS*software.
Linux woodpecker.homnet.at 2.6.11-mm4[LinuxCounter#295241,ICQ#4918962]
-
Re: domain admin group in samba 3?
Walter Mautner wrote in
news:63o2n2-pjk.ln1@woodpecker.homnet.at:
> Mauricio Tavares wrote:
>
>> What is the samba 3 (as in 3.0.10) equivalent to "domain admin
>> group"? It seems that it does not like if I have something like this
>>
>> [global]
>> domain admin group = @sambaadmin
>>
> Yes, you will have to groupmap the "Domain Admins" windows builtin
> group to a proper unix group. "man net /groupmap" should give some
> help.
So, you mean if I define sambaadmin as
[root@moss ~]# fgrep sambaadmin /etc/group
sambaadmin:x:502:root,teleforms,chris,mauricio
[root@moss ~]#
I should have something like
[root@moss ~]# net groupmap add ntgroup="Domain Admins" unixgroup=sambaadmin type=domain
No rid or sid specified, choosing algorithmic mapping
Successully added group Domain Admins to the mapping db
[root@moss ~]#
? Reading http://info.ccone.at/INFO/Samba/groupmapping.html, table 12.1, I
was wondering if I have to add the rid to the above statement
-
Re: domain admin group in samba 3?
Mauricio wrote:
.....
> So, you mean if I define sambaadmin as
>
> [root@moss ~]# fgrep sambaadmin /etc/group
> sambaadmin:x:502:root,teleforms,chris,mauricio
> [root@moss ~]#
>
> I should have something like
>
> [root@moss ~]# net groupmap add ntgroup="Domain Admins"
> unixgroup=sambaadmin type=domain
> No rid or sid specified, choosing algorithmic mapping
> Successully added group Domain Admins to the mapping db
> [root@moss ~]#
>
> ? Reading http://info.ccone.at/INFO/Samba/groupmapping.html, table 12.1, I
> was wondering if I have to add the rid to the above statement
Hmm, since "Domain Admins" is a predefined group (always has RID 512) I
guess samba does the right thing. Just check with "net groupmap list".
--
Longhorn error#4711: TCPA / NGSCP VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
*to*remove*offending*incompatible*products.**Reactivate*MS*software.
Linux woodpecker.homnet.at 2.6.11-mm4[LinuxCounter#295241,ICQ#4918962]
-
Re: domain admin group in samba 3?
Walter Mautner wrote:
> Mauricio wrote:
>
> ....
>
>> So, you mean if I define sambaadmin as
>>
>>[root@moss ~]# fgrep sambaadmin /etc/group
>>sambaadmin:x:502:root,teleforms,chris,mauricio
>>[root@moss ~]#
>>
>>I should have something like
>>
>>[root@moss ~]# net groupmap add ntgroup="Domain Admins"
>>unixgroup=sambaadmin type=domain
>>No rid or sid specified, choosing algorithmic mapping
>>Successully added group Domain Admins to the mapping db
>>[root@moss ~]#
>>
>>? Reading http://info.ccone.at/INFO/Samba/groupmapping.html, table 12.1, I
>>was wondering if I have to add the rid to the above statement
>
>
> Hmm, since "Domain Admins" is a predefined group (always has RID 512) I
> guess samba does the right thing. Just check with "net groupmap list".
I guess it seems to be there:
[root@moss ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-3424750445-3318858004-1974777301-513) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-11055) -> sambaadmin
Power Users (S-1-5-32-547) -> -1
Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-512) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-3424750445-3318858004-1974777301-514) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
[root@moss ~]#
But, when I, say log in as teleforms in a given machine and try to run a
program that needs to be run from an user with enough permissions to
write to the Programs directory in c:. Well, it is not able to write to
its temporary files (they are in its app directory; do not ask me why).
So, which is the minimum permission I need to do that? I know this is
more of a Windows question but I am rather clueless today. =D
--
Mauricio raub-kudria-com
(if you need to email me, use this address =)
-
Re: domain admin group in samba 3?
Mauricio Tavares wrote:
>> Hmm, since "Domain Admins" is a predefined group (always has RID 512) I
>> guess samba does the right thing. Just check with "net groupmap list".
>
>
> I guess it seems to be there:
>
> [root@moss ~]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Users (S-1-5-21-3424750445-3318858004-1974777301-513) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-11055) ->
> sambaadmin
> Power Users (S-1-5-32-547) -> -1
> Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-512) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Guests (S-1-5-21-3424750445-3318858004-1974777301-514) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> [root@moss ~]#
Update: I just looked at what I wrote above and realized now my samba
domain has *two* Domain Admin groups, one with rid=512 and a newly
created one with rid=11055. What is going on here? So, I then tried to
put the sambaadmin group in the group with the right rid:
[root@moss ~]# net groupmap add ntgroup="Domain Admins" rid=512 unixgroup=sambaadmin
adding entry for group Domain Admins failed!
[root@moss ~]#
Can't say I am feeling particularly happy. Any reason why I should not be
able to add my unixgroup to the right ntgroup with the right rid?
--
Mauricio raub-kudria-com
(if you need to email me, use this address =)
-
Re: domain admin group in samba 3?
Mauricio Tavares wrote:
> Mauricio Tavares wrote:
>>> Hmm, since "Domain Admins" is a predefined group (always has RID 512) I
>>> guess samba does the right thing. Just check with "net groupmap list".
>>
>>
>> I guess it seems to be there:
>>
>> [root@moss ~]# net groupmap list
>> System Operators (S-1-5-32-549) -> -1
>> Domain Users (S-1-5-21-3424750445-3318858004-1974777301-513) -> -1
>> Replicators (S-1-5-32-552) -> -1
>> Guests (S-1-5-32-546) -> -1
>> Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-11055) ->
>> sambaadmin
.....
>> Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-512) -> -1
.....
> Update: I just looked at what I wrote above and realized now my samba
> domain has *two* Domain Admin groups, one with rid=512 and a newly
> created one with rid=11055. What is going on here? So, I then tried to
> put the sambaadmin group in the group with the right rid:
>
> [root@moss ~]# net groupmap add ntgroup="Domain Admins" rid=512
> unixgroup=sambaadmin
> adding entry for group Domain Admins failed!
> [root@moss ~]#
>
Since you already have had a "Domain Admins" group, you would rather want
"net groupmap modify" instead. Look for the syntax of this command, and
also "net groupmap delete" as I think you will have to trash the
superfluous 2nd group.
--
Longhorn error#4711: TCPA / NGSCP VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
*to*remove*offending*incompatible*products.**Reactivate*MS*software.
Linux woodpecker.homnet.at 2.6.11-mm4[LinuxCounter#295241,ICQ#4918962]
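
Added example (not part of the thread): a shell check over "net groupmap list" output that flags the condition diagnosed above, an NT group name listed twice and "Domain Admins" mapped under a RID other than the 512 the thread cites. The sample lines are copied from the listing posted in the thread; the function names audit_groupmap and sample_listing are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit `net groupmap list` output.
# audit_groupmap reads the listing on stdin, prints one finding per line.
audit_groupmap() {
    awk '
    # Rejoin an entry that was wrapped after "->" (as in the posted listing).
    /->[ \t]*$/ { held = $0; next }
    held != ""  { $0 = held " " $0; held = "" }
    {
        # Expected shape: NT group name (SID) -> unix group, or -1 if unmapped
        if (!match($0, /\(S-[0-9-]+\)/)) next
        sid  = substr($0, RSTART + 1, RLENGTH - 2)
        name = substr($0, 1, RSTART - 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        ugrp = $0; sub(/^.*->[ \t]*/, "", ugrp); sub(/[ \t]+$/, "", ugrp)
        rid  = sid; sub(/^.*-/, "", rid)
        count[name]++
        sids[name] = sids[name] " " sid
        # The thread gives 512 as the fixed RID of Domain Admins.
        if (name == "Domain Admins" && rid == "512" && ugrp == "-1")
            print "UNMAPPED: Domain Admins RID 512 has no unix group"
        if (name == "Domain Admins" && rid != "512" && ugrp != "-1")
            print "WRONG-RID: Domain Admins mapped to " ugrp " under RID " rid
    }
    END {
        for (n in count)
            if (count[n] > 1)
                print "DUPLICATE: " n " listed " count[n] " times:" sids[n]
    }'
}

# Sample input: lines copied from the listing posted earlier in the thread.
sample_listing() {
    cat <<'EOF'
Domain Users (S-1-5-21-3424750445-3318858004-1974777301-513) -> -1
Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-11055) ->
sambaadmin
Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-512) -> -1
Administrators (S-1-5-32-544) -> -1
EOF
}

sample_listing | audit_groupmap
```

On a live server the same function can be fed directly with: net groupmap list | audit_groupmap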
-
Re: domain admin group in samba 3?
Walter Mautner wrote:
> Mauricio Tavares wrote:
>
>
> Since you already have had a "Domain Admins" group, you would rather want
> "net groupmap modify" instead. Look for the syntax of this command, and
> also "net groupmap delete" as I think you will have to trash the
> superfluous 2nd group.
It worked:
[root@moss ~]# net groupmap modify ntgroup="Domain Admins" unixgroup=sambaadmin
Updated mapping entry for Domain Admins
[root@moss ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-3424750445-3318858004-1974777301-513) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Admins (S-1-5-21-3424750445-3318858004-1974777301-512) -> sambaadmin
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-3424750445-3318858004-1974777301-514) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
[root@moss ~]#
Thanks!
--
Mauricio raub-kudria-com
(if you need to email me, use this address =)