LinuxQuestions.org

Linux - Server forum thread: How to create local administrators for Windows PCs on Samba PDC (https://www.linuxquestions.org/questions/linux-server-73/how-to-create-local-administrators-for-windows-pcs-on-samba-pdc-838842/)

unassassinable 10-18-2010 11:25 AM

How to create local administrators for Windows PCs on Samba PDC
 
Hi all,

I am using SuSE 11.2's built in Samba and LDAP server (that comes with Yast) on our network. Everything connects fine, I can access shares, I can authenticate correctly, but I just need help on how to create a local admins group so Windows users can install their own software and such.

Thanks,
Rich

jamrock 10-18-2010 02:36 PM

Where do you want the users to be able to install software. On their own workstations?

unassassinable 10-19-2010 01:00 AM

yes.

Blue_Ice 10-19-2010 03:39 AM

When you install Windows on a computer it always creates some standard groups. One of them is the Administrators group. So if you add your network users to that group, they will be local admins. It is not a really nice way, because you had better make a network group, which is added to the Administrators group on the local machine. This way you are able to add users to the network group and they will automatically have admin rights on the Windows client.

jamrock 10-19-2010 07:39 AM

Windows (and therefore Samba) has the concept of local accounts and domain accounts.

Local accounts are created on each Windows machine and must be managed from each machine.

Domain accounts are created on a domain controller and must be managed from a domain controller.

When a workstation joins a domain, the domain administrator's account is automatically added to the local administrator's group. To give your user administrative privileges on his workstation, you will need to manually add his domain account to the local administrator's group. This is done from his workstation.

Right-click on My Computer -> Manage -> Local Users and Groups -> Groups.

Choose the administrators group and add the domain account to it.

I have read of ways to automate this process using scripts but I have never tried any.

Giving users administrative control over their machines does carry significant security risks.

unassassinable 10-20-2010 11:21 AM

Quote:

When a workstation joins a domain, the domain administrator's account is automatically added to the local administrator's group.
I fixed it with your help! But....

So I noticed something based on your suggestion, jamrock. I went into Local Users and Groups > clicked on Groups > Administrators > and root is not listed as an administrator, root being the account that I used when joining the PC to the domain. I do have a local admin user that was created as a local user before I joined it to the domain. When I log in as this user (to the local machine, not to the domain) and go to Local Users and Groups > Groups > Administrators, I click Add > "Select this object type" is set to Users or Groups > "From this location" is set to NMM.local (my domain name) > I click the Advanced button > I click Find Now and a small box pops up asking "Enter a name and password of an account with permissions for NMM.local". I put in root and the password of root, making sure it is in this format:

nmm.local\root
password

I am then able to add root and the group employees as local admins and it works. Thanks for the pointer. I will mark this posting as solved in a bit. First I want to make sure it all worked correctly.

Rich

jamrock 10-20-2010 07:50 PM

In Samba, the domain root account is mapped to the domain administrator's account.

Add a new machine to the domain. Can you log in as the domain root account and do administrative things such as install software? If you can, you already have local administrative rights on the machine.

It should not be necessary to add root to the local administrator's account. You should see the domain administrator there already.

Quote:

I am then able to add root and the group employees as local admins and it works.
This will give all members of the employee group administrative access to the machine. Do you want all your employees to have administrative rights on this machine? Do you want just the person who uses the machine to have administrative rights?

Be careful how you allow everyone administrative access to all the workstations. This is not a good idea.

unassassinable 10-21-2010 12:32 AM

I know root should be mapped as a domain admin. I think it was /etc/samba/smbusers that shows this relationship. However, when I join a computer to the domain using the root account, and reboot, I look under local users and groups > admins, root is not listed. I have to manually add him via the local admin account I created before joining to the domain. Is there any reason you can think why this is the case?

My organization is such that the computers are re-imaged on boot using a PXE server. Having users as local admins is not an issue, but great advice to pass on anyway.

Rich

jamrock 10-21-2010 06:45 AM

Quote:

Originally Posted by unassassinable (Post 4134350)
I know root should be mapped as a domain admin. I think it was /etc/samba/smbusers that shows this relationship. However, when I join a computer to the domain using the root account, and reboot, I look under local users and groups > admins, root is not listed.

This is normal behavior. Note that root = administrator. If you see the domain administrator, then root is there.


Quote:

Originally Posted by unassassinable (Post 4134350)
I have to manually add him via the local admin account I created before joining to the domain.

I have never done this and my domain root account has full administrative privileges over all the workstations.

You can test this easily.

Quote:

Add a new machine to the domain. Can you log in as the domain root account and do administrative things such as install software? If you can, you already have local administrative rights on the machine.

unassassinable 10-21-2010 03:58 PM

I'm sorry, I don't think I'm being very specific. Hopefully this illustrates the issue better than my lacking descriptions. This computer was just re-imaged and attached to the domain again this morning. I restarted after joining the domain. If you look at the attached image (screen.png), you can see the following:

1) I am logged in as user root (looking at the user name at the top of the Start menu, this is the Samba root user account, not a local account)
2) The computer has just been attached to the NMM.local domain (as seen in System Properties)
3) There are no domain administrators or root listed in the local Administrators dialog box.
4) I cannot change the system time (the error in the middle says not enough permissions)

Did I miss something as to why my domain account root is not auto-added as a domain admin? Here are the contents of my /etc/samba/smbusers file:

# This file allows you to map usernames from the clients to the server.
# Unix_name = SMB_name1 SMB_name2 ...
#
# See section 'username map' in the manual page of smb.conf for more
# information.
#
# This file is _not_ included in the default configuration as it makes the
# usage of an user named administrator impossible.

root = administrator
;nobody = guest pcguest smbguest

jamrock 10-21-2010 10:06 PM

I see what you mean. This is unusual.

How did you create your Samba users in LDAP?

unassassinable 10-21-2010 11:52 PM

I use the package ldapsmb. Though, I originally created the samba root user by doing

smbpasswd -a root

To add a user, I use this syntax:

ldapsmb -a -u userName --passwd 'passwordHere' --makehomedir -s (the -s promotes it to a Samba account; I leave it off for my 'Linux only' users). I can achieve the same results in Yast by going to Users and Groups > LDAP users > creating the user and making sure it uses the Samba PAM module in the advanced settings.

Rich

jamrock 10-22-2010 09:10 AM

I set up Samba domain controllers differently so I can be of little help with this.

I use the steps listed in Chapter 5 of Samba By Example
http://www.samba.org/samba/docs/man/...ide/happy.html

That approach uses the smbldap-tools to create the users in OpenLDAP.

Here are some thoughts to bear in mind.

Each Windows user and group has a SID or security identifier. This SID consists of the domain's SID and some additional characters.

Windows has some pre-defined groups such as Domain Users, Domain Admins and Domain Computers. These are known as the "well known security identifiers". The smbldap-tools create all of these for you in OpenLDAP.

This Microsoft document lists the well known security identifiers.

http://support.microsoft.com/kb/243330

I don't know if these exist in your user database. Note that your screen shot shows the security identifier for the domain admins group instead of the name of the group.

Quote:

SID: S-1-5-21domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
You may want to try setting up Samba the way that Samba by Example does. Use a test server until you get everything working properly.
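An added example (not from this thread, Samba or the smbldap-tools) in Python that ties together the two points above: it parses the smbusers username map quoted earlier (Unix name = SMB names, with '#' and ';' comment lines) and decomposes a domain SID such as the one in the screen shot into its domain part and RID, naming the well-known RIDs from the Microsoft list. The smbusers text and the SID value are constructed samples; the case-insensitive name matching is an assumption made here.

```python
import re

# Well-known domain-relative RIDs from the Microsoft list cited above (KB 243330).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# Constructed copy of the smbusers file quoted in the thread.
SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator
;nobody = guest pcguest smbguest
"""

def parse_username_map(text):
    """Parse 'unix_name = smb_name ...' lines; '#' and ';' lines are comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError("malformed username map line: %r" % raw)
        unix_name, smb_names = line.split("=", 1)
        mapping[unix_name.strip()] = smb_names.split()
    return mapping

def smb_to_unix(mapping, smb_name):
    """Return the Unix account an incoming SMB name maps to (assumed
    case-insensitive), or the name unchanged when no entry applies."""
    for unix_name, names in mapping.items():
        if smb_name.lower() in (n.lower() for n in names):
            return unix_name
    return smb_name

# Domain SIDs are S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def describe_sid(sid):
    """Split a domain SID into (domain SID, RID, well-known name or 'unknown').
    A bare SID in the Windows group dialog means the client could not resolve
    it to a group name, which is what the screen shot in the thread shows."""
    m = SID_RE.match(sid)
    if not m:
        return None
    rid = int(m.group(2))
    return (m.group(1), rid, WELL_KNOWN_RIDS.get(rid, "unknown"))
```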
