How to create local administrators for Windows PCs on Samba PDC
Hi all,
I am using SuSE 11.2's built in Samba and LDAP server (that comes with Yast) on our network. Everything connects fine, I can access shares, I can authenticate correctly, but I just need help on how to create a local admins group so Windows users can install their own software and such. Thanks, Rich
Where do you want the users to be able to install software? On their own workstations?
yes.
When you install Windows on a computer it always creates some standard groups. One of them is the Administrators group. So if you add your network users to that group, they will be local admins. It is not a really nice way, because you had better make a network group, which is added to the Administrators group on the local machine. This way you are able to add users to the network group and they will automatically have admin rights on the Windows client.
Windows (and therefore Samba) has the concept of local accounts and domain accounts.
Local accounts are created on each Windows machine and must be managed from each machine. Domain accounts are created on a domain controller and must be managed from a domain controller. When a workstation joins a domain, the domain administrator's account is automatically added to the local Administrators group. To give your user administrative privileges on his workstation, you will need to manually add his domain account to the local Administrators group. This is done from his workstation. Right-click on My Computer -> Manage -> Local Users and Groups -> Groups. Choose the Administrators group and add the domain account to it. I have read of ways to automate this process using scripts but I have never tried any. Giving users administrative control over their machines does carry significant security risks.
So I noticed something based on your suggestion, jamrock. I went into Local Users and Groups > clicked on Groups > Administrators > and root is not listed as an administrator. root is the account that I used when joining the PC to the domain. I do have a local admin user that was created as a local user before I joined it to the domain. When I log in as this user (to the local machine, not to the domain) and go to Local Users and Groups > Groups > Administrators, I click Add > "Select this object type" is set to Users or Groups > "From this location" is set to NMM.local (my domain name) > I click the Advanced button > I click Find Now and a small box pops up asking "Enter a name and password of an account with permissions for NMM.local". I put in root and the password of root, making sure it is in this format: nmm.local\root password. I am then able to add root and the group employees as local admins and it works. Thanks for the pointer. I will mark this posting as solved in a bit. First I want to make sure it all worked correctly. Rich
In Samba, the domain root account is mapped to the domain administrator's account.
Add a new machine to the domain. Can you log in as the domain root account and do administrative things such as install software? If you can, you already have local administrative rights on the machine. It should not be necessary to add root to the local administrator's account. You should see the domain administrator there already.
Be careful how you allow everyone administrative access to all the workstations. This is not a good idea.
I know root should be mapped as a domain admin. I think it was /etc/samba/smbusers that shows this relationship. However, when I join a computer to the domain using the root account, and reboot, I look under local users and groups > admins, root is not listed. I have to manually add him via the local admin account I created before joining to the domain. Is there any reason you can think why this is the case?
My organization is such that the computers are re-imaged on boot using a PXE server. Having users as local admins is not an issue, but great advice to pass on anyway. Rich
You can test this easily.
1 Attachment(s)
I'm sorry, I don't think I'm being very specific. Hopefully this illustrates the issue better than my lacking descriptions. This computer was just re-imaged, and attached to the domain again this morning. I restarted after joining the domain. If you look at the attached image (screen.png), you can see the following:
1) I am logged in as user root (looking at the user name at the top of the start menu, this is the Samba root user account, not a local account)
2) The computer has just been attached to the NMM.local domain (as seen in System Properties)
3) There are no domain administrators or root listed in the local Administrators dialog box.
4) I cannot change the system time (the error in the middle says not enough permissions)
Did I miss something as to why my domain account root is not auto-added as a domain admin? Here are the contents of my /etc/samba/smbusers file:
# This file allows you to map usernames from the clients to the server.
# Unix_name = SMB_name1 SMB_name2 ...
#
# See section 'username map' in the manual page of smb.conf for more
# information.
#
# This file is _not_ included in the default configuration as it makes the
# usage of an user named administrator impossible.
root = administrator
;nobody = guest pcguest smbguest
I see what you mean. This is unusual.
How did you create your Samba users in LDAP?
I use the package ldapsmb. Though, I originally created the Samba root user by doing smbpasswd -a root. For adding a user, I use this syntax: ldapsmb -a -u userName --passwd 'passwordHere' --makehomedir -s (the -s promotes it to a Samba account; I leave it off for my 'Linux Only' users). I can achieve the same results in Yast by going to Users and Groups > LDAP Users > creating the user and making sure it uses the Samba PAM module in advanced settings. Rich
I set up Samba domain controllers differently so I can be of little help with this.
I use the steps listed in Chapter 5 of Samba By Example http://www.samba.org/samba/docs/man/...ide/happy.html That approach uses the smbldap-tools to create the users in OpenLDAP. Here are some thoughts to bear in mind. Each Windows user and group has a SID or security identifier. This SID consists of the domain's SID and some additional characters. Windows has some pre-defined groups such as Domain Users, Domain Admins and Domain Computers. These are known as the "well known security identifiers". The smbldap-tools create all of these for you in OpenLDAP. This Microsoft document lists the well known security identifiers. http://support.microsoft.com/kb/243330 I don't know if these exist in your user database. Note that your screenshot shows the security identifier for the Domain Admins group instead of the name of the group.
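An added example, not code from this thread or from Samba, that parses the smbusers username map posted above the way smbd applies it and labels domain SIDs by their well-known RIDs. It shows that "root = administrator" only rewrites the login name a client sends (administrator becomes root) and does not by itself place root in Domain Admins, which is the RID 512 group whose SID the screenshot displays; the sample map text and SID values are constructed.

```python
import re

# Constructed sample mirroring the /etc/samba/smbusers shown in the thread.
SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator
;nobody = guest pcguest smbguest
"""

# Well-known RIDs (last component of <domain SID>-<RID>) from the KB article cited above.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}


def parse_username_map(text):
    """Parse 'unix = smb1 smb2 ...' lines. '#' and ';' start comments;
    a leading '!' means stop processing once that line has matched."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        unix_name, sep, rhs = line.lstrip("! ").partition("=")
        if sep and rhs.strip():
            entries.append((unix_name.strip(), rhs.split(), stop))
    return entries


def map_login_name(entries, smb_name, unix_groups=()):
    """Apply the map as smbd does: lines are tried in order, a match
    rewrites the name (case-insensitive; '*' matches anyone; '@grp' matches
    members of unix group grp) and later lines see the rewritten name."""
    name = smb_name
    for unix_name, patterns, stop in entries:
        if any(p == "*" or (p.startswith("@") and p[1:] in unix_groups)
               or p.lower() == name.lower() for p in patterns):
            name = unix_name
            if stop:
                break
    return name


def describe_sid(sid):
    """Label a domain SID such as S-1-5-21-...-512 by its well-known RID
    (the screenshot shows such a SID in place of the group name)."""
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if not m:
        return None
    rid = int(m.group(1))
    return WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
```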