LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 10-18-2010, 11:25 AM   #1
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Rep: Reputation: 7
How to create local administrators for Windows PCs on Samba PDC


Hi all,

I am using SuSE 11.2's built in Samba and LDAP server (that comes with Yast) on our network. Everything connects fine, I can access shares, I can authenticate correctly, but I just need help on how to create a local admins group so Windows users can install their own software and such.

Thanks,
Rich
 
Old 10-18-2010, 02:36 PM   #2
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
Where do you want the users to be able to install software. On their own workstations?
 
Old 10-19-2010, 01:00 AM   #3
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
yes.
 
Old 10-19-2010, 03:39 AM   #4
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
When you install windows on a computer it always creates some standard groups. One of them is the Administrators group. So if you add your network users to that group, they will be local admin. It is not a real nice way, because you better make a network group, which is added to the Administrators group on the local machine. This way you are able to add users to the network group and they will automatically have admin rights on the windows client.
 
Old 10-19-2010, 07:39 AM   #5
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
Windows (and therefore Samba) has the concept of local accounts and domain accounts.

Local accounts are created on each Windows machine and must be managed from each machine.

Domain accounts are created on a domain controller and must be managed from a domain controller.

When a workstation joins a domain, the domain administrator's account is automatically added to the local administrator's group. To give your user administrative privileges on his workstation, you will need to manually add his domain account to the local administrator's group. This is done from his workstation.

Right mouse click on my computer -> manage -> local users and groups -> groups.

Choose the administrators group and add the domain account to it.

I have read of ways to automate this process using scripts but I have never tried any.

Giving users administrative control over their machines does carry significant security risks.

Last edited by jamrock; 10-19-2010 at 07:49 AM.
 
Old 10-20-2010, 11:21 AM   #6
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
Quote:
When a workstation joins a domain, the domain administrator's account is automatically added to the local administrator's group.
I fixed it with your help!, but....

So I noticed something based on your suggestion, jamrock. I went into local users/groups > clicked on groups > administrators > and root is not listed as an administrator. root being the account that I used when joining the pc to the domain. I do have a local admin user that was created as a local user before I joined it to the domain. When I login as this user (to the local machine, not to the domain) and go to the local users groups > groups > administrators, I click add > Select this object's type is set to Users or Groups > from this location is set to NMM.local (my domain name) > I click the advanced button > I click find now and a small box pops up asking "Enter a name and password of an account with permissions for NMM.local". I put in root and password of root, making sure it is in this format:

nmm.local\root
password

I am then able to add root and the group employees as local admins and it works. Thanks for the pointer. I will mark this posting as solved in a bit. First I want to make sure it all worked correctly.

Rich
 
Old 10-20-2010, 07:50 PM   #7
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
In Samba, the domain root account is mapped to the domain administrator's account.

Add a new machine to the domain. Can you log in as the domain root account and do administrative things such as install software? If you can, you already have local administrative rights on the machine.

It should not be necessary to add root to the local administrator's account. You should see the domain administrator there already.

Quote:
I am then able to add root and the group employees as local admins and it works.
This will give all members of the employee group administrative access to the machine. Do you want all your employees to have administrative rights on this machine? Do you want just the person who uses the machine to have administrative rights?

Be careful how you allow everyone administrative access to all the workstations. This is not a good idea.
 
Old 10-21-2010, 12:32 AM   #8
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
I know root should be mapped as a domain admin. I think it was /etc/samba/smbusers that shows this relationship. However, when I join a computer to the domain using the root account, and reboot, I look under local users and groups > admins, root is not listed. I have to manually add him via the local admin account I created before joining to the domain. Is there any reason you can think why this is the case?

My organization is such that the computers are re-imaged on boot using a PXE server. Having users as local admins is not an issue, but great advice to pass on anyway.

Rich
 
Old 10-21-2010, 06:45 AM   #9
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
Quote:
Originally Posted by unassassinable View Post
I know root should be mapped as a domain admin. I think it was /etc/samba/smbusers that shows this relationship. However, when I join a computer to the domain using the root account, and reboot, I look under local users and groups > admins, root is not listed.
This is normal behavior. Note that root = administrator. If you see the domain administrator, then root is there.


Quote:
Originally Posted by unassassinable View Post
I have to manually add him via the local admin account I created before joining to the domain.
I have never done this and my domain root account has full administrative privileges over all the workstations.

You can test this easily.

Quote:
Add a new machine to the domain. Can you log in as the domain root account and do administrative things such as install software? If you can, you already have local administrative rights on the machine.

Last edited by jamrock; 10-21-2010 at 06:46 AM.
 
Old 10-21-2010, 03:58 PM   #10
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
I'm sorry, I don't think I'm being very specific. Hopefully this illustrates the issue better than my lackey descriptions. This computer was just re-imaged, and attached to the domain again this morning. I restarted after joining the domain. If you look at the attached image (screen.png), you can see the following:

1) I am logged in as user root (looking at the user name at top of start menu, this is the samba root user account...not a local account)
2) The computer has just been attached to the NMM.local domain (as seen in system properties)
3) there are no domain administrators or root listed in the Local Admins dialog box.
4) I cannot change the system time (the error in the middle that says not enough permissions)

Did I miss something as to why my domain account: root is not auto added as a domain admin? Here is the contents of my /etc/samba/smbusers file:

# This file allows you to map usernames from the clients to the server.
# Unix_name = SMB_name1 SMB_name2 ...
#
# See section 'username map' in the manual page of smb.conf for more
# information.
#
# This file is _not_ included in the default configuration as it makes the
# usage of an user named administrator impossible.

root = administrator
;nobody = guest pcguest smbguest
Attached Images
File Type: png screen.PNG (106.5 KB, 7 views)
 
Old 10-21-2010, 10:06 PM   #11
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
I see what you mean. This is unusual.

How did you create your Samba users in LDAP?

Last edited by jamrock; 10-21-2010 at 10:07 PM.
 
Old 10-21-2010, 11:52 PM   #12
unassassinable
Member
 
Registered: Sep 2010
Posts: 46

Original Poster
Rep: Reputation: 7
I use the package ldapsmb. Though, I originally created the samba root user by doing

smbpasswd -a root

adding a user, I use this syntax:

ldapsmb -a -u userName --passwd 'passwordHere' --makehomedir -s (the -s promotes it to a samba account. I leave it off for my 'Linux Only' users). I can achieve the same results in Yast by going to users-groups > LDAP users > creating the user and making sure it uses the Samba pam module in advanced settings.

Rich
 
Old 10-22-2010, 09:10 AM   #13
jamrock
Member
 
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444

Rep: Reputation: 41
I set up Samba domain controllers differently so I can be of little help with this.

I use the steps listed in Chapter 5 of Samba By Example
http://www.samba.org/samba/docs/man/...ide/happy.html

That approach uses the smbldap-tools to create the users in OpenLDAP.

Here are some thoughts to bear in mind.

Each Windows user and group has a SID or security identifier. This SID consists of the domain's SID and some additional characters.

Windows has some pre-defined groups such as domain users, domain administrators and domain computers. These are know as the "well known security identifiers". The smbldap-tools create all of these for you in OpenLDAP.

This Microsoft document lists the well known security identifiers.

http://support.microsoft.com/kb/243330

I don't know if these exist in your user database. Note that your screen shot shows the security identifier for the domain admins group instead of the name of the group.

Quote:
SID: S-1-5-21domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
You may want to try setting up Samba the way that Samba by Example does. Use a test server until you get everything working properly.
 
  


Reply

Tags
samba


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Strange problem with local permissions on WinXP using a Samba PDC with LDAP backend qtac Linux - Networking 2 09-08-2009 11:33 PM
Samba pdc- use ONLY local profiles? bluesky2005 Linux - Server 0 04-11-2009 10:22 PM
samba pdc trust with windows 2003 server pdc samba_pk Linux - Networking 1 06-08-2007 01:22 AM
How to keep local profiles in Samba PDC domain DimaA Linux - Networking 2 01-10-2007 09:46 AM
Samba PDC: i can't create shares on win box dbos Linux - Software 6 08-15-2002 11:01 PM


All times are GMT -5. The time now is 09:20 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration