Samba Domain Admins and Group Mapping
Got an odd issue which I think is down to me making a mistake, anyway. Got Samba set up as a PDC and root is mapped to Administrator as normal.

Now, when I add a computer to the domain I normally have to then add the Domain Admins account or the Domain Administrator account itself to the Local Administrators group. That's fine, I'd prefer not to have to do this but it's not such a hardship once it's done.

The problem I have is that the Domain Admins group appears to actually be mapped to my Administrator/Root account. So basically I type Domain Admins into the Add User to Group screen and once I've applied it, I can see on screen it's actually resolved it to the root account.

I may have gotten my group mappings incorrect, here is what I think you may need:

net groupmap list
Domain Users (S-1-5-21-1184068300-3041206941-2639641889-1003) -> staff
Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-1000) -> ntadmins

/etc/group
ntadmins:x:501:root

What am I missing? I've been looking at these pages to get this far:
http://ubuntuforums.org/showthread.php?t=624901
the above link references:
http://support.microsoft.com/kb/243330

The other problem I'm having which I think may be related is this error:
Quote:
[2009/10/16 09:24:14, 0] auth/auth_util.c:create_builtin_users(810)
  create_builtin_users: Failed to create Users
[2009/10/16 09:24:18, 0] auth/auth_util.c:create_builtin_administrators(844)
  create_builtin_administrators: Failed to create Administrators

Everything appears to be working for people logging in and off, roaming profiles etc. These issues make me think it's not quite right. And I did seem to rush the setup a little but now I'm stumped. testparm runs cleanly too. |
Quote:
This is how it looks here:
Code:
sudo net groupmap list |
Isn't part of the RID the Domain ID? I realised I'd directly mapped the Domain Admin to root. I then remapped them to a much shorter ID, which I don't have to hand at the moment. Windows doesn't even find it when searching to add domain groups to local groups.
I'll list the IDs I mapped them to here tomorrow and try and remap them with yours but I think I might be getting it wrong. |
The long part is the domain, the last part identifies an object in the domain (i.e. a group, a user, a machine or whatever)
Code:
'S-1-5-21-2249633572-1156581989-1332253273-512'
Quote:
See also: SID on Wikipedia |
Then these are probably wrong then:
Code:
[root@server ~]# net groupmap list
Added: Got this now, will have to try it next time I'm on a client PC:
Code:
Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-512) -> ntadmins |
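
As an added example (not part of any post in this thread, and not Samba's own tooling): a shell function that reads `net groupmap list` output and flags well-known domain groups whose SID does not end in the well-known RID (512 for Domain Admins, 513 for Domain Users, 514 for Domain Guests), or whose domain part differs from the other entries. The function name `check_groupmap` and the sample input, built from the mappings quoted above, are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit `net groupmap list` output.
# Expected line format (as shown in the thread):
#   Domain Admins (S-1-5-21-A-B-C-512) -> ntadmins

# check_groupmap (hypothetical name): reads mapping lines on stdin,
# prints one finding per line, exits 1 if any mismatch was found.
check_groupmap() {
    awk '
    BEGIN {
        # Well-known domain-relative RIDs.
        want["Domain Admins"] = 512
        want["Domain Users"]  = 513
        want["Domain Guests"] = 514
        bad = 0
    }
    match($0, /\(S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+\)/) {
        name = substr($0, 1, RSTART - 1)          # NT group name
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        sid = substr($0, RSTART + 1, RLENGTH - 2) # SID without parentheses
        n = split(sid, part, "-")
        rid = part[n]                             # last component = RID
        domain = sid
        sub(/-[0-9]+$/, "", domain)               # the long part = domain
        if (name in want) {
            if (rid + 0 != want[name]) {
                printf "MISMATCH %s: RID %s, expected %d (unix group %s)\n", name, rid, want[name], $NF
                bad = 1
            } else
                printf "OK %s: RID %s (unix group %s)\n", name, rid, $NF
        }
        # Every domain group should carry the same domain part.
        if (first != "" && domain != first) {
            printf "MISMATCH %s: domain part %s differs from %s\n", name, domain, first
            bad = 1
        }
        if (first == "") first = domain
    }
    END { exit bad }'
}

# Constructed sample: the first mapping posted in this thread.
check_groupmap <<'EOF' || echo "groupmap needs attention"
Domain Users (S-1-5-21-1184068300-3041206941-2639641889-1003) -> staff
Domain Admins (S-1-5-21-1184068300-3041206941-2639641889-1000) -> ntadmins
EOF
```

On a Samba server the same function can be fed live data with `net groupmap list | check_groupmap`.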