LinuxQuestions.org
Old 07-03-2006, 05:35 AM   #1
essdeeay
Various Samba questions...


Currently I have bodged my way through setting up Samba 3.0.22, with the help of the official reference guide. It tells you everything *except* a step-by-step howto.

At the moment, I am able to join windows clients to my domain only if I specify root and root's password (so I know the 'add machine script' works). But I want the account 'administrator' to be able to do this instead.

'administrator' exists as both a Linux account (just a plain old user), and in smbpasswd, with the same password. It is also a member of the Linux group 'ntadmins' which I've mapped to "Domain Admins".

1.
Why do I need this group mapping anyway?

2.
Why does joining a domain fail when using the aforementioned administrator account? The failure message is "The machine account for this computer either does not exist or is inaccessible", which suggests to me the add machine script isn't running (although it does when I use root to join the domain)

3.
Did I really have to use 'net rpc join' on my Samba PDC to make it join its own domain?

Many thanks,
Steve
 
Old 07-08-2006, 11:21 PM   #2
musicman_ace
Not entirely sure this is of any help, but the Windows administrator has a capital 'A' which might cause problems. I know when I was joining Linux machines to a 2003 domain, kinit required Administrator@domain.com, using the lowercase 'a' would always fail. That might be more Kerberos related though.
 
Old 07-09-2006, 10:31 PM   #3
essdeeay
Well, I have managed to answer some of my own questions...

Quote:
Originally Posted by essdeeay
At the moment, I am able to join windows clients to my domain only if I specify root and root's password (so I know the 'add machine script' works). But I want the account 'administrator' to be able to do this instead.
Either of these 2 methods works, but I chose #1.

1)
My Samba 'administrator' user needs to be configured with the well-known RID of the Windows Domain Administrator (which is 500), and preferably with the Primary group RID for the Windows Domain Admins (which is 512). You can do this by extracting the domain SID using net getlocalsid, then using that SID in the pdbedit command to update the 'administrator' account information: pdbedit -U <localsid>-500 -G <localsid>-512 -r -u administrator.

However, on 2 separate platforms, editing the already existing user corrupted the tdbsam database, so to get around this I removed that Samba account, and re-added it again but giving it its RID values as part of the add command. To do that, use the above pdbedit command, substituting -r (update), with -a (add).

2)
Samba 3.0.11 introduced support for the Windows privilege model. This model allows certain rights to be assigned to a user or group SID. In order to enable this feature, enable privileges = yes must be defined in the global section of the smb.conf file.

Using the net rpc rights utility, you can grant any or all of the following Windows specific privileges to (in my case), the Samba 'administrator' account. These are currently the only privileges supported up to Samba 3.0.22, and the particular one for adding machines to a domain is SeMachineAccountPrivilege.

SeMachineAccountPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SePrintOperatorPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege

The syntax to use would be net rpc rights grant administrator SeMachineAccountPrivilege

To use the command, the 'root' user must exist as a Samba account (the password doesn't have to be the same as the Unix password), and you will be prompted to supply this password when the command is executed. If you like, you can remove the 'Samba' root user afterwards.

Quote:
Originally Posted by essdeeay
'administrator' exists as both a Linux account (just a plain old user), and in smbpasswd, with the same password. It is also a member of the Linux group 'ntadmins' which I've mapped to "Domain Admins".

Why do I need this group mapping anyway?
The group mapping is not strictly necessary, but highly recommended and common sense. You will probably want/need to set UNIX permissions on files shared by Samba. If you connect to Samba with an account that is a member of Domain Admins, your file access permissions will be governed by the mapped UNIX group (in my case 'ntadmins').

Quote:
Originally Posted by essdeeay
Why does joining a domain fail when using the aforementioned administrator account?
Because the 'administrator' account didn't have the necessary privileges to execute the 'add machine script' in Samba. Following one of the solutions listed above will sort this problem.

Quote:
Originally Posted by essdeeay
Did I really have to use 'net rpc join' on my Samba PDC to make it join its own domain?
I still don't know that one... any ideas?

I hope my answers may be of help to others out there.

Many thanks,
Steve
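
Method 1 from the post above, as an added shell example that is not part of the original thread: it derives the two SIDs from `net getlocalsid` output, prints the `pdbedit` add command for review before anyone runs it, and checks `pdbedit -L -v` output for RIDs 500 and 512. The function names are hypothetical, and the SID and both sample outputs are constructed.

```shell
#!/bin/sh
# Constructed sample of `net getlocalsid` output (the SID value is made up).
SAMPLE_GETLOCALSID='SID for domain EXAMPLEPDC is: S-1-5-21-1111111111-2222222222-3333333333'

# Constructed, trimmed sample of `pdbedit -L -v -u administrator` output.
SAMPLE_PDBEDIT='Unix username:        administrator
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-500
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-512'

# Extract the domain SID from the text printed by `net getlocalsid`.
# Prints nothing if the line does not look like a domain SID.
extract_sid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\)[[:space:]]*$/\1/p'
}

# Print (do not run) the pdbedit add command with RID 500 and group RID 512.
# $1 = domain SID, $2 = Samba user name
build_pdbedit_cmd() {
    printf 'pdbedit -U %s-500 -G %s-512 -a -u %s\n' "$1" "$1" "$2"
}

# Succeed only if the verbose pdbedit listing shows <sid>-500 and <sid>-512.
# $1 = domain SID, $2 = text printed by `pdbedit -L -v -u <user>`
check_rids() {
    user_sid=$(printf '%s\n' "$2" | sed -n 's/^User SID:[[:space:]]*//p')
    group_sid=$(printf '%s\n' "$2" | sed -n 's/^Primary Group SID:[[:space:]]*//p')
    [ "$user_sid" = "$1-500" ] && [ "$group_sid" = "$1-512" ]
}

# Demonstration on the constructed samples. On a live PDC, replace them with
# "$(net getlocalsid)" and "$(pdbedit -L -v -u administrator)".
sid=$(extract_sid "$SAMPLE_GETLOCALSID")
build_pdbedit_cmd "$sid" administrator
if check_rids "$sid" "$SAMPLE_PDBEDIT"; then
    echo "administrator has RID 500 and primary group RID 512"
else
    echo "administrator does not carry the expected RIDs"
fi
```
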
 
  

