[Samba] No Admin-Rights in SMB-PDC-Domain

 
Daniel Spannbauer




(Msg. 1) Posted: Mon Sep 21, 2009 3:20 am
Post subject: [Samba] No Admin-Rights in SMB-PDC-Domain
Archived from groups: linux>samba (more info?)

Hello,

I've built a domain with Samba 3.0.23 and successfully joined this domain
with a Windows-XP-Machine. I can log in to that machine as User "Root",
which is in the Group "Domain Admins" (rid=512). But I have no
admin-rights on that machine.
Also, normal Users can not log in over the Remotesession (RDP).

Can anybody help me to figure out why?

Here is my smb.conf:



[global]
server string = b-login
workgroup = marco
; speed optimizations
socket options = TCP_NODELAY
share modes = no
debug level = 10
debug uid = yes
getwd cache = yes
; read size = 65536
preserve case = yes
log level = 10

printer admin = ds
domain logons = yes
domain master = yes
local master = Yes
preferred master = Yes
ldap admin dn = cn=Administrator,dc=marco,dc=de
ldap delete dn = No
ldap group suffix = ou=group
ldap ssl = off
ldap suffix = dc=marco,dc=de
ldap user suffix = ou=people
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=idmap
; ldap passwd sync = yes
logon path = \\%L\%U\.ntprofile
logon home = \\%L\%U\.ntprofile
logon drive = H:
passdb backend = ldapsam:"ldap://10.3.1.3"
security = user
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
printing = cups
printcap name = cups
printcap cache time = 750
cups options =
smb ports = 139
local master = no
kernel oplocks = No

; ----- same as "umask 2"
create mask = 0775
; ----- disconnect after N minutes inactive
dead time = 300
; ----- check whether clients are alive [seconds]
keep alive = 300
; ----- may delete readonly files
delete readonly = yes
; ----- logfiles grow up to N kByte
; max log size = 100
; ----- don't map archive bit to execute bit
map archive = no
; ----- "umask 2" setting for files and directories
create mask = 0775
directory mask = 0775
; ----- WINS support
; note: on SuSE 8 samba is patched so that
; if (wins server == localhost)
; wins support = yes
; preferred master = yes
; os level >= 32
;

wins server = gate

name resolve order = wins host bcast

security = user

netbios aliases = homedirs


Regards

Daniel

--
Daniel Spannbauer Software Entwicklung
marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220
http://www.marco.de/ Email ds RemoveThis @marco.de
Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Daniel Spannbauer




(Msg. 2) Posted: Wed Sep 23, 2009 7:20 am
Post subject: Re: [Samba] No Admin-Rights in SMB-PDC-Domain


Hmmm, when I log in on the Workstation as Administrator (which is mapped
to User root) then I get a Groupsid which ends in 513, so I get as
Administrator the Rights of the normal Domain User. But in LDAP the
PrimaryGroupSid for root is set to 512 (DomainAdmins).
In the Group-Entry for the Group of the DomainAdmins root is also in
MemberUID.

Can anybody tell me why the PrimaryGroupSid isn't used by samba?


Regards

Daniel






Daniel Spannbauer




(Msg. 3) Posted: Wed Sep 23, 2009 7:20 am
Post subject: Re: [Samba] No Admin-Rights in SMB-PDC-Domain

Volker Lendecke wrote:
> On Wed, Sep 23, 2009 at 12:33:24PM +0200, Daniel Spannbauer wrote:
>> Hmmm, when I log in on the Workstation as Administrator (which is mapped
>> to User root) then I get a Groupsid which ends in 513, so I get as
>> Administrator the Rights of the normal Domain User. But in LDAP the
>> PrimaryGroupSid for root is set to 512 (DomainAdmins).
>> In the Group-Entry for the Group of the DomainAdmins root is also in
>> MemberUID.
>>
>> Can anybody tell me why the PrimaryGroupSid isn't used by samba?
>
> Samba uses the gidNumber of the account and maps it via the
> group mapping entries to a SID. We only have the
> primaryGroupSid still in our schema because removing it
> would have made upgrades almost impossible.
>

Hello Volker,

that means if the user Root has an Entry "primaryGroupSID" with the sid
512 then the User should have Admin-Rights because he's in the
Domain-Admin-Group?

Regards

Daniel



> Volker

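The lookup Volker describes (account gidNumber, then group mapping entry, then SID), as an added example that is not part of the original thread and not Samba's own code: it resolves each account's primary group SID from constructed LDIF and flags accounts whose stored sambaPrimaryGroupSID disagrees. The domain SID, gidNumbers and directory entries are constructed for illustration; only the LDAP suffixes come from the posted smb.conf. A gidNumber without a mapping yields None, since the thread does not say what Samba does in that case.

```python
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Constructed entries: stored primary group SID says 512, gidNumber says "users".
LDIF = """\
dn: uid=root,ou=people,dc=marco,dc=de
objectClass: sambaSamAccount
uid: root
gidNumber: 100
sambaPrimaryGroupSID: {d}-512

dn: cn=users,ou=group,dc=marco,dc=de
objectClass: sambaGroupMapping
gidNumber: 100
sambaSID: {d}-513

dn: cn=domadmins,ou=group,dc=marco,dc=de
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: {d}-512
memberUid: root
""".format(d=DOMAIN_SID)

def parse_ldif(text):
    """Parse simple, unwrapped LDIF into a list of {attr_lower: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit_primary_groups(entries):
    """Derive each account's primary group SID from gidNumber, as described."""
    gid_to_sid = {e["gidnumber"][0]: e["sambasid"][0] for e in entries
                  if "sambaGroupMapping" in e.get("objectclass", [])}
    report = []
    for e in entries:
        if "sambaSamAccount" in e.get("objectclass", []):
            effective = gid_to_sid.get(e["gidnumber"][0])  # None: gid unmapped
            stored = e.get("sambaprimarygroupsid", [None])[0]
            report.append({"uid": e["uid"][0], "effective": effective,
                           "stored": stored, "mismatch": effective != stored})
    return report

if __name__ == "__main__":
    for row in audit_primary_groups(parse_ldif(LDIF)):
        print(row)
```

On a live server, `net groupmap list` prints the group mappings this sketch models.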