samba group rights problem (Domain Admins not working)


samba group rights problem (Domain Admins not working)

by Jeroen Vriesman-3


Hi list,

after upgrading our ldap server, the Domain Admins group doesn't work
anymore.

Members of the domain admins group don't have any special rights on the
workstations (for example, they cannot even change the date of a machine in
the domain anymore).

When I look up the group members I get:

root@hermes:/etc/samba# net rpc group members 'Domain Admins'
Password:
HIVOS.NL\root
HIVOS.NL\foctaaf
HIVOS.NL\lhilarides
HIVOS.NL\administrator
HIVOS.NL\executor
HIVOS.NL\fbodijn
HIVOS.NL\psomer
HIVOS.NL\jvriesman

And the rights of the group:
root@hermes:/etc/samba# net rpc rights list 'Domain Admins'
Password:
SeMachineAccountPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

That seems ok, but when I look up the rights of a member of the Domain Admins
group:

root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
Password:
SeAddUsersPrivilege

root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
Password:
<nothing here>

Any idea why members of the Domain Admin group do not get the rights of the
group?

cheers,
Jeroen.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: samba group rights problem (Domain Admins not working)

by kissg


Check the GID of your Domain Admins group. It should end with "512" and
should be mapped to a UNIX group which has a GID of the same value. If it's
anything else, that can be a reason why your admin users actually don't have
administrator rights on the client machines.

Run the following command to see what your group mappings look like:

net groupmap list

You should see the number 512 at the end of the Domain Admins SID.

After you have verified that your Domain Admins group has the appropriate
SID, check the UID and GID of an administrative user, for example:

id administrator

You should see "gid=512" in the output of the command.

Regards
Gergely Kiss

2008/7/22 Jeroen Vriesman <linuxificator@...>:

> Hi list,
>
> after upgrading our ldap server, the Domain Admins group doesn't work
> anymore.
>
> Members of the domain admins group don't have any special rights on the
> workstations (for example, they cannot even change the date of a machine in
> the
> domain anymore).
>
> When I lookup the group members I get:
>
> root@hermes:/etc/samba# net rpc group members 'Domain Admins'
> Password:
> HIVOS.NL\root
> HIVOS.NL\foctaaf
> HIVOS.NL\lhilarides
> HIVOS.NL\administrator
> HIVOS.NL\executor
> HIVOS.NL\fbodijn
> HIVOS.NL\psomer
> HIVOS.NL\jvriesman
>
> And the rights of the group:
> root@hermes:/etc/samba# net rpc rights list 'Domain Admins'
> Password:
> SeMachineAccountPrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
> That seems ok, but when I lookup the rights of a member of the Domain
> Admins
> group:
>
> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
> Password:
> SeAddUsersPrivilege
>
> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
> Password:
> <nothing here>
>
> Any idea why members of the Domain Admin group do not get the rights of the
> group?
>
> cheers,
> Jeroen.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
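The two checks Gergely describes (the Domain Admins mapping must carry RID 512, and the administrative user must be a member of the UNIX group with GID 512) can be scripted so they are run the same way on every PDC. The script below is an added example, not code from the thread or from Samba; it works on the text of `net groupmap list` and `id <user>` output so it can be exercised offline against the constructed samples embedded here (the SID values and the `administrator` account are made up). On a live PDC you would pass it `"$(net groupmap list)"` and `"$(id administrator)"` instead.

```shell
#!/bin/sh
# Added example: verify the Domain Admins group mapping and a user's group
# membership from `net groupmap list` and `id` output. Not part of the
# thread or of Samba; sample input below is constructed.

# Constructed `net groupmap list` output; SIDs are made up.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nobody'

# Constructed misconfiguration: Domain Admins mapped with an arbitrary RID.
SAMPLE_GROUPMAP_BAD='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-1005) -> Domain Admins'

# Constructed `id administrator` output (hypothetical account).
SAMPLE_ID='uid=1000(administrator) gid=512(Domain Admins) groups=512(Domain Admins),513(Domain Users)'

# domain_admins_rid GROUPMAP_TEXT: print the RID (last SID component) of the
# "Domain Admins" mapping, or nothing if the group is not mapped at all.
domain_admins_rid() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "Domain Admins ("*") -> "*)
                sid=${line#"Domain Admins ("}
                sid=${sid%%")"*}
                printf '%s\n' "${sid##*-}"
                ;;
        esac
    done
}

# mapped_unix_group GROUPMAP_TEXT: print the UNIX group Domain Admins maps to.
mapped_unix_group() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "Domain Admins ("*") -> "*) printf '%s\n' "${line##*"-> "}" ;;
        esac
    done
}

# user_has_gid ID_TEXT GID: succeed if GID appears in the groups= list of
# `id` output (on Linux that list includes the primary group too).
user_has_gid() {
    glist=${1##*"groups="}
    old_ifs=$IFS
    IFS=','
    for entry in $glist; do
        if [ "${entry%%"("*}" = "$2" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_domain_admins GROUPMAP_TEXT ID_TEXT: report whether both conditions
# from the reply hold; exit status 0 only when they do.
check_domain_admins() {
    rid=$(domain_admins_rid "$1")
    if [ "$rid" != "512" ]; then
        echo "FAIL: Domain Admins is mapped with RID '${rid:-none}', expected 512"
        return 1
    fi
    if ! user_has_gid "$2" 512; then
        echo "FAIL: user is not a member of GID 512 ($(mapped_unix_group "$1"))"
        return 1
    fi
    echo "OK: Domain Admins has RID 512 and the user is a member of GID 512"
    return 0
}

# Stand-alone demo on the constructed samples.
check_domain_admins "$SAMPLE_GROUPMAP" "$SAMPLE_ID"
check_domain_admins "$SAMPLE_GROUPMAP_BAD" "$SAMPLE_ID" || true
```

The script deliberately keys on the RID rather than on the group name: a group that happens to be called "Domain Admins" but carries a different RID is exactly the misconfiguration the reply warns about, and clients decide on the SID, not the name.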

Re: samba group rights problem (Domain Admins not working)

by kissg


Could you please post your config files (/etc/samba/smb.conf,
/etc/ldap.conf, /etc/ldap/slapd.conf, /etc/smbldap-tools/smbldap.conf,
smbldap_bind.conf)?
Try to set "loglevel 256" in slapd.conf and "log level = 10" in smb.conf,
and check messages in syslog while logging in as an administrative user.
There should be at least one error message in the log, which will tell you
what causes this strange problem.

2008/7/23 Jeroen Vriesman <linuxificator@...>:

> Thanks for the reply,
>
> I did check that, I should have posted that in the original mail.
>
> The group ends with -512, and, has gid 512, my 'administrator' account is
> called root, but this is about the members of the 'Domain Admins" group, the
> group maps to 'Domain Admins' (I use pam/nssldap config, where 'getent
> group' shows all the ldap groups as local groups, so the map is ok by
> default).
>
> Before the ldap upgrade it worked, and the ldap data is exactly the same.
>
> So I'm a bit lost, I do have the schema with sambaSID SUB and a sub index
> on sambaSID, the schema's are also the same as in the old situation.
>
> cheers,
> Jeroen.
>
>
>
> On Tue, Jul 22, 2008 at 8:02 PM, kissg <mail.gery@...> wrote:
>
>> Check the GID of your Domain Admins group. It should end with "512" and
>> should be mapped to a UNIX group which have a GID of the same value. If it's
>> anything else, that can be a reason why your admin users actually don't have
>> administrator rights on the client machines.
>>
>> Run the following command to see how your group mappings look like:
>>
>> net groupmap list
>>
>> You should see the number 512 at the end of the Domain Admins SID.
>>
>> After you have verified, that your Domain Admins group has the appropriate
>> SID, check the UID and GID of an administrative user, for example:
>>
>> id administrator
>>
>> You should see "gid=512" in the output of the command.
>>
>> Regards
>> Gergely Kiss
>>
>> 2008/7/22 Jeroen Vriesman <linuxificator@...>:
>>
>>> Hi list,
>>>
>>> after upgrading our ldap server, the Domain Admins group doesn't work
>>> anymore.
>>>
>>> Members of the domain admins group don't have any special rights on the
>>> workstations (for example, they cannot even change the date of a machine
>>> in
>>> the
>>> domain anymore).
>>>
>>> When I lookup the group members I get:
>>>
>>> root@hermes:/etc/samba# net rpc group members 'Domain Admins'
>>> Password:
>>> HIVOS.NL\root
>>> HIVOS.NL\foctaaf
>>> HIVOS.NL\lhilarides
>>> HIVOS.NL\administrator
>>> HIVOS.NL\executor
>>> HIVOS.NL\fbodijn
>>> HIVOS.NL\psomer
>>> HIVOS.NL\jvriesman
>>>
>>> And the rights of the group:
>>> root@hermes:/etc/samba# net rpc rights list 'Domain Admins'
>>> Password:
>>> SeMachineAccountPrivilege
>>> SeRemoteShutdownPrivilege
>>> SePrintOperatorPrivilege
>>> SeAddUsersPrivilege
>>> SeDiskOperatorPrivilege
>>>
>>> That seems ok, but when I lookup the rights of a member of the Domain
>>> Admins
>>> group:
>>>
>>> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
>>> Password:
>>> SeAddUsersPrivilege
>>>
>>> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
>>> Password:
>>> <nothing here>
>>>
>>> Any idea why members of the Domain Admin group do not get the rights of
>>> the
>>> group?
>>>
>>> cheers,
>>> Jeroen.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>>
>>
>>
>

Re: samba group rights problem (Domain Admins not working)

by kissg


By the way, it can be a bug in the new version of OpenLDAP, or a permission
problem (Samba is unable to read a required attribute etc.).
Check the OpenLDAP list, or post a bug report, if you haven't already done
so.

2008/7/23 Jeroen Vriesman <linuxificator@...>:

> Thanks for the reply,
>
> I did check that, I should have posted that in the original mail.
>
> The group ends with -512, and, has gid 512, my 'administrator' account is
> called root, but this is about the members of the 'Domain Admins" group, the
> group maps to 'Domain Admins' (I use pam/nssldap config, where 'getent
> group' shows all the ldap groups as local groups, so the map is ok by
> default).
>
> Before the ldap upgrade it worked, and the ldap data is exactly the same.
>
> So I'm a bit lost, I do have the schema with sambaSID SUB and a sub index
> on sambaSID, the schema's are also the same as in the old situation.
>
> cheers,
> Jeroen.
>
>
>
> On Tue, Jul 22, 2008 at 8:02 PM, kissg <mail.gery@...> wrote:
>
>> Check the GID of your Domain Admins group. It should end with "512" and
>> should be mapped to a UNIX group which have a GID of the same value. If it's
>> anything else, that can be a reason why your admin users actually don't have
>> administrator rights on the client machines.
>>
>> Run the following command to see how your group mappings look like:
>>
>> net groupmap list
>>
>> You should see the number 512 at the end of the Domain Admins SID.
>>
>> After you have verified, that your Domain Admins group has the appropriate
>> SID, check the UID and GID of an administrative user, for example:
>>
>> id administrator
>>
>> You should see "gid=512" in the output of the command.
>>
>> Regards
>> Gergely Kiss
>>
>> 2008/7/22 Jeroen Vriesman <linuxificator@...>:
>>
>>> Hi list,
>>>
>>> after upgrading our ldap server, the Domain Admins group doesn't work
>>> anymore.
>>>
>>> Members of the domain admins group don't have any special rights on the
>>> workstations (for example, they cannot even change the date of a machine
>>> in
>>> the
>>> domain anymore).
>>>
>>> When I lookup the group members I get:
>>>
>>> root@hermes:/etc/samba# net rpc group members 'Domain Admins'
>>> Password:
>>> HIVOS.NL\root
>>> HIVOS.NL\foctaaf
>>> HIVOS.NL\lhilarides
>>> HIVOS.NL\administrator
>>> HIVOS.NL\executor
>>> HIVOS.NL\fbodijn
>>> HIVOS.NL\psomer
>>> HIVOS.NL\jvriesman
>>>
>>> And the rights of the group:
>>> root@hermes:/etc/samba# net rpc rights list 'Domain Admins'
>>> Password:
>>> SeMachineAccountPrivilege
>>> SeRemoteShutdownPrivilege
>>> SePrintOperatorPrivilege
>>> SeAddUsersPrivilege
>>> SeDiskOperatorPrivilege
>>>
>>> That seems ok, but when I lookup the rights of a member of the Domain
>>> Admins
>>> group:
>>>
>>> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
>>> Password:
>>> SeAddUsersPrivilege
>>>
>>> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
>>> Password:
>>> <nothing here>
>>>
>>> Any idea why members of the Domain Admin group do not get the rights of
>>> the
>>> group?
>>>
>>> cheers,
>>> Jeroen.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>>
>>
>>
>

Re: samba group rights problem (Domain Admins not working)

by Stefan Dengscherz-2


Hello Jeroen,


I just had the same problem you described. The cause of it was that
the LDAP configuration on my new OS (Ubuntu 8.04) included an option
to ignore the root user from LDAP:

nss_initgroups_ignoreusers
backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,mysql,news,openldap,proxy,sshd,statd,sync,sys,syslog,uucp,www-data

in /etc/ldap.conf. I can't remember if it was the stock config file or
if I added it following some howto. However, the root user on the
server side was not a member of the 'Domain Admins' group because the
data came from /etc/passwd. I removed root from the ignore list and it
worked.

Just check on your PDC, if the root user is really a member of the
'Domain Admins' group with 'id root' - if not - there's your problem.


Kind regards,

-sd

2008/7/18 Jeroen Vriesman <linuxificator@...>:

> Hi list,
>
> after upgrading our ldap server, the Domain Admins group doesn't work
> anymore.
>
> Members of the domain admins group don't have any special rights on the
> workstations (for example, they cannot even change the date of a machine in
> the
> domain anymore).
>
> When I lookup the group members I get:
>
> root@hermes:/etc/samba# net rpc group members 'Domain Admins'
> Password:
> HIVOS.NL\root
> HIVOS.NL\foctaaf
> HIVOS.NL\lhilarides
> HIVOS.NL\administrator
> HIVOS.NL\executor
> HIVOS.NL\fbodijn
> HIVOS.NL\psomer
> HIVOS.NL\jvriesman
>
> And the rights of the group:
> root@hermes:/etc/samba# net rpc rights list 'Domain Admins'
> Password:
> SeMachineAccountPrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
> That seems ok, but when I lookup the rights of a member of the Domain Admins
> group:
>
> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\jvriesman'
> Password:
> SeAddUsersPrivilege
>
> root@hermes:/etc/samba# net rpc rights list 'HIVOS.NL\psomer'
> Password:
> <nothing here>
>
> Any idea why members of the Domain Admin group do not get the rights of the
> group?
>
> cheers,
> Jeroen.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
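Stefan's cause is worth having a repeatable check for, because the symptom is indirect: when `root` is listed in `nss_initgroups_ignoreusers`, NSS never asks LDAP for root's supplementary groups, so `id root` on the PDC silently lacks the Domain Admins group and Samba, which evaluates group membership through NSS, treats root as a plain user. The script below is an added example, not code from the thread or from the nss_ldap project; it parses the text of an `/etc/ldap.conf`-style file (a constructed fragment is embedded), reports whether `root` is on the ignore list, and prints the corrected directive. On a real server you would pass it `"$(cat /etc/ldap.conf)"`.

```shell
#!/bin/sh
# Added example: detect root in nss_initgroups_ignoreusers and produce the
# corrected directive. Not part of the thread; the config text is constructed.

# Constructed /etc/ldap.conf fragment: root is on the ignore list, which is
# the misconfiguration described in the reply.
SAMPLE_LDAP_CONF='# constructed fragment of /etc/ldap.conf
base dc=example,dc=org
uri ldap://127.0.0.1/
nss_initgroups_ignoreusers backup,bin,daemon,root,sshd,sync,sys,syslog,uucp,www-data'

# ignored_users CONF_TEXT: print the comma-separated value of the
# nss_initgroups_ignoreusers directive (commented-out lines do not match
# because they start with '#').
ignored_users() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            nss_initgroups_ignoreusers*)
                rest=${line#nss_initgroups_ignoreusers}
                printf '%s\n' "$rest" | sed 's/^[[:space:]]*//'
                ;;
        esac
    done
}

# user_is_ignored CONF_TEXT USER: succeed if USER is on the ignore list.
user_is_ignored() {
    list=$(ignored_users "$1")
    case ",$list," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# without_user LIST USER: print LIST with USER removed; this is the value
# the reply ends up with after taking root out of the list.
without_user() {
    out=
    old_ifs=$IFS
    IFS=','
    for u in $1; do
        if [ "$u" != "$2" ]; then
            out="${out:+$out,}$u"
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# check_root_not_ignored CONF_TEXT: report the finding; exit status 0 only
# when root will get its LDAP groups (and therefore Domain Admins) via NSS.
check_root_not_ignored() {
    if user_is_ignored "$1" root; then
        fixed=$(without_user "$(ignored_users "$1")" root)
        echo "FAIL: root is in nss_initgroups_ignoreusers; LDAP groups (including Domain Admins) are not applied to root"
        echo "      suggested directive: nss_initgroups_ignoreusers $fixed"
        return 1
    fi
    echo "OK: root is not excluded from LDAP initgroups lookups"
    return 0
}

# Stand-alone demo on the constructed sample.
check_root_not_ignored "$SAMPLE_LDAP_CONF" || true
```

After correcting the directive, the confirmation is the one Stefan gives: `id root` on the PDC must list the Domain Admins group, otherwise the LDAP lookup is still not reaching NSS for that account.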

Re: samba group rights problem (Domain Admins not working)

by thuan tran-2


Thanks Stefan, this fixed my problem, which was described here
http://article.gmane.org/gmane.network.samba.general/99631 and here
http://article.gmane.org/gmane.network.samba.general/99649 too.

On Thu, Jul 24, 2008 at 1:27 PM, Stefan Dengscherz <stefan.dengscherz@...> wrote:

> Hello Jeroen,
>
>
> I just had the same problem you described. The cause of it was, that
> the LDAP configuration on my new os (Ubuntu 8.04) included an option
> to ignore the root user from LDAP:
>
> nss_initgroups_ignoreusers
>
> backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,mysql,news,openldap,proxy,sshd,statd,sync,sys,syslog,uucp,www-data
>
> in /etc/ldap.conf. I can't remember if it was the stock config file or
> if I added it following some howto. However the root user on the
> server side was not a member of the 'Domain Admins' group because the
> data came from /etc/passwd. I removed root from the ignore list and it
> worked.
>
> Just check on your PDC, if the root user is really a member of the
> 'Domain Admins' group with 'id root' - if not - there's your problem.
>
>
> Kind regards,
>
> -sd
>
>

Re: samba group rights problem (Domain Admins not working)

by Jeroen Vriesman-3


Hi,

my root is a member of the Domain Admins:

root@hermes:/etc/ldap# id root
uid=0(root) gid=0(root) groups=0(root),513(Domain Users),1013(Apps),1016(Application RelaX),1017(Terminal Server Users),1112(Applications),1120(Application Aura),512(Domain Admins)
root@hermes:/etc/ldap# net rpc user info root
Password:
Domain Users
Domain Admins
Apps
Application RelaX
Terminal Server Users
Applications
Application Aura
root@hermes:/etc/ldap# net rpc rights list root
Password:
<no output>


but still doesn't get the rights from the Domain Admins group:


net groupmap list:
.....
Domain Admins (S-1-5-21-2651798370-710026074-3531216960-512) -> Domain Admins
.....

I will try ldap debug later today.

On Thu, Jul 24, 2008 at 11:14 AM, Thuan Tran <thuanbkit@...> wrote:

> Thanks Stefan, this fix my problem which was described here
> http://article.gmane.org/gmane.network.samba.general/99631 and here
> http://article.gmane.org/gmane.network.samba.general/99649 too.
>
> On Thu, Jul 24, 2008 at 1:27 PM, Stefan Dengscherz <
> stefan.dengscherz@...> wrote:
>
> > Hello Jeroen,
> >
> >
> > I just had the same problem you described. The cause of it was, that
> > the LDAP configuration on my new os (Ubuntu 8.04) included an option
> > to ignore the root user from LDAP:
> >
> > nss_initgroups_ignoreusers
> >
> >
> backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,mysql,news,openldap,proxy,sshd,statd,sync,sys,syslog,uucp,www-data
> >
> > in /etc/ldap.conf. I can't remember if it was the stock config file or
> > if I added it following some howto. However the root user on the
> > server side was not a member of the 'Domain Admins' group because the
> > data came from /etc/passwd. I removed root from the ignore list and it
> > worked.
> >
> > Just check on your PDC, if the root user is really a member of the
> > 'Domain Admins' group with 'id root' - if not - there's your problem.
> >
> >
> > Kind regards,
> >
> > -sd
> >
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>