Samba Domain and Standard Users -- Solved

Craig White craig at tobyhouse.com
Wed Jan 10 15:37:31 MST 2007


On Wed, 2007-01-10 at 11:26 -0700, Nathan Aubrey wrote:
> On Wednesday 10 January 2007 08:52, Nathan Aubrey wrote:
> > I have a domain setup using samba and ldap. Everything works great, except
> > for some permissions for users. When a non-admin user logs in he is not
> > allowed to set a default mail or web browser, or any default app, and
> > cannot even create shortcuts on the desktop from the start menu.
> > Obviously I have missed something somewhere, but I cannot figure out what.
> > Do I need to give each user local power user privileges? This totally
> > defeats the purpose of using any kind of domain control!
> >
> > Any comments?
> >
> > nathan
> 
> Power Users is a local group, and cannot be done over a domain controller.
> I found an article that explains what you must do, and it is as I feared! You 
> have to add every user to the group. What this article suggests is adding the 
> domain users group to the local power users group, that way anyone who is 
> part of the domain users would be given power users.
> There are some people I can think of that I don't want power users, so his 
> machine will not get this wonderful change, but it must be made to each user's 
> pc.
> 
> http://lists.samba.org/archive/samba/2003-July/071048.html
> 
> If you know a better solution, please let me know.
----
If you have properly configured samba and LDAP and have a system where
the Windows NT/2K/XP system is joined to the samba/LDAP domain, then
each 'user' should probably have a sambaPrimaryGroupSID =
XXXXXXX-XXXXXX-XXXXX-513 as the 513 is the RID for the commonly known
'Domain Users' group and the XXXXXX-XXXXX, etc would necessarily have to
match the Samba SID identified on your samba server and as the
SambaDomain in LDAP.

If you actually want us to help you here...what is the output of
(command line as root on your Linux system)

net getlocalsid
net groupmap list
ldapsearch -x -h localhost \
-D 'your rootbinddn_or_sufficiently_privileged_account' \
-W '(ou=sambadomain)'

and one of the typical users experiencing a problem...

pdbedit -Lv USER_WITH_PROBLEM

though you can always add any domain user/group to any 'local' account
on any computer attached to the domain...as you have experienced, it's
rather manual and inefficient.

samba has excellent documentation at http://www.samba.org/samba/docs/
and I would heavily recommend reading through some of the examples in
'Samba by Example'


Craig
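
The comparison the message above asks for, as an added example that is not part of the original post: it checks that the 'Domain Users' group mapping and a user's Primary Group SID both equal the server's domain SID followed by -513. The function names and the sample output are constructed here, and the output layout of the three commands is an assumption.

```sh
#!/bin/sh
# Added example. The samples below are constructed; their layout is an
# assumption about what the commands named in the message print.
SAMPLE_LOCALSID='SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers'
SAMPLE_PDBEDIT='Unix username:        jdoe
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3002
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513'
# Constructed failure case: the account carries the SID of a different domain.
SAMPLE_STALE='Unix username:        olduser
User SID:             S-1-5-21-9999999999-8888888888-7777777777-3004
Primary Group SID:    S-1-5-21-9999999999-8888888888-7777777777-513'

# Domain SID from `net getlocalsid` output.
domain_sid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)$/\1/p' | head -n 1
}
# SID mapped to NT group $2 in `net groupmap list` output.
mapped_group_sid() {
    printf '%s\n' "$1" | sed -n "s/^$2 (\(S-[0-9-]*\)) -> .*\$/\1/p" | head -n 1
}
# Primary Group SID from `pdbedit -Lv USER` output.
primary_group_sid() {
    printf '%s\n' "$1" | sed -n 's/^Primary Group SID:[[:space:]]*\(S-[0-9-]*\)[[:space:]]*$/\1/p' | head -n 1
}
# Returns 0 only if the group mapping and the user both point at <domain SID>-513.
check_user() {
    dom=$(domain_sid "$1")
    [ -n "$dom" ] || { echo "cannot parse domain SID"; return 2; }
    want="$dom-513"
    map=$(mapped_group_sid "$2" 'Domain Users')
    pgs=$(primary_group_sid "$3")
    [ "$map" = "$want" ] || { echo "groupmap: Domain Users is '$map', expected $want"; return 1; }
    [ "$pgs" = "$want" ] || { echo "user: Primary Group SID is '$pgs', expected $want"; return 1; }
    echo "ok: primary group is $want"
}

check_user "$SAMPLE_LOCALSID" "$SAMPLE_GROUPMAP" "$SAMPLE_PDBEDIT"
check_user "$SAMPLE_LOCALSID" "$SAMPLE_GROUPMAP" "$SAMPLE_STALE" || true
# On a live server (as root):
# check_user "$(net getlocalsid)" "$(net groupmap list)" "$(pdbedit -Lv USER_WITH_PROBLEM)"
```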


