Samba 3, Windows 7 and Domain Admins
For several weeks I’ve been trying (and failing) to acquire Domain Admin status on our Samba domain.
With Windows 2000 and XP, administrative access was easy. A local admin account called “administrator”, and a local policy stating who’s an administrator – all peachy.
You can tell I’m not a Windows administrator by job! Obviously domain admins is a far cleaner way to go.
So I dip my toe into Windows 7 on a Samba 3 domain.
It works well. Too well. There’s a small issue with the workstations claiming “there’s no logon servers available to handle the request” for 60+ seconds from a cold-start, but I think that’s solvable (I suspect WINS, NetBIOS or DNS is failing to warm up in a timely manner). The domain admins, however, eluded me.
“So it’s OK” I think to myself. “Login as the local administrator – set some local policies up. … Oh wait, Windows 7 disabled those because I joined the domain and didn’t first give them passwords. Sheesh! Joining the domain admin group it is then.”
Well I searched the Internet and ripped my hair out. Week after week the issue prevailed. Windows 7 wouldn’t obey the “Domain Admin”. “Elevated access required.”
Finally I trip across this: http://fixunix.com/smb/64004-domain-admin-group-samba-3-a.html
The second guy mentions that “Domain Admins” must be group ID 512 (the RID in the Windows mapping) – and blam.
One Samba restart later … all works.
Check the documentation out at http://www.samba.org/samba/docs/man/manpages-3/net.8.html … specifically you’re looking for something like this:
net groupmap add rid=512 unixgroup=MYUNIXGROUPHERE type=domain
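A quick way to verify the mapping described above, as an added example that is not part of the original post: it parses `net groupmap list` output (assumed short form, `NT group (SID) -> unixgroup`) and reports whether any group is mapped at RID 512. The sample listings, the domain SID and the `ntadmins` group name are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `net groupmap list` output for the Domain Admins RID.
# Assumed line format (short listing): NT group (SID) -> unixgroup

# Constructed sample output; the domain SID and Unix group names are made up.
SAMPLE_BAD='Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-3001) -> ntadmins'
SAMPLE_GOOD='Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmins'

# Reads groupmap lines on stdin, prints findings, and returns 0 only when
# some group is mapped at RID 512.
check_domain_admins_rid() {
    awk '
    match($0, /\(S-1-[0-9-]+\) -> /) {
        name = substr($0, 1, RSTART - 2)           # text before " (SID)"
        sid  = substr($0, RSTART + 1, RLENGTH - 6) # strip "(" and ") -> "
        unix = substr($0, RSTART + RLENGTH)        # text after " -> "
        n = split(sid, part, "-")
        rid = part[n]                              # last SID component
        if (rid == "512") {
            found = 1
            printf "OK: RID 512 -> %s (%s)\n", unix, name
        } else if (name == "Domain Admins") {
            printf "MISMATCH: Domain Admins has RID %s, expected 512\n", rid
        }
    }
    END {
        if (!found) print "MISSING: no group mapped at RID 512"
        exit (found ? 0 : 1)
    }'
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_BAD"  | check_domain_admins_rid || true
printf '%s\n' "$SAMPLE_GOOD" | check_domain_admins_rid
```

On a real server, run `net groupmap list | check_domain_admins_rid`. Every member of the Unix group it reports holds Domain Admin rights on the joined workstations, so keep that group's membership small.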