*sigh*
For several weeks now I’ve been trying (and failing) to acquire Domain Admin status on our Samba domain.
With Windows 2000 and XP, administrative access was easy. A local admin account called “administrator”, and a local policy stating who’s an administrator – all peachy.
You can tell I’m not a Windows administrator by job! Obviously domain admins is a far cleaner way to go.
So I dip my toe into Windows 7 on a Samba 3 domain.
It works well. Too well. There’s a small issue with the workstations claiming “there’s no logon servers available to handle the request” for 60+ seconds from a cold-start, but I think that’s solvable (I suspect WINS, NetBIOS or DNS is failing to warm up in a timely manner). The domain admins however eluded me.
“So it’s OK,” I think to myself. “Log in as the local administrator – set some local policies up. … Oh wait, Windows 7 disabled those because I joined the domain and didn’t first give them passwords. Sheesh! Joining the domain admin group it is then.”
Well I searched the Internet and ripped my hair out. Week after week the issue prevailed. Windows 7 wouldn’t obey the “Domain Admin”. “Elevated access required.”
Finally I trip across this: http://fixunix.com/smb/64004-domain-admin-group-samba-3-a.html
The second guy motions that “Domain Admins” must be group ID 512 (in the Windows mapping) – and blam.
One Samba restart later … all works.
Check the documentation out at http://www.samba.org/samba/docs/man/manpages-3/net.8.html … specifically you’re looking for something like this:
net groupmap add rid=512 unixgroup=MYUNIXGROUPHERE type=domain
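
A quick way to confirm the mapping after running that command, as an added example rather than anything from the original post or the Samba project: the function below reads `net groupmap list` output and checks that “Domain Admins” carries RID 512. The sample lines, the SID digits and the `domadmins` group name are constructed, and the line format is assumed to be `NT name (SID) -> unixgroup`.

```shell
#!/bin/sh
# Added example: verify that "Domain Admins" is mapped with RID 512.
# Reads `net groupmap list` output on stdin. Assumed line format:
#   NT Group Name (S-1-5-21-a-b-c-RID) -> unixgroup
# Exit status: 0 = RID is 512, 1 = mapped with another RID, 2 = no mapping.
check_domain_admins_rid() {
    awk '
        /^Domain Admins \(S-1-5-21-[0-9-]+\) -> / {
            found = 1
            sid = $0
            sub(/^[^(]*\(/, "", sid)        # drop everything up to "("
            sub(/\).*$/, "", sid)           # drop ")" and the rest
            n = split(sid, part, "-")
            rid = part[n]                   # last sub-authority is the RID
            unixgroup = $0
            sub(/^.*\) -> /, "", unixgroup)
            printf "Domain Admins: RID %s, Unix group %s\n", rid, unixgroup
            status = (rid == "512") ? 0 : 1
        }
        END {
            if (!found) { print "Domain Admins: no mapping found"; exit 2 }
            exit status
        }
    '
}

# Constructed sample output (not captured from a real server).
SAMPLE_GOOD='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users'

# Constructed: the group exists but was mapped with some other RID.
SAMPLE_BAD='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-3005) -> domadmins'

printf '%s\n' "$SAMPLE_GOOD" | check_domain_admins_rid
printf '%s\n' "$SAMPLE_BAD" | check_domain_admins_rid ||
    echo "-> remap with: net groupmap add rid=512 unixgroup=MYUNIXGROUPHERE type=domain"

# On the Samba server itself (as root):
#   net groupmap list | check_domain_admins_rid
```
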