Samba 3, Windows 7 and Domain Admins

*sigh*

For several weeks now I’ve been trying (and failing) to acquire Domain Admin status on our Samba domain.

With Windows 2000 and XP, administrative access was easy.  A local admin account called “administrator”, and a local policy stating who’s an administrator – all peachy.

You can tell I’m not a Windows administrator by job!  Obviously domain admins is a far cleaner way to go.

So I dip my toe into Windows 7 on a Samba 3 domain.

It works well.  Too well.  There’s a small issue with the workstations claiming “there’s no logon servers available to handle the request” for 60+ seconds from a cold-start, but I think that’s solvable (I suspect WINS, NetBIOS or DNS is failing to warm up in a timely manner).  The domain admins however eluded me.

“So it’s OK” I think to myself.  “Login as the local administrator – set some local policies up.  …  Oh wait, Windows 7 disabled those because I joined the domain and didn’t first give them passwords.  Sheesh!  Joining the domain admin group it is then.”

Well I searched the Internet and ripped my hair out.  Week after week the issue prevailed.  Windows 7 wouldn’t obey the “Domain Admin”.  “Elevated access required.”

Finally I trip across this: http://fixunix.com/smb/64004-domain-admin-group-samba-3-a.html

The second guy motions that “Domain Admins” must be group ID 512 (in the Windows mapping) – and blam.

One Samba restart later … all works.

Check the documentation out at http://www.samba.org/samba/docs/man/manpages-3/net.8.html … specifically you’re looking for something like this:

net groupmap add rid=512 unixgroup=MYUNIXGROUPHERE type=domain
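
A quick way to confirm the mapping took, as an added example that is not part of the original post: it reads `net groupmap list` output and reports which Unix group holds RID 512. The function names and sample lines are constructed, and the assumed line format is noted in the first comment.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed `net groupmap list` line format:
#   NT Group Name (S-1-5-21-a-b-c-RID) -> unixgroup

# rid_mapping RID: read groupmap lines on stdin, print "ntgroup|unixgroup"
# for entries whose domain SID ends in exactly -RID. Exit status 1 if none.
rid_mapping() {
    sed -n "s/^\(.*\) (S-1-5-21-[0-9]*-[0-9]*-[0-9]*-$1) -> \(.*\)\$/\1|\2/p" | grep .
}

# check_domain_admins: report which Unix group holds RID 512.
check_domain_admins() {
    if m=$(rid_mapping 512); then
        echo "OK: RID 512 ('${m%%|*}') -> Unix group '${m#*|}'"
    else
        echo "MISSING: nothing mapped to RID 512 (net groupmap add rid=512 ...)"
        return 1
    fi
}

# Constructed sample: the group has the right name but RID 1512, not 512.
sample_broken() {
    cat <<'EOF'
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-1512) -> ntadmins
EOF
}

# Constructed sample: the same domain after mapping rid=512 to "ntadmins".
sample_fixed() {
    cat <<'EOF'
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmins
EOF
}

sample_broken | check_domain_admins || true
sample_fixed  | check_domain_admins
# On a live server: net groupmap list | check_domain_admins
```

Members of whichever Unix group this reports are administrators on every workstation joined to the domain, so it is worth reviewing that group's membership after adding the mapping.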
