Domain Administrators rights not enforced by workstations
- Set NethServer as Windows Domain Controller (PDC)
- Join a workstation with the domain
After the machine join, the admin user has no administrative privileges on the workstation.
After joining the domain, the domadmins group members must have administrative privileges on domain workstations.
nethserver-samba-sam-conf: fix unexpected group RIDs. Refs #2733.
domadmins, domusers, domguests are expected to be assigned well-known
RIDs. If a group RID does not match the expectation it is re-mapped.
#1 Updated by Davide Principi almost 6 years ago
After #2492 the domadmins is created with a wrong RID. It must be the well-known RID 512 to work.
If you have installed nethserver-samba 1.4.0, before 2014-02-07 (in other words you had a v6.4-beta2 installation) you may not be affected by this bug. Check if you have the right domadmins RID with the following command:
# net sam show domadmins
XYZ\domadmins is a Domain Group with SID S-1-5-21-[ ... ]-512
Last three numbers must be
Fix the problem
A manual fix can be applied:
# net groupmap delete ntgroup=domadmins
# net groupmap add rid=512 unixgroup=domadmins type=d ntgroup="Domain Admins" comment="Domain Administrators"
#9 Updated by Giacomo Sanchietti over 5 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
- % Done changed from 70 to 90
On existing machine, before update:
[root@localhost ~]# net sam show domadmins
LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-1003
[root@localhost ~]# net sam show domadmins
LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-512
On a new machine:
[root@localhost ~]# net sam show domadmins
LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-1040656367-3771596389-2987552463-512
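
The RID check described in comment #1, written as a script that can be run over `net sam show` output. This is an added example, not code from this issue or from NethServer; the function names are hypothetical, and the values 513 and 514 for domusers and domguests are the standard Windows RIDs, added here because the page itself only states 512.

```shell
#!/bin/sh
# Added example (not NethServer code): check that a group mapping reported by
# `net sam show` ends in the well-known RID expected for that group.

# Expected RID per unix group. 512 is stated on this page; 513 and 514 are the
# standard Windows RIDs for Domain Users and Domain Guests (added here).
expected_rid() {
    case "$1" in
        domadmins) echo 512 ;;
        domusers)  echo 513 ;;
        domguests) echo 514 ;;
        *) return 1 ;;
    esac
}

# Print the RID (last SID component) found in one line of `net sam show`
# output; return 1 when the line carries no complete domain SID.
rid_from_line() {
    sid=$(printf '%s\n' "$1" | grep -Eo 'S-1-5-21(-[0-9]+){4}' | head -n 1)
    [ -n "$sid" ] || return 1
    echo "${sid##*-}"
}

# Return 0 if the RID matches, 1 on mismatch, 2 if nothing could be checked.
check_group() {
    want=$(expected_rid "$1") || { echo "$1: no expected RID known"; return 2; }
    got=$(rid_from_line "$2") || { echo "$1: no domain SID in output"; return 2; }
    if [ "$got" = "$want" ]; then
        echo "$1: OK (RID $got)"
    else
        echo "$1: MISMATCH (RID $got, expected $want)"
        return 1
    fi
}

# Sample lines copied from the verification comment above.
BEFORE='LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-1003'
AFTER='LOCALHOST\domadmins is a Domain Group with SID S-1-5-21-2812897811-3728447170-3509983029-512'

check_group domadmins "$BEFORE" || true   # prints the MISMATCH line
check_group domadmins "$AFTER"  || true   # prints the OK line
# On a live server: check_group domadmins "$(net sam show domadmins)"
```

A return code of 1 from `check_group` is the condition under which the manual `net groupmap` fix from comment #1 applies.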