Domain Admins have no administrative rights on Windows Server 2008 using a Samba PDC

2

Members of Domain Admins, using CentOS Directory Server as the back-end, do not have administrator rights on Windows Server 2008. I joined the domain, I can see the users are populated and they can log in using LDAP accounts. But a member of Domain Admins does not have administrator rights.

My smb.conf

[global]

workgroup = DOMAIN
netbios name = COMPUTERNAME
name resolver order = wins lmhosts hosts bcast
time server = yes
interfaces = lo eth0 192.168.2.0/24 
hosts allow = 127. 192.168.0.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
enable privileges = yes
security = user
passdb backend = ldapsam
ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldap delete dn = yes
ldap suffix = dc=DOMAIN, dc=local
ldap user suffix= ou=groups, ou=auto.home
ldap machine suffix= ou=Computers, ou=auto.home
ldap group suffix = ou=groups, ou=auto.home
ldap idmap suffix = ou=idmap, ou=auto.home
idmap backend = ldap:ldap://127.0.0.1/
idmap alloc backend = ldap:ldap://127.0.0.1/
ldap ssl = start tls
encrypt passwords = true
#add machine script = /usr/sbin/useradd -c Computers -s /bin/false %m$
ldap password sync = yes
idmap config DOMAIN:range = 800-500000
idmap config DOMAIN:ldap_url = ldap://127.0.0.1/
idmap config DOMAIN:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
idmap config DOMAIN:ldap_base_dn = ou=idmap,ou=auto.home, dc=DOMAIN,dc=local
idmap config DOMAIN:default = yes
idmap config DOMAIN:readonly = no
idmap config DOMAIN:backend = ldap
idmap alloc config:range = 800-500000
idmap alloc config:ldap_url = ldap://127.0.0.1/
idmap alloc config:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
idmap alloc config:ldap_base_dn = ou=idmap,ou=auto.home, dc=DOMAIN,dc=local
logon path = \%L\profiles\%U
logon home = \%L\%U\profiles
#logon drive = H:
ldapsam:editposix = yes
ldapsam:trusted = yes
idmap uid = 800-500000
idmap gid = 800-500000

This is the output of net groupmap list:

#net groupmap list
   Domain Admins (S-1-5-21-2832048597-2870066976-2120398464-512) -> Domain Admins
   Domain Users (S-1-5-21-2832048597-2870066976-2120398464-513) -> Domain Users
   Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> Domain Guests
   Domain Computers (S-1-5-21-2832048597-2870066976-2120398464-515) -> Domain Computers
   Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> nobody
   Administrators (S-1-5-21-2832048597-2870066976-2120398464-1007) -> admins
   Administrators (S-1-5-32-544) -> Administrators
   Account Operators (S-1-5-32-548) -> Account Operators
   Print Operators (S-1-5-32-550) -> Print Operators
   Backup Operators (S-1-5-32-551) -> Backup Operators
   Replicators (S-1-5-32-552) -> Replicators

pdbedit shows the user Administrator with the correct SID (ending in 500).

I granted rights to the Domain Admins group using the Samba documentation: link.

What else should I do?

Edit: groups on Windows.

C:\Users\username>whoami
DomainName\username

C:\Users\username>whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group

Edit2: Linux groups

[username@computername samba]$ id -Gn
Domain Users Domain Admins Administrators 

Edit3: getent group 512

[username@computername sambas]# getent group 512
Domain Admins:*:512:username,Administrator,username2
by rchhe 15.11.2011 / 16:19
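Added example (not from the question's author or from the Samba project): a small Python check that cross-reads the three outputs quoted in the question, `net groupmap list`, `whoami /groups` and `getent group 512`, and reports what a reviewer would look for first. The sample inputs below are constructed from the rows shown in the question, the function names are my own, and the checks it performs (is the user a Unix member of GID 512; does the Windows token carry the Domain Admins SID, RID 512, and BUILTIN\Administrators, S-1-5-32-544; is any SID or NT name mapped more than once) are the reviewer's reading of that output, not anything the question states.

```python
import re
from collections import Counter

# Constructed sample: the `net groupmap list` rows quoted in the question.
GROUPMAP_SAMPLE = """\
Domain Admins (S-1-5-21-2832048597-2870066976-2120398464-512) -> Domain Admins
Domain Users (S-1-5-21-2832048597-2870066976-2120398464-513) -> Domain Users
Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> Domain Guests
Domain Computers (S-1-5-21-2832048597-2870066976-2120398464-515) -> Domain Computers
Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> nobody
Administrators (S-1-5-21-2832048597-2870066976-2120398464-1007) -> admins
Administrators (S-1-5-32-544) -> Administrators
"""

# Constructed sample: a few `whoami /groups` rows from the logon token in the question.
WHOAMI_SAMPLE = """\
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
"""

# Constructed sample: the `getent group 512` line from the question.
GETENT_SAMPLE = "Domain Admins:*:512:username,Administrator,username2"

GROUPMAP_RE = re.compile(r"^\s*(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+?)\s*$")
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")


def parse_groupmap(text):
    """Parse `net groupmap list` output into (nt_name, sid, unix_group) tuples."""
    rows = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line)
        if m:
            rows.append((m["nt"], m["sid"], m["unix"]))
    return rows


def token_sids(text):
    """Collect every SID that appears in `whoami /groups` output."""
    return set(SID_RE.findall(text))


def domain_sid(rows):
    """Derive the domain SID from whichever mapping carries the Domain Admins RID (512)."""
    for _, sid, _ in rows:
        if sid.endswith("-512"):
            return sid.rsplit("-", 1)[0]
    return None


def duplicate_sids(rows):
    """SIDs that appear in more than one mapping; only one mapping per SID can be honoured."""
    counts = Counter(sid for _, sid, _ in rows)
    return sorted(s for s, n in counts.items() if n > 1)


def duplicate_nt_names(rows):
    """NT names used by more than one mapping; ambiguous whenever a group is resolved by name."""
    counts = Counter(nt for nt, _, _ in rows)
    return sorted(n for n, c in counts.items() if c > 1)


def missing_admin_sids(rows, token):
    """Admin SIDs the token lacks: Domain Admins (domain SID + RID 512) and BUILTIN\\Administrators."""
    dom = domain_sid(rows)
    expected = {"S-1-5-32-544"}
    if dom:
        expected.add(f"{dom}-512")
    return sorted(expected - token)


def unix_members(getent_line):
    """Member list from a `getent group` line (name:passwd:gid:member,member,...)."""
    line = getent_line.strip()
    return line.split(":")[3].split(",") if line else []


def diagnose(groupmap_text, whoami_text, getent_line, username):
    """Summarise the Linux-side membership against what the Windows token actually carries."""
    rows = parse_groupmap(groupmap_text)
    token = token_sids(whoami_text)
    return {
        "unix_member_of_512": username in unix_members(getent_line),
        "missing_in_token": missing_admin_sids(rows, token),
        "duplicate_sids": duplicate_sids(rows),
        "duplicate_nt_names": duplicate_nt_names(rows),
    }


if __name__ == "__main__":
    for key, value in diagnose(GROUPMAP_SAMPLE, WHOAMI_SAMPLE, GETENT_SAMPLE, "username").items():
        print(f"{key}: {value}")
```

On the question's data the script reports that the user is a Unix member of GID 512, yet the Windows token carries neither the domain's RID-512 SID nor S-1-5-32-544, so the membership is not being conveyed into the logon token at all; it also flags RID 514 as mapped twice (to "Domain Guests" and to "nobody") and the NT name "Administrators" as used by two different SIDs, both of which are worth cleaning up before looking further.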

0 answers