Domain Admins members using CentOS Directory Server as the backend have no administrator rights on Windows Server 2008.

I joined the domain, I can see that the users are populated and they can log in using their LDAP accounts. But a member of Domain Admins does not get administrator rights.

My smb.conf:
[global]
workgroup = DOMAIN
netbios name = COMPUTERNAME
name resolver order = wins lmhosts hosts bcast
time server = yes
interfaces = lo eth0 192.168.2.0/24
hosts allow = 127. 192.168.0.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
enable privileges = yes
security = user
passdb backend = ldapsam
ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldap delete dn = yes
ldap suffix = dc=DOMAIN, dc=local
ldap user suffix= ou=groups, ou=auto.home
ldap machine suffix= ou=Computers, ou=auto.home
ldap group suffix = ou=groups, ou=auto.home
ldap idmap suffix = ou=idmap, ou=auto.home
idmap backend = ldap:ldap://127.0.0.1/
idmap alloc backend = ldap:ldap://127.0.0.1/
ldap ssl = start tls
encrypt passwords = true
#add machine script = /usr/sbin/useradd -c Computers -s /bin/false %m$
ldap password sync = yes
idmap config DOMAIN:range = 800-500000
idmap config DOMAIN:ldap_url = ldap://127.0.0.1/
idmap config DOMAIN:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
idmap config DOMAIN:ldap_base_dn = ou=idmap,ou=auto.home, dc=DOMAIN,dc=local
idmap config DOMAIN:default = yes
idmap config DOMAIN:readonly = no
idmap config DOMAIN:backend = ldap
idmap alloc config:range = 800-500000
idmap alloc config:ldap_url = ldap://127.0.0.1/
idmap alloc config:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
idmap alloc config:ldap_base_dn = ou=idmap,ou=auto.home, dc=DOMAIN,dc=local
logon path = \\%L\profiles\%U
logon home = \\%L\%U\profiles
#logon drive = H:
ldapsam:editposix = yes
ldapsam:trusted = yes
idmap uid = 800-500000
idmap gid = 800-500000
This is the output of net groupmap list:
#net groupmap list
Domain Admins (S-1-5-21-2832048597-2870066976-2120398464-512) -> Domain Admins
Domain Users (S-1-5-21-2832048597-2870066976-2120398464-513) -> Domain Users
Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> Domain Guests
Domain Computers (S-1-5-21-2832048597-2870066976-2120398464-515) -> Domain Computers
Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> nobody
Administrators (S-1-5-21-2832048597-2870066976-2120398464-1007) -> admins
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
pdbedit shows the Administrator user with the correct SID (ending in 500).

I granted rights to the Domain Admins group following the Samba documentation: link.

What else should I do?

Edit: groups on Windows.
C:\Users\username>whoami
DomainName\username

C:\Users\username>whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group
Edit2: Linux groups
[username@computername samba]$ id -Gn
Domain Users Domain Admins Administrators
Edit3: getent group 512
[username@computername sambas]# getent group 512
Domain Admins:*:512:username,Administrator,username2
Tags samba ldap domain-controller
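Added example (my own script, not from the question or from Samba): a small Python checker that cross-references the outputs pasted above. It parses `net groupmap list`, derives the domain SID from it, flags any SID that is mapped to more than one Unix group and any NT group name that appears on more than one mapping line, and then checks whether the two SIDs an administrator's Windows logon token is expected to carry (Domain Admins, RID 512, and BUILTIN\Administrators, S-1-5-32-544) actually appear in `whoami /groups`. The sample inputs are constructed copies of the outputs in the question; the function names and the two expected admin SIDs are my choices, not anything Samba defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the `net groupmap list` output from the question
# (SIDs copied from the post), without the shell prompt line.
GROUPMAP_OUTPUT = """\
Domain Admins (S-1-5-21-2832048597-2870066976-2120398464-512) -> Domain Admins
Domain Users (S-1-5-21-2832048597-2870066976-2120398464-513) -> Domain Users
Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> Domain Guests
Domain Computers (S-1-5-21-2832048597-2870066976-2120398464-515) -> Domain Computers
Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> nobody
Administrators (S-1-5-21-2832048597-2870066976-2120398464-1007) -> admins
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
"""

# Constructed sample input: the `whoami /groups` listing from the question,
# with the wrapped rows joined back together (raw string because of the backslashes).
WHOAMI_GROUPS_OUTPUT = r"""
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group
"""

# One `net groupmap list` line: "<NT name> (<SID>) -> <Unix group>"
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+?)\s*$")
# Any SID token (S-1-<authority>-<subauthorities...>)
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # well-known alias SID
DOMAIN_ADMINS_RID = 512                   # well-known domain group RID


def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; non-mapping lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            mappings.append((m["name"], m["sid"], m["unix"]))
    return mappings


def domain_sid(mappings):
    """The domain SID is any S-1-5-21-... group SID with its trailing RID removed."""
    for _, sid, _ in mappings:
        if sid.startswith("S-1-5-21-"):
            return sid.rsplit("-", 1)[0]
    return None


def duplicate_sids(mappings):
    """SIDs that occur on more than one mapping line, with every Unix target listed.
    A SID resolves to a single Unix group, so a second line is an ambiguity worth fixing."""
    targets = defaultdict(list)
    for _, sid, unix in mappings:
        targets[sid].append(unix)
    return {sid: unix for sid, unix in targets.items() if len(unix) > 1}


def duplicate_nt_names(mappings):
    """NT group names used on more than one mapping line (same or different SIDs)."""
    sids = defaultdict(list)
    for name, sid, _ in mappings:
        sids[name].append(sid)
    return {name: s for name, s in sids.items() if len(s) > 1}


def token_sids(whoami_text):
    """Every SID present in a `whoami /groups` listing."""
    return set(SID_RE.findall(whoami_text))


def missing_admin_sids(token, dom_sid):
    """Admin SIDs a Domain Admins member's token should carry but does not."""
    expected = {f"{dom_sid}-{DOMAIN_ADMINS_RID}", BUILTIN_ADMINISTRATORS}
    return sorted(expected - token)


def check(groupmap_text, whoami_text):
    """Run all consistency checks and return the findings as one dict."""
    mappings = parse_groupmap(groupmap_text)
    dsid = domain_sid(mappings)
    return {
        "domain_sid": dsid,
        "duplicate_sids": duplicate_sids(mappings),
        "duplicate_nt_names": duplicate_nt_names(mappings),
        "missing_admin_sids": missing_admin_sids(token_sids(whoami_text), dsid),
    }


if __name__ == "__main__":
    for key, value in check(GROUPMAP_OUTPUT, WHOAMI_GROUPS_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the data in the question, it reports the Domain Guests SID (RID 514) mapped to both `Domain Guests` and `nobody`, the NT name `Administrators` used for two different SIDs (RID 1007 -> `admins` and S-1-5-32-544 -> `Administrators`), and both admin SIDs absent from the Windows token. That last finding is the symptom stated in the question in SID terms: on the Linux side the user is in the Unix group `Domain Admins` (gid 512), but the token Windows built at logon contains neither the domain's RID 512 group nor BUILTIN\Administrators, so nothing on the Windows side grants the user administrator rights. The script only reports these inconsistencies; it does not claim which of them is the cause.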