Members of Domain Admins (with CentOS Directory Server as the backend) do not have administrator rights on Windows Server 2008. I have joined the domain, I can see that the users are populated, and I can log in with an LDAP account. However, members of Domain Admins do not have administrator rights.
My smb.conf:
[global]
workgroup = DOMAIN
netbios name = COMPUTERNAME
name resolver order = wins lmhosts hosts bcast
time server = yes
interfaces = lo eth0 192.168.2.0/24
hosts allow = 127. 192.168.0.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
enable privileges = yes
security = user
passdb backend = ldapsam
ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldap delete dn = yes
ldap suffix = dc=DOMAIN, dc=local
ldap user suffix= ou=groups, ou=auto.home
ldap machine suffix= ou=Computers, ou=auto.home
ldap group suffix = ou=groups, ou=auto.home
ldap idmap suffix = ou=idmap, ou=auto.home
idmap backend = ldap:ldap://127.0.0.1/
idmap alloc backend = ldap:ldap://127.0.0.1/
ldap ssl = start tls
encrypt passwords = true
#add machine script = /usr/sbin/useradd -c Computers -s /bin/false %m$
ldap password sync = yes
idmap config DOMAIN:range = 800-500000
idmap config DOMAIN:ldap_url = ldap://127.0.0.1/
idmap config DOMAIN:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
idmap config DOMAIN:ldap_base_dn = ou=idmap,ou=auto.home, dc=DOMAIN,dc=local
idmap config DOMAIN:default = yes
idmap config DOMAIN:readonly = no
idmap config DOMAIN:backend = ldap
idmap alloc config:range = 800-500000
idmap alloc config:ldap_url = ldap://127.0.0.1/
idmap alloc config:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
idmap alloc config:ldap_base_dn = ou=idmap,ou=auto.home, dc=DOMAIN,dc=local
logon path = \\%L\profiles\%U
logon home = \\%L\%U\profiles
#logon drive = H:
ldapsam:editposix = yes
ldapsam:trusted = yes
idmap uid = 800-500000
idmap gid = 800-500000
This is the output of net groupmap list:
# net groupmap list
Domain Admins (S-1-5-21-2832048597-2870066976-2120398464-512) -> Domain Admins
Domain Users (S-1-5-21-2832048597-2870066976-2120398464-513) -> Domain Users
Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> Domain Guests
Domain Computers (S-1-5-21-2832048597-2870066976-2120398464-515) -> Domain Computers
Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> nobody
Administrators (S-1-5-21-2832048597-2870066976-2120398464-1007) -> admins
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
pdbedit shows the user Administrator with the correct SID (ending in 500).
I have granted rights to the Domain Admins group using the documentation from Samba: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html
What else should I do?
Edit: groups in Windows.
C:\Users\username>whoami
DomainName\username

C:\Users\username>whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group
Edit 2: groups from Linux
[username@computername samba]$ id -Gn
Domain Users Domain Admins Administrators
Edit 3: getent group 512
[username@computername sambas]# getent group 512
Domain Admins:*:512:username,Administrator,username2
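The three outputs quoted in the question (net groupmap list, whoami /groups, getent group) can be cross-checked mechanically to see on which side the membership is lost. This is an added example, not code from the question or from Samba; it assumes the output formats shown above and works on trimmed, constructed copies of them.

```python
import re

# Constructed samples, trimmed from the outputs quoted in the question.
GROUPMAP = """Domain Admins (S-1-5-21-2832048597-2870066976-2120398464-512) -> Domain Admins
Domain Users (S-1-5-21-2832048597-2870066976-2120398464-513) -> Domain Users
Administrators (S-1-5-32-544) -> Administrators
"""
WHOAMI = r"""Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
"""
GETENT = "Domain Admins:*:512:username,Administrator,username2"

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def domain_sid(groupmap_text):
    """Domain SID: any S-1-5-21-... mapping in net groupmap output with its RID stripped."""
    for sid in SID_RE.findall(groupmap_text):
        if sid.startswith("S-1-5-21-"):
            return sid.rsplit("-", 1)[0]
    return None


def token_sids(whoami_text):
    """SIDs present in the Windows logon token (whoami /groups)."""
    return set(SID_RE.findall(whoami_text))


def unix_members(getent_line):
    """Members listed by getent group for the gid mapped to Domain Admins."""
    return set(getent_line.strip().split(":")[3].split(","))


def diagnose(user, groupmap_text, whoami_text, getent_line):
    """Compare Samba-side membership with what the Windows token actually carries."""
    dom = domain_sid(groupmap_text)
    sids = token_sids(whoami_text)
    in_unix = user in unix_members(getent_line)
    in_token = f"{dom}-512" in sids          # RID 512 = Domain Admins
    if in_unix and not in_token:
        verdict = "member on the Samba side, RID 512 absent from the Windows token"
    elif in_token and "S-1-5-32-544" not in sids:
        verdict = "RID 512 in token but not nested into BUILTIN\\Administrators"
    else:
        verdict = "token carries the expected SIDs"
    return {"domain_sid": dom, "in_unix_group": in_unix, "in_token": in_token, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose("username", GROUPMAP, WHOAMI, GETENT))
```

On the question's data the verdict is the first branch: the user is in the Domain Admins group as far as Samba and getent are concerned, but the token Windows built at logon never received the RID-512 SID, so rights assigned to that group cannot apply.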