# Samba - PDC/Speed

## Mit

Hi,

This is probably just me missing something obvious or something, but I want to be able to set a roaming profile (on my Samba PDC) to an Admin account. I have the local admin accounts, but I'd like to be able to set another user to an admin, without giving him the local admin password.

I thought setting

```
domain admin group = root @domainadmin
```

in the smb.conf and a group with the members names in /etc/group would do it... but it doesn't seem to...

Can anyone offer me some help?  :Smile:

Last edited by Mit on Fri Jul 18, 2003 7:10 am; edited 1 time in total

----------

## chris4linux

if you have restarted the samba server, it should work... in my school I set up a samba pdc with the option domain admins = ... and it works quite good, if users are not in the group, they get the "normal rights", if a user is in the group (e.g. domainadmins) they have administrator rights on the win2k box...

- Chris

PS have you added the user with smbuser -a <username> ? (and set a passwd?)

----------

## Mit

hrm, odd, yes, I have restarted samba (even restarted the box, cos I pulled out the wrong plug  :Rolling Eyes: )

All users are added and work fine, it's just a bit annoying, the 'root' user doesn't have admin, nor does the other I want to.

I'll check the settings again... but as far as I spotted, I couldn't see anything wrong.

----------

## chris4linux

could you post the [global] part of your config?

which version of samba do you use?

- Chris

----------

## Mit

Will do when I get home, at work at the moment, tried with 2.2.8a and 3.0.? - Can't just remember what it is off hand - whatever the latest was in Portage 3 days ago (tried the new version to see if it fixed the problem)

----------

## Mit

```
[global]
   workgroup = HOME
   server string = Linux Server
   log file = /var/log/samba/log.%m
   max log size = 100
   hosts allow = 192.168.0. 127.
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/private/smbpasswd
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
   *passwd:*all*authentication*tokens*updated*successfully*
   username map = /etc/samba/smbusers
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   template homedir = /home/%U
   template shell = /bin/bash
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
   read raw = no
   interfaces = eth0 lo 192.168.0.1/24
   bind interfaces only = yes
   os level = 2
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = login.bat
   logon path = \\%L\%U\profile\
   logon drive u:
   logon home = \\%L\%U\
   hide dot files = yes
   domain admin group = root @domainadmin
   domain guest group = nobody @guest
   name resolve order = wins lmhosts bcast
   wins support = yes
```

My Global.

----------

## bashir

Hi!

IMHO you have to set

```
admin users = @domainadmin
```

bashir

----------

## Mit

 *bashir wrote:*   

> Hi!
> 
> IMHO you have to set
> 
> ```
> ...
> ```

 

just tried that, it didn't seem to fix it  :Sad: 

----------

## Mit

```
[2003/07/14 23:48:18, 0] smbd/server.c:main(747)
  smbd version 3.0.0beta3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2003
[2003/07/14 23:48:18, 1] param/params.c:Parameter(368)
  params.c:Parameter() - Ignoring badly formed line in configuration file: *passwd:*all*authentication*tokens*updated*successfully*
[2003/07/14 23:48:18, 1] param/loadparm.c:lp_do_parameter(3102)
  WARNING: The "winbind uid" option is deprecated
[2003/07/14 23:48:18, 1] param/loadparm.c:lp_do_parameter(3102)
  WARNING: The "winbind gid" option is deprecated
[2003/07/14 23:48:18, 1] param/params.c:Parameter(368)
  params.c:Parameter() - Ignoring badly formed line in configuration file: logon drive u:
[2003/07/14 23:48:18, 0] param/loadparm.c:map_parameter(2376)
  Unknown parameter encountered: "domain admin group"
[2003/07/14 23:48:18, 0] param/loadparm.c:lp_do_parameter(3096)
  Ignoring unknown parameter "domain admin group"
[2003/07/14 23:48:18, 0] param/loadparm.c:map_parameter(2376)
  Unknown parameter encountered: "domain guest group"
[2003/07/14 23:48:18, 0] param/loadparm.c:lp_do_parameter(3096)
  Ignoring unknown parameter "domain guest group"
[2003/07/14 23:48:18, 0] param/loadparm.c:service_ok(2554)
  No path in service ipc$ - using /tmp
[2003/07/14 23:48:18, 0] smbd/server.c:main(781)
  standard input is not a socket, assuming -D option
```

just looked in the logs... that could be why.

----------

## bashir

Okay, let's figure out what's going wrong..   :Cool: 

```
[2003/07/14 23:48:18, 1] param/params.c:Parameter(368)
  params.c:Parameter() - Ignoring badly formed line in configuration file: *passwd:*all*authentication*tokens*updated*successfully*
```

To correct this, you have to change in your [global] section

```
passwd chat = *Old*UNIX*password* %o *New*UNIX*password* %n *ReType*new*UNIX*password* %n *all*authentication*tokens*updated*successfully*
```

Type it in _one_ line! (IMO the old password is required to close a big security hole...)

```
[2003/07/14 23:48:18, 1] param/loadparm.c:lp_do_parameter(3102)
  WARNING: The "winbind uid" option is deprecated
[2003/07/14 23:48:18, 1] param/loadparm.c:lp_do_parameter(3102)
  WARNING: The "winbind gid" option is deprecated
```

The "winbind uid & gid" could not have IDs used in your /etc/passwd, NIS, etc.

```
[2003/07/14 23:48:18, 1] param/params.c:Parameter(368)
  params.c:Parameter() - Ignoring badly formed line in configuration file: logon drive u:
```

Change "logon drive u:" to

```
logon drive = "u:"
```

```
[2003/07/14 23:48:18, 0] param/loadparm.c:map_parameter(2376)
  Unknown parameter encountered: "domain admin group"
[2003/07/14 23:48:18, 0] param/loadparm.c:lp_do_parameter(3096)
  Ignoring unknown parameter "domain admin group"
[2003/07/14 23:48:18, 0] param/loadparm.c:map_parameter(2376)
  Unknown parameter encountered: "domain guest group"
[2003/07/14 23:48:18, 0] param/loadparm.c:lp_do_parameter(3096)
  Ignoring unknown parameter "domain guest group"
```

Your samba doesn't know these parameters!

Try instead:

```
admin users = @domainadmin
guest ok = yes
guest account = @guest
```

Add user root in your smbpasswd, restart your samba and try it again...

EDIT:

If it does not work, please post your required options (Winbind, DomainClient, etc.) and I will try to help (if I can)

bashir

----------

## Mit

Tnx for the suggestions, much appreciated. Will try them in about 45 mins (still at work, again). I'm learning Linux slowly, getting the hang of most things  :Smile:  and actually enjoying it. Out with Windows, in with Linux  :Wink: 

----------

## Mit

hrm, tried that, no more errors now in the log... but it STILL doesn't let the other account be an admin (something broke on Win2k?)

All I want is for certain members of the Domain to be able to Admin computers... even the root username (on Samba) which is created, needed it to get PCs to join the domain, cannot admin the domain. This is rather bizarre :/

```
admin users = root @domainadmin
```

domain admin is defined in my /etc/group file, and contains currently 2 users.

BUT

```
[2003/07/15 17:02:51, 0] smbd/service.c:make_connection(381)
  make_connection: tim logged in as admin user (root privileges)
```

in the PC specific log.... Any reason why windows shouldn't see me as an admin?

----------

## bashir

Sorry!

It was a misunderstanding....

You need a Domain Control for users in domainadmin.

```
admin users =
```

gives root rights for the shares   :Rolling Eyes: 

Okay, try instead for Samba <3:

```
domain groups = domainadmin,root
domain admin group = domainadmin
domain admin users = root
```

And for Samba >=3:

Remove

```
admin users =
```

List all the mapped groups by running: 

```
smbgroupedit -v
```

You will get a list looking like the one below.

```
NT group (SID) -> Unix group
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1
Domain Guests (S-1-5-21-1108995562-3116817432-1375597819-514) -> -1
Domain Users (S-1-5-21-1108995562-3116817432-1375597819-513) -> -1
```

Map the unix domainadmin group to the NT 'Domain Admins' group, by running the command:

```
smbgroupedit -c S-1-5-21-1108995562-3116817432-1375597819-512 -u domainadmin
```

Do not copy and paste this sample, the Domain Admins SID (the S-1-5-21-...-512) is different for every PDC.

EDIT:

The options domain admin group/users have been removed in Samba 3.0, it didn't scale very well.

And change

```
security = server
os level = 65
```

bashir

Last edited by bashir on Wed Jul 16, 2003 7:38 am; edited 1 time in total
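Added example (not part of any post in this thread, and not Samba project code): a small Python scan of smbd log text for the two things this thread turned on, settings that smbd dropped at startup so they never took effect, and sessions that `admin users` ran with root privileges. The sample records are copied from the log excerpts quoted above; the rule names and function names are this example's own labels.

```python
import re
# Constructed sample: records copied from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
[2003/07/14 23:48:18, 1] param/params.c:Parameter(368)
  params.c:Parameter() - Ignoring badly formed line in configuration file: logon drive u:
[2003/07/14 23:48:18, 1] param/loadparm.c:lp_do_parameter(3102)
  WARNING: The "winbind uid" option is deprecated
[2003/07/14 23:48:18, 0] param/loadparm.c:lp_do_parameter(3096)
  Ignoring unknown parameter "domain admin group"
[2003/07/15 17:02:51, 0] smbd/service.c:make_connection(381)
  make_connection: tim logged in as admin user (root privileges)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+\S+")  # "[date time, level] file:function(line)"

# Rule names are this example's own labels, not Samba terminology.
RULES = [
    ("malformed_line", re.compile(r"Ignoring badly formed line in configuration file: (.+)")),
    ("deprecated", re.compile(r'The "([^"]+)" option is deprecated')),
    ("ignored_parameter", re.compile(r'Ignoring unknown parameter "([^"]+)"')),
    ("root_session", re.compile(r"make_connection: (\S+) logged in as admin user \(root privileges\)")),
]

def parse_records(text):
    """Yield (timestamp, message); a record is a header line plus its indented body lines."""
    ts, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(body)
            ts, body = m.group(1), []
        elif ts is not None and line.strip():
            body.append(line.strip())
    if ts is not None:
        yield ts, " ".join(body)

def findings(text):
    """Return (kind, detail, timestamp) for every record that matches a rule."""
    hits = []
    for ts, msg in parse_records(text):
        for kind, rx in RULES:
            m = rx.search(msg)
            if m:
                hits.append((kind, m.group(1).strip(), ts))
    return hits

if __name__ == "__main__":
    print(*findings(SAMPLE_LOG), sep="\n")
```

An `ignored_parameter` or `malformed_line` hit means the setting is not in force, whatever smb.conf says; a `root_session` hit names an account whose file operations on that share run as root.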

----------

## Mit

security = server - but I don't have another server to validate against, the Linux samba machine _IS_ the server.

it's not saying 

make_connection: tim logged in as admin user (root privileges) 

in the logs now either, will have a fiddle later. gtg to work  :Sad: 

----------

## bashir

Hi Mit!

I've edited my post above!

You are using Samba 3.0, right?

Okay, do not change the security option, this is useless for you.  :Embarassed: 

bashir

----------

## Mit

Yes, I'm using Samba 3 atm. Can use 2.2.8a if it's easier to do with that... I just tried 3 cos I couldn't get it all working with 2.2.8a. Will test that at lunch, can't access my box atm, damn firewall at work.

----------

## bashir

Hi Mit!

Just use Samba 3!

Try what I've posted above. It should function   :Laughing: 

bashir

----------

## Mit

smbgroupedit doesn't exist, is it in another package or something?

otherwise, I'm not sure if it's working... it's now moaning about not being able to copy profiles (only part of thou...) [edit] fixed that now, recreated the profile and it works.... [/edit]

----------

## bashir

About smbgroupedit

I've emerged samba 3. And you're right:

smbgroupedit is missing.  :Confused: 

I've recompiled it with all additional USE_FLAG's, but it still won't be created.  :Shocked: 

But in the ebuild file smbgroupedit is listed in the section Install standard binary files, perhaps a bug?

bashir

----------

## Mit

oh, it's not listed at all in this ebuild /usr/portage/net-fs/samba/samba-3.0.0_beta2-r1.ebuild at all...

or the beta1-r1 one for that matter...

So, without that, i can't set up the groups correctly?

----------

## bashir

Sometimes it is better to get some sleep before hacking commands on my keyboard...

I've looked in samba-3.0_alpha22.ebuild, but emerged samba-3.0.0_beta1-r1.ebuild (damn wildcards) .  :Rolling Eyes: 

In the alpha version smbgroupedit is included. I don't know, why it has been removed....

I have no idea if it's possible to change the group members in Samba 3.x without smbgroupedit. On most computers I use 2.2.8 and one with Samba 3 to test, but it is (still) Debian based.

bashir

----------

## Mit

When I get back home, I'll try the suggestions for samba 2.2.8a and see if that works instead...

Wonder why smbgroupedit was removed... I don't have the alpha ebuilds in my tree. Could try getting one later if u think that's the best option

Thanks for the help anyway, much appreciated  :Smile: 

----------

## bashir

IMHO 2.2.8 is at the moment the best choice (for little networks and if you are not missing anything there).   :Laughing: 

bashir

----------

## Mit

Finally... got it working under 2.2.8a

Thanks again for all your help Bashir. Much appreciated.

----------

## bashir

Nice to hear, Mit!

There is only one way the Community could exist!   :Wink: 

bashir

----------

## Mit

Only one more slight problem... it doesn't like sending large files fast  :Sad:  thus isn't working terribly well as a media server.

It can't cope sending out 128KB/s MP3s to one machine on the network. No high CPU, disk is running in DMA mode 4. Any ideas?

----------

## bashir

Now it is getting a little bit offtopic - perhaps you could change the title to something like Samba as PDC/speed problem or whatever you like..  :Cool: 

There are many sources which could cause similar problems.

Some first suggestions:

Do you have hdparm configured to increase the speed of your disk(s)?

You have set socket options. Have a look.

Have you tested the speed with other protocols (ftp, etc.)?

bashir

----------

## schism39401

Mit, I am having a similar problem to yours.. Would you mind posting your smb.conf?

----------

## Mit

 *bashir wrote:*   

> Now it is getting a little bit offtopic - perhaps you could change the title to something like Samba as PDC/speed problem or whatever you like.. 
> 
> There are many sources which could cause similar problems.
> 
> Some first suggestions:
> ...

 

hdparm set to run in ATA66 mode afaik. Not sure about other optimisations... it's default I think.

Tested http/ftp - they work up to about 600KB/s (I blame the crappy on board lan for the lack of that extra bit of speed)

tried a few things, setting 'read raw' to on seemed to help, I can now stream MP3s (assuming CPU is low usage on the server) but I can't at all stream movies from it. Part of the use of the box was a bit of a media server for the house.

----------

## Mit

 *schism39401 wrote:*   

> Mit, I am having a similar problem to yours.. Would you mind posting your smb.conf?

 

sure

```
#======================= Global Settings =====================================

[global]
workgroup = HOME
server string = Linux Server
log file = /var/log/samba/log.%m
max log size = 100
hosts allow = 192.168.0. 127.
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/private/smbpasswd
unix password sync = Yes
smb passwd file = /etc/samba/private/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Old*UNIX*password* %o *New*UNIX*password* %n *ReType*new*UNIX*pa$
username map = /etc/samba/smbusers
read raw = no
interfaces = eth0 lo 192.168.0.1/24
bind interfaces only = yes
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
logon script = login.bat
logon path = \\%L\%U\profile\
logon drive = u:
logon home = \\%L\%U\
hide dot files = yes
domain groups = @domainadmin,root
domain admin group = @domainadmin
domain admin users = root
name resolve order = wins lmhosts bcast
dns proxy = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mode = 0600
   directory mode = 0700

[netlogon]
   comment = Network Logon Service
   path = /etc/samba/netlogin
   writeable = no

[Profiles]
    create mode = 0600
    csc policy = disable
    directory mode = 0700
    profile acls = yes
    read only = no
    path = /home/%U/profile
    browseable = no
    guest ok = yes
    writeable = yes
```

That's the global bit and the 3 useful shares. Roaming profiles now work, and it saves the profile in the user's /home folder.

----------

