Sometimes Windows clients will maintain a connection to the [homes] (or [%U]) share even after the user has logged out. Consider the following scenario.
However, since the NT box has maintained a connection to [homes], which was previously set to \\server\user1, when the operating system attempts to get the profile it will get it if it can read user1's profile; otherwise it will return an error. You get the picture.
A better solution is to use a separate [profiles] share and set the "logon path = \\%N\profiles\%U"
The 'domain admin users' parameter is obsolete. Please see Q4.3.1.
There are several well-known RIDs in Windows NT. One of these is the admin RID, which is 500. Currently Samba supports domain admin users by assigning them the Administrator RID of 500 rather than the way that normal user RIDs are generated ( by 1000 to the unix uid ). This will change in the future as more is learned about the methods to implement this and as NT groups become supported.
The hard-coded RID for domain admins can cause users to share profiles if you are not deleting the cached copy of the user profile after the user logs out.
The username <-> RID mapping and some related remote procedure calls are entirely not completed. If you get this failure, please report it and how to reproduce it to the samba-ntdom@samba.org mailing list.
Some tools will work. For example, the NT Sec tools sold by Pedestal Software work for me. I can successfully include domain users and groups in local file ACLs. These tools also allow you to include users and groups in share permissions as well. However, the Windows Explorer (explorer.exe) does not work. The cacls.exe tool that ships with Windows NT also works?
There can be several reasons for this.
This has changed in the latest version of the HEAD branch. The "domain admin users" and "domain admin group" parameters have gone away. See the smb.conf man page for information on
Here are some sample notes...

To put users in the "Domain Admins" group:

    domain group map = /usr/local/samba/lib/domaingroup.map

    adm="Domain Admins"

To add users to the local Administrator accounts on machines:

    local group map = /usr/local/samba/lib/localgroup.map

    wheel=BUILTIN\Administrators

Now to map NT user accounts to unix accounts:

    domain user map = /usr/local/samba/lib/domainuser.map

    root=Administrator

    smbpasswd -a root

and enter a password.
There are two possible reasons for system policies not functioning correctly.
    [netlogon]
        ....
        locking = no
        public = no
        browseable = yes
        ....

    case sensitive = no
    case preserve = yes
    default case = yes
Ensure you have the following in smb.conf :
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *password* %n\n *password* %n\n *successfull*
The actual value of the second and third lines will vary with your system. The passwd
program will be run with root privilege, so make sure the text that you supply is correct
for a root operation. The man pages suggest you can use double quotes to 'collect strings
with spaces in them'. Reports from users indicated that this did not work well; examining
the strings being submitted indicated that the program was having trouble parsing the
string, so it is better to avoid the spaces and rely on the *.

You do not need to add -DALLOW_CHANGE_PASSWORD to the makefile. It's in
~/include/includes.h. As mentioned above, the change to the unix password happens as
root, not as the user, as is indicated in ~/smbd/chgpasswd.c. If you are using NIS,
the Samba server must be running on the NIS master machine.
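
The following lint script is an added example, not part of this FAQ or of Samba's own code. It checks an smb.conf for the points raised in the answers above: a logon path that points at [homes] or [%U], the obsolete 'domain admin users' parameters, quoted strings in passwd chat, and an incomplete password sync setup. The sample configuration and the function names parse and audit are constructed for illustration.

```python
import re

# Constructed sample smb.conf (not from the FAQ) containing the settings it warns about.
SAMPLE = r"""
[global]
   logon path = \\%N\homes\profile
   domain admin users = root
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = "*new password*" %n\n "*new password*" %n\n *successfull*
[homes]
   browseable = no
"""

def parse(text):
    """Return {section: {param: value}}; names lowercased, inner whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """Return a list of findings for the issues discussed in this FAQ."""
    conf = parse(text)
    g = conf.get("global", {})
    findings = []
    # \\server\share\rest -> ["server", "share", "rest"]
    unc = g.get("logon path", "").replace("/", "\\").strip("\\").split("\\")
    if len(unc) > 1 and unc[1].lower() in ("homes", "%u"):
        findings.append("logon path uses [homes]/[%U]; use a separate [profiles] share")
    elif len(unc) > 1 and unc[1].lower() not in conf:
        findings.append(f"logon path share [{unc[1]}] is not defined")
    for old in ("domain admin users", "domain admin group"):
        if old in g:
            findings.append(f"'{old}' is obsolete; see the group map parameters")
    if '"' in g.get("passwd chat", ""):
        findings.append("passwd chat uses quoted strings; avoid spaces and rely on *")
    if g.get("unix password sync", "no").lower() in ("yes", "true", "1"):
        for need in ("passwd program", "passwd chat"):
            if need not in g:
                findings.append(f"unix password sync is on but '{need}' is not set")
    return findings
```

Calling audit(SAMPLE) returns three findings; a configuration that follows the FAQ's advice returns an empty list.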
This FAQ is maintained by Jerry Carter E-mail comments / suggestions jerry@samba.org