Domain Admins have no administrative rights on Windows Server 2008 with a Samba PDC


Members of Domain Admins, with CentOS Directory Server as the backend, do not have administrator rights on Windows Server 2008. I have joined the domain, I can see that the users are populated, and I can log in with an LDAP account. However, members of Domain Admins do not get administrator rights.

My smb.conf:

[global]

workgroup = DOMAIN
netbios name = COMPUTERNAME
name resolver order = wins lmhosts hosts bcast
time server = yes
interfaces = lo eth0 192.168.2.0/24 
hosts allow = 127. 192.168.0.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
enable privileges = yes
security = user
passdb backend = ldapsam
ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldap delete dn = yes
ldap suffix = dc=DOMAIN, dc=local
ldap user suffix= ou=groups, ou=auto.home
ldap machine suffix= ou=Computers, ou=auto.home
ldap group suffix = ou=groups, ou=auto.home
ldap idmap suffix = ou=idmap, ou=auto.home
idmap backend = ldap:ldap://127.0.0.1/
idmap alloc backend = ldap:ldap://127.0.0.1/
ldap ssl = start tls
encrypt passwords = true
#add machine script = /usr/sbin/useradd -c Computers -s /bin/false %m$
ldap password sync = yes
idmap config DOMAIN:range = 800-500000
idmap config DOMAIN:ldap_url = ldap://127.0.0.1/
idmap config DOMAIN:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
idmap config DOMAIN:ldap_base_dn = ou=idmap,ou=auto.home, dc=DOMAIN,dc=local
idmap config DOMAIN:default = yes
idmap config DOMAIN:readonly = no
idmap config DOMAIN:backend = ldap
idmap alloc config:range = 800-500000
idmap alloc config:ldap_url = ldap://127.0.0.1/
idmap alloc config:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
idmap alloc config:ldap_base_dn = ou=idmap,ou=auto.home, dc=DOMAIN,dc=local
logon path = \\%L\profiles\%U
logon home = \\%L\%U\profiles
    #logon drive = H:
ldapsam:editposix = yes
ldapsam:trusted = yes
idmap uid = 800-500000
idmap gid = 800-500000

Here is the output of net groupmap list:

#net groupmap list
   Domain Admins (S-1-5-21-2832048597-2870066976-2120398464-512) -> Domain Admins
   Domain Users (S-1-5-21-2832048597-2870066976-2120398464-513) -> Domain Users
   Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> Domain Guests
   Domain Computers (S-1-5-21-2832048597-2870066976-2120398464-515) -> Domain Computers
   Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> nobody
   Administrators (S-1-5-21-2832048597-2870066976-2120398464-1007) -> admins
   Administrators (S-1-5-32-544) -> Administrators
   Account Operators (S-1-5-32-548) -> Account Operators
   Print Operators (S-1-5-32-550) -> Print Operators
   Backup Operators (S-1-5-32-551) -> Backup Operators
   Replicators (S-1-5-32-552) -> Replicators

pdbedit shows the user Administrator with the correct SID (ending in 500).

I have followed the Samba documentation to grant privileges to the Domain Admins group: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html

What else should I do?

Edit: groups in Windows.

C:\Users\username>whoami
DomainName\username

C:\Users\username>whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group

Edit 2: groups from Linux

[username@computername samba]$ id -Gn
Domain Users Domain Admins Administrators 

Edit 3: getent group 512

[username@computername sambas]# getent group 512
Domain Admins:*:512:username,Administrator,username2
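As an added example (not code from the question, from Samba, or from Windows), here is a small Python checker that parses the two outputs the question shows, `net groupmap list` and `whoami /groups`, and reports what a defender would look at first: whether the logon token actually carries the domain's Domain Admins SID (RID 512) and the local BUILTIN\Administrators alias (S-1-5-32-544), and whether the Samba group mapping table is ambiguous (one SID mapped to several Unix groups, or one NT name used for several SIDs). The RID and alias SID are standard Windows well-known values; the parsers are assumptions about the exact text format of the two commands as reproduced above. The sample inputs are copied from the question's own outputs, with cmd.exe's 80-column wrapping kept in the `whoami` excerpt to show that the SID column survives it. The checker only reports what is in the outputs; it does not diagnose the cause.

```python
import re
from collections import defaultdict

# Well-known Windows values (standard, not taken from the question):
# RID 512 is the domain's "Domain Admins" group and S-1-5-32-544 is the
# local BUILTIN\Administrators alias.
DOMAIN_ADMINS_RID = 512
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# One row of `net groupmap list`: "<NT name> (<SID>) -> <Unix group>"
GROUPMAP_RE = re.compile(
    r"^\s*(?P<name>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) -> (?P<unix>.+?)\s*$")
# Any SID token, e.g. S-1-5-32-545 or S-1-16-8192
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")


def parse_groupmap(text):
    """Return [(nt_name, sid, unix_group), ...] from `net groupmap list` text."""
    return [(m.group("name"), m.group("sid"), m.group("unix"))
            for m in map(GROUPMAP_RE.match, text.splitlines()) if m]


def groupmap_issues(rows):
    """Flag a SID mapped to more than one Unix group, and an NT name reused
    for more than one SID; either makes name/SID resolution ambiguous."""
    by_sid, by_name = defaultdict(set), defaultdict(set)
    for name, sid, unix in rows:
        by_sid[sid].add(unix)
        by_name[name].add(sid)
    issues = [f"SID {sid} maps to several Unix groups: {sorted(g)}"
              for sid, g in sorted(by_sid.items()) if len(g) > 1]
    issues += [f"NT name {name!r} is used for several SIDs: {sorted(s)}"
               for name, s in sorted(by_name.items()) if len(s) > 1]
    return issues


def domain_sid_from_groupmap(rows):
    """Derive the domain SID from the mapping row whose RID is 512."""
    for _name, sid, _unix in rows:
        if sid.endswith(f"-{DOMAIN_ADMINS_RID}"):
            return sid.rsplit("-", 1)[0]
    return None


def token_sids(whoami_text):
    """Every SID in `whoami /groups` output; cmd.exe wraps long rows at 80
    columns, but the SID column is never split, so a plain scan works."""
    return set(SID_RE.findall(whoami_text))


def token_admin_status(whoami_text, domain_sid):
    """Does the logon token carry Domain Admins and BUILTIN\\Administrators?"""
    sids = token_sids(whoami_text)
    return {
        "domain_admins": f"{domain_sid}-{DOMAIN_ADMINS_RID}" in sids,
        "builtin_administrators": BUILTIN_ADMINISTRATORS_SID in sids,
    }


# Sample input copied from the question's `net groupmap list` output.
SAMPLE_GROUPMAP = """
   Domain Admins (S-1-5-21-2832048597-2870066976-2120398464-512) -> Domain Admins
   Domain Users (S-1-5-21-2832048597-2870066976-2120398464-513) -> Domain Users
   Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> Domain Guests
   Domain Computers (S-1-5-21-2832048597-2870066976-2120398464-515) -> Domain Computers
   Domain Guests (S-1-5-21-2832048597-2870066976-2120398464-514) -> nobody
   Administrators (S-1-5-21-2832048597-2870066976-2120398464-1007) -> admins
   Administrators (S-1-5-32-544) -> Administrators
   Account Operators (S-1-5-32-548) -> Account Operators
   Print Operators (S-1-5-32-550) -> Print Operators
   Backup Operators (S-1-5-32-551) -> Backup Operators
   Replicators (S-1-5-32-552) -> Replicators
"""

# Excerpt of the question's `whoami /groups` output, wrapping included.
SAMPLE_WHOAMI = r"""
Everyone                               Well-known group S-1-1-0      Mandatory g
roup, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory g
roup, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory g
roup, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory g
roup, Enabled by default, Enabled group
"""

if __name__ == "__main__":
    rows = parse_groupmap(SAMPLE_GROUPMAP)
    for issue in groupmap_issues(rows):
        print("groupmap:", issue)
    dom = domain_sid_from_groupmap(rows)
    print("domain SID:", dom)
    for check, present in token_admin_status(SAMPLE_WHOAMI, dom).items():
        print(f"token carries {check}: {present}")
```

On the question's data the checker reports two mapping ambiguities (SID -514 mapped to both "Domain Guests" and "nobody", and the NT name "Administrators" used for both RID 1007 and S-1-5-32-544) and a token that contains neither the domain's -512 SID nor S-1-5-32-544, which is consistent with the missing administrator rights the question describes. Run it against your own `net groupmap list` and `whoami /groups` output by replacing the two sample strings.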
