Koozali.org: home of the SME Server

win2k/linux group permissions - problem with local admin gro

Patrick

« on: December 17, 2001, 08:14:03 PM »
I have a serious problem, my network users are logging into their Win2k systems via my domain logon to the SME server - and they have Administrator rights on the local machines!?!  (gulp)

I have NO idea how this happened.  This server was initially an ESSG 4.1.2 machine, which was upgraded to SME V5.

The server is running as the Domain master, and there are no other 2k/NT servers on the network.  Only Win2k pro workstations connecting to the SME server for domain authentication.


When I try to remove the group (below) in order to remove the users from the local machine Administrator group I get the error below:

This group is listed in Users and in Administrators on the local machine:
THEBRIDGES\unix_group.2147483404

========================================================
Local Users and Groups (Window)

The following error occurred while attempting to save properties for group Administrators on computer BENTCREEK006:

"A member could not be added to or removed from the local group because the member does not exist."
========================================================

This SME server is running Samba 2.2.2, without any other apparent problem outside of this serious security issue.  I have also set up the "domain admin group = @dom_admins" in the samba.conf file templates.

Has anyone else run into this issue?  Any and all ideas/response are welcome, thanks.

Regards,
Patrick

Ryan Sutton

Re: win2k/linux group permissions - problem with local admin
« Reply #1 on: December 19, 2001, 10:49:28 PM »
I have been playing with samba 2.2.2 at home with a Win2k box.  I realized exactly what you did.  After some time, it is not possible to remove those groups without leaving the domain.  I fixed this by:

- join workgroup
- log in as local admin and clean up all non-Microsoft groups from all global groups
- rejoin the e-smith domain
- immediately go into user manager and remove the account added to the administrators group.  I would then put the root account from the linux domain in the administrators group so you can "administrate" and use NT admin tools from a remote location (like going into C$).
- The linux/user/group is also put in Power users on a win2k box, which I deleted and added to the regular users group.

Good Luck

Patrick Basile

Re: win2k/linux group permissions - problem with local admin
« Reply #2 on: January 15, 2002, 06:41:16 PM »
Ryan,

Thanks for your response; however, when I followed your instructions the group 'THEBRIDGES\unix_group.2147483404' still showed up in the local Administrators group AND the local Users group AFTER rejoining the domain!?!?  Any ideas?

Running SME V5 and Samba 2.2.2, as I said in the first post.  This was NOT a problem under ESSG 4.1.2 and Samba 2.2.1a - wonder what changed?  I guess this is a Samba problem?

Hope others might have similar stories and solutions, thanks.

Regards,
Patrick
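
One way to check each workstation for the condition described in this thread, as an added example that is not part of the original posts: it parses the output of `net localgroup Administrators` and flags any member that is not on an allow-list, marking names shaped like the `unix_group.<number>` entry quoted above. The sample output is constructed, and the allow-list (local Administrator plus the domain root account suggested in Reply #1) is an assumption.

```python
import re

# Constructed sample of `net localgroup Administrators` output; the domain
# name and the unix_group entry are the ones quoted in the thread.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
THEBRIDGES\\root
THEBRIDGES\\unix_group.2147483404
The command completed successfully.
"""

# Assumption: the only principals that should hold local admin rights.
ALLOWED = {"administrator", r"thebridges\root"}

# Name shape taken from the entry quoted in the thread: DOMAIN\unix_group.<number>
UNMAPPED = re.compile(r"^[^\\]+\\unix_group\.\d+$", re.IGNORECASE)


def parse_members(output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def audit(output, allowed=ALLOWED):
    """Return (members not on the allow-list, members named like unix_group.<n>)."""
    members = parse_members(output)
    unexpected = [m for m in members if m.lower() not in allowed]
    unmapped = [m for m in members if UNMAPPED.match(m)]
    return unexpected, unmapped


if __name__ == "__main__":
    unexpected, unmapped = audit(SAMPLE_OUTPUT)
    for m in unexpected:
        tag = "unix_group entry" if m in unmapped else "not on allow-list"
        print(f"REVIEW {m}: {tag}")
```

Running it again after a workstation rejoins the domain shows whether the entry has come back, as reported in Reply #2.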