Topic: Samba Questions

[laurie_lewis]

I have not been able to find out how to do the following for my network in any of the posts.

1.  How do I prevent a user from logging onto multiple pc's on the domain at once?

2.  How do I give a user "power-user" rights on the pc they log onto so they can install/update software.  I do not have any users created on my pc's (XP with SP2) and I am just using the users from the domain.

3.  Is there a screen you can install so you can remotely configure the samba settings from server-manager.

Thanks

laurie

[ryan]

Laurie,

I have dealt with both issues you describe.  It has been a while since I did this, so I suggest you do this on a test system as you might break it.

First, to limit logon to specific machines, I created a local group on XP and changed the NTFS permissions to c:\documents and settings directory.  Remove the everyone group and power users group.  Add the local group you created, assign the same permissions used for the power users group you deleted.  Add only the users you wish to allow login to the system to the local group.  If the PCs you do this on are to be used in a workgroup or a MS domain in the future, you will have to restore the original permissions you have changed.

When a user that is not in the local group attempts logon, they will get and error since a profile cant be created for them.  They don't get a MS message stating they don't have logon access.

For your power users, simply add the local group 'authenticated users' to the local 'Power Users' group on the PC.  If the PC is part of an SME domain, anyone that successfully logs on is a power user.  

hope that helps

ryan

[dave_d]

Ryan,

Errr ...  please excuse my ignorance, but where is the group 'authenticated users' to be found?  .. Or do I have to create that group?

Regards,

Dave

[ryan]

Dave,

First, make sure your using the administrative tools, not 'users and passwords' in XP.  To add 'authenticated users' to power users, open the power users group, then add button.  Change the location to the local computer (not SME domain).  Add the group.  Anyone authenticated by either the SME domain controller or the local users will be a power user on this PC.

Hope that helps,

ryan

[dave_d]

Thanks Ryan,

That did the trick!!

Dave

[gzartman]

I have not been able to find out how to do the following for my network in any of the posts.

1.  How do I prevent a user from logging onto multiple pc's on the domain at once?

The short answer is that I really don't think you can.  The whole point of the domain is to have centralized authentication.  AFAIK, there isn't a way to "checkout" your authentication, which is really what you are after.  I believe you can get close to this by using Windows Policies.  However, my guess is that you'll need to specify that the user can logon to only a certain workstation.

2.  How do I give a user "power-user" rights on the pc they log onto so they can install/update software.  I do not have any users created on my pc's (XP with SP2) and I am just using the users from the domain.

If you are running the new Samba 3 packages, you should be able to do this with group mapping.  We've created a new function in the group panel that maps all SME groups to Windows groups.   The mapped windows group being whatever text you type in the description field in the groups panel.  This is quite useful as windows will recognize this mapped group and apply the appropriate rights to that group as specified in the windows authentication rules.

There are several ways to achieve what you are after w/o having to visit every workstation in the domain, using the new group mapping feature.  On my network, I've created and SME group called 'da' with the description 'Domain Admins'.  Whem membes of this group log into a workstation, Windows recognizes this mapped group and gives the user local admin rights.  Very nice!!

An especially useful tool for helping you come up with the right group mapping is a MS app. called whoami.exe.  Runs on both XP and 2000:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/whoami-o.asp

Login on any workstation in the domain and issue the command: "whoami /groups" and you'll get list of all groups that you are a member of, as windows sees things.

3.  Is there a screen you can install so you can remotely configure the samba settings from server-manager.

Yes and no.  The workgroup panel provides a means for configuring Samba, but only those settings that we want you to configure.  Everything else is set for you by SME to insure that your system functions properly.  This layer of abstration is one of the things that makes SME so easy to use.  You don't need to "KNOW" Samba to configure the version of Samba running on SME to function properly.  We've already done that for you.

Good luck.

Greg