Добрый день
Собрал домен по мануалу
http://klek.blogspot.com/2007/12/samba-domain-controller-server-for.html
Вроде все красиво, немного заточил под свои нужды: пользователи добавляются, в домен входят, перемещаемые профили работают.
Занес пользователя в группу Domain Admins, однако при заходе под ним в домен происходит шняга: допустим, IP не поменяешь в свойствах ЛВС, ну и прочие
фишки нельзя использовать — короче, ведет себя как ограниченная запись.
Конфиг самбы вот
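# Server-wide settings: "domain logons = yes" below makes this host an
# NT4-style domain logon server for the BUES workgroup.
[global]
workgroup = BUES
netbios name = SERVER
# %h expands to the host name Samba is running on.
server string = %h
passdb backend = tdbsam
security = user
# The map file rewrites client-supplied user names before authentication;
# keep it writable by root only.
username map = /etc/samba/smbusers
name resolve order = wins bcast hosts
# NOTE(review): Windows clients grant local administrator rights to the domain
# group with the well-known RID 512. The "net groupmap list" output on this
# page shows Domain Admins mapped with RID 1002 - verify the group mapping.
domain logons = yes
preferred master = yes
wins support = yes

# Set CUPS for printing
load printers = yes
printcap name = CUPS
printing = CUPS

# Default logon
logon drive = H:
logon script = logon.bat
# Roaming profiles live on the [profile] share, one directory per user (%U).
logon path = \\server\profile\%U

# Useradd scripts
# These scripts are run by smbd as root when accounts and groups are managed
# from the Windows side.
# add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add user script = /usr/sbin/useradd -m '%u' -g users -G users
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
# The binary is usermod (the posted config said "usernod"). -a appends the
# group; plain -G would replace the user's other supplementary groups.
add user to group script = /usr/sbin/usermod -a -G %g %u
# Machine accounts get no login shell; the shell path must not end in a slash.
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
idmap uid = 15000-20000
idmap gid = 15000-20000
template shell = /bin/bash

# sync smb passwords with linux passwords
# With "unix password sync = yes" smbd runs the passwd program as root each
# time a user changes the SMB password.
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
# NOTE(review): passwd chat debug writes the whole chat, including plaintext
# passwords, to the smbd log at debug level 100. Set it back to "no" once the
# chat string works, and restrict access to the log files.
passwd chat debug = yes
unix password sync = yes

# set the loglevel
# Level 3 is verbose; intended for troubleshooting.
log level = 3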
# Guest-accessible share ("public" is a synonym for "guest ok").
# NOTE(review): no "path" is set in this section; Samba is expected to mark a
# share without a path as unavailable - confirm with testparm.
[public]
browseable = yes
public = yes
# Per-user home directory shares, created on demand when a user connects.
[homes]
comment = Home
# %S is the share name, which for a home share is the user's own name, so
# each home share only admits its owner.
valid users = %S
read only = no
# Hide the generic "homes" entry from browse lists.
browsable = no
# Spool share for print jobs; guests are not allowed to print.
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
public = no
writable = no
# Spool files are created accessible to their owner only.
create mode = 0700
# Printer driver share downloaded by Windows clients.
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Only root and members of the Unix group smbadmin may write (upload drivers),
# even though the share is read only for everyone else.
write list = root, @smbadmin
# Logon script share used by domain logons (holds logon.bat).
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
# admin users perform all file operations on this share as root; keep the
# list as short as possible.
admin users = Administrator
# %U is the session user name, so this admits any authenticated user.
valid users = %U
# NOTE(review): "read only" and "writable" are inverted synonyms, so the two
# lines "read only = no" and "writable = no" contradict each other. Presumably
# the later one takes effect (share stays read-only) - keep only one of them
# and confirm the result with testparm.
read only = no
guest ok = no
writable = no
# NOTE(review): the smb.conf manual describes "share modes" as deprecated and
# warns against turning it off - confirm this line is still needed.
share modes = no
browseable = no
# Roaming profile share; clients reach it through the "logon path" value
# \\server\profile\%U set in [global].
[profile]
comment = User profiles
path = /home/samba/profiles
# %U is the session user name, so any authenticated user may connect; users
# are kept out of each other's profiles by the file modes below.
# NOTE(review): verify ownership and modes of the existing per-user
# directories under the path above.
valid users = %U
create mode = 0600
directory mode = 0700
writable = yes
browsable = no
guest ok = no
# Shared work area for every member of the Unix group "users".
[allusers]
comment = All Users
path = /home/shares/allusers
valid users = @users
# New files and directories are assigned to group "users" regardless of the
# creating user's primary group.
force group = users
# Files: at most read/write for owner and group, nothing for others.
create mask = 0660
# Directories: full access for owner and group; others may only traverse.
directory mask = 0771
writable = yes
# Large data volume, writable by every member of the Unix group "users".
[big]
comment = Fat disk
path = /media/data
valid users = @users
# New files and directories are assigned to group "users" regardless of the
# creating user's primary group.
force group = users
# Files: at most read/write for owner and group, nothing for others.
create mask = 0660
# Directories: full access for owner and group; others may only traverse.
directory mask = 0771
writable = yes
группы есть
toor@IBM3250:~$ sudo net groupmap list
Domain Admins (S-1-5-21-2937850109-3093511617-1568913739-1002) -> root
Domain Users (S-1-5-21-2937850109-3093511617-1568913739-1003) -> users
Domain Guests (S-1-5-21-2937850109-3093511617-1568913739-1004) -> nogroup
юзер в админах
toor@IBM3250:~$ sudo net rpc user info kaa
Enter root's password:
Domain Admins
Куда копнуть? Может, кто подскажет?
