[Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?

Jeffrey D. Means meaje at meanspc.com
Fri Sep 5 21:24:51 GMT 2003


Rauno:

This was done as it is no longer needed under Samba3. Check out the 'net'
command for real NT-style group management.

Jeffrey D. Means
CIO for MeansPC
meaje at meanspc.com

-----Original Message-----
From: samba-bounces+meaje=meanspc.com at lists.samba.org
[mailto:samba-bounces+meaje=meanspc.com at lists.samba.org] On Behalf Of
Rauno Tuul
Sent: Friday, September 05, 2003 2:22 PM
To: 'samba at lists.samba.org'
Subject: [Samba] samba3 - On-the-Fly Machine Accounts - domain admin
group?

Hi,

Could someone explain why the parameter "domain admin group" was removed
from samba3?
passdb/pdb_ldap got totally rewritten... but why remove a useful
variable...

# Removed Parameters (order alphabetically):
#  * domain admin group
In 2.2.8 (with LDAP backend) I defined
	domain admin group = @"Domain Admins"
and added several users to that group for creating machine accounts. It
worked well. Users in that group didn't have root permissions, but were
able to add new accounts.

But what do I do in samba3?

# "add machine script - will be run by smbd(8)
# when a machine is added to its domain using
# the administrator username and password method".

I made a custom script, based on the idealx useradd script, and added
some lines for working with LAM (http://lam.sf.net).
The problem is, how can this script be used by others who need to add
machine accounts...
Am I correct that samba assumes "administrator username = root" ????

# "admin users - list of users who will be granted administrative
# privileges on the share. This means that they will do all
# file operations as the super-user (root)".

Defining several people to be "admin users" also isn't the right
solution, because they get too high privileges on shares and file
access. I used it and managed to add a new machine account... For samba
I was "logged in as admin user (root privileges)".

# "The name of the account that is used to create domain member
# machine accounts can be anything the network administrator
# may choose. If it is other than root then this is easily
# mapped to root using the file pointed to by the smb.conf
# parameter username map = /etc/samba/smbusers."

Doesn't that do exactly the same as listing users as admin users?
Basically, will samba recognize that "anything" as "admin user (root
privileges)" or not?

Any recommendations? solutions?

Regards,

Rauno Tuul
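
Added example, not part of the original thread and not Samba project code: a small audit script that lists which client names end up with root through the two mechanisms quoted above, a "username map" entry pointing at root and per-share "admin users". The smb.conf and smbusers contents, share names, user names and script path are constructed sample data.

```python
import configparser
import shlex

# Constructed sample inputs (not from the original thread).
SMB_CONF = """
[global]
workgroup = EXAMPLE
username map = /etc/samba/smbusers
add machine script = /usr/local/sbin/add-machine.sh %u

[projects]
path = /srv/projects
admin users = alice, @"Domain Admins"

[public]
path = /srv/public
"""

SMBUSERS = """
# unix name = client name(s)
root = administrator "Machine Adder"
nobody = guest
"""

def split_names(value):
    """Split a Samba name list; quotes keep names with spaces together."""
    return shlex.split(value.replace(",", " "))

def mapped_to_root(smbusers_text):
    """Client names that a username map file rewrites to the Unix user root."""
    names = []
    for line in smbusers_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, clients = line.split("=", 1)
        if unix_name.strip().lstrip("!") == "root":
            names += split_names(clients)
    return names

def share_admins(smb_conf_text):
    """Per-section 'admin users' entries: root-level file access on that share."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf_text)
    return {s: split_names(cp[s]["admin users"])
            for s in cp.sections() if "admin users" in cp[s]}

if __name__ == "__main__":
    print("mapped to root:", mapped_to_root(SMBUSERS))
    for share, users in share_admins(SMB_CONF).items():
        print(f"admin users on [{share}]:", users)
```

Every name either function returns is an account whose password is effectively a root credential on the server, so both lists are worth reviewing together.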
