[Samba] Documentation bug? domadm privileges

John H Terpstra jht at samba.org
Mon Feb 16 15:54:52 GMT 2004


Karel,

Thanks for your feedback. I will certainly take this into account when I
get time to update the HOWTO documentation.

Cheers,
John T.


On Mon, 16 Feb 2004, Karel Kulhavy wrote:

> Hello
>
> I have been trying to work out how to make a non-root user able to administer
> the domain (add users, groups, modify them, etc.) from a Windows workstation
> using usrmgr.exe
>
> It looks like what is stated in the Samba HOWTO Collection as prerequisites
> is not enough.
>
> First I found Chapter 12 cxl "How to make Samba PDC users member of the Domain
> Admins group" - made the non-root user a member of the domadm group, added the
> domadm UNIX group and group-mapped the Domain Admins NT group to the domadm UNIX group.
>
> This didn't work. I suggest changing "steps describe how to make Samba PDC
> users members of the Domain Admins" to "steps describe how to make Samba
> PDC users members of the Domain Admins (note that this won't assure same
> functionality as being a Domain Admin on an NT4 PDC, for further details,
> see 12.2.1 Important Administrative Information (page cxli) (why the heck
> was the numbering changed from Arabic to Roman numerals?)".
>
> Then I searched further for the term 'Admins' in the Samba HOWTO Collection pdf
> and found 12.2.1 Important Administrative Information. It states among others:
> "[...]adding users or groups, requires root level privilege.[...]Provision
> of root privileges can be done [...] by permitting [...] users to use a UNIX
> account that is a member of the UNIX group that has a GID=0 as the primary group in
> the /etc/passwd database".
>
> So I made the non-root user's primary group root (GID=0) and it still didn't
> work. I tried restarting Samba. Still didn't work. Logged the user out of Windows
> and back in. Still didn't work. Restarted Samba again. Still didn't work.
>
> -> Is there a place in the HOWTO that describes how to determine what sequence
> of reboots, logouts, domain removal and reattachments and Samba restarts
> is necessary to assure integrity of any given operation when dealing with Samba?
>
> Then I discovered another place in the Samba HOWTO that contains an example:
> Section 31.2. Migration Options cdxv (why the heck were the Arabic numerals
> replaced with Roman ones? Comparing two Roman numerals takes me about a minute
> and decreases the speed of a manual binary search for a given page by
> several orders of magnitude)
>
> 5. Now assign each of the UNIX groups to NT groups:
> [...]
> # First assign well known domain global groups
> net groupmap modify ntgroup="Domain Admins" unixgroup=root rid=512
>
> This didn't work:
> oberon root # net groupmap modify ntgroup="Domain Admins" unixgroup=root
> rid=512
> Bad option: rid=512
> However I got the idea behind the command and tried:
> net groupmap modify ntgroup="Domain Admins" unixgroup=root
> oberon root # net groupmap modify ntgroup="Domain Admins" unixgroup=root
> Updated mapping entry for Domain Admins
> oberon root # net groupmap list
> [...]
> Domain Admins (S-1-5-21-3784068046-1792391053-1311982112-512) -> root
>
> Suggestion: replace
> "net groupmap modify ntgroup=\"Domain Admins\" unixgroup=root rid=512"
> in the Samba HOWTO Collection with
> "net groupmap modify ntgroup=\"Domain Admins\" unixgroup=root"
>
> After that I reloaded Samba and tried running usrmgr.exe: Invalid handle.
> Exited usrmgr.exe and restarted it (without logging out) and it --
> MIRACULOUSLY WORKED!
>
> Suggestion: replace "Users of such accounts can use tools like the NT4 Domain
> User Management" with "Users of such accounts still cannot use tools like the
> NT4 Domain User Management because having root as primary group is not enough.
> However, if the Domain Admins group is in addition mapped to the root group, this
> task becomes possible" in chapter 12.2.1 Important Administrative Information
> (page cxli)
>
> Cl<
>

-- 
John H Terpstra
Email: jht at samba.org
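The thread above ends with Domain Admins (RID 512) mapped to the UNIX group root and a user whose primary GID is 0. The script below is an added audit example, not code from the Samba project, the HOWTO, or either poster: it parses `net groupmap list` output in the format quoted above together with /etc/group and /etc/passwd text, and reports which UNIX group carries RID 512 and which accounts can therefore administer the domain. The sample groupmap lines, group entries and users (alice, bob, carol) are constructed for the example; on a real PDC the three inputs would be `net groupmap list`, /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added audit example (not from the Samba project, the HOWTO, or this thread).
# Question it answers: which UNIX group is mapped to the well-known Domain
# Admins RID 512, and which UNIX accounts end up with that privilege, either
# as members of the group or because their primary GID is that group's GID?

# Constructed sample of `net groupmap list` output, same format as in the thread.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-3784068046-1792391053-1311982112-512) -> root
Domain Users (S-1-5-21-3784068046-1792391053-1311982112-513) -> users
Domain Guests (S-1-5-21-3784068046-1792391053-1311982112-514) -> nobody'

# Constructed sample /etc/group and /etc/passwd contents (hypothetical users).
SAMPLE_GROUP='root:x:0:carol
users:x:100:alice,bob
domadm:x:1001:alice
nobody:x:65534:'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1000:0:Alice:/home/alice:/bin/sh
bob:x:1001:100:Bob:/home/bob:/bin/sh
carol:x:1002:100:Carol:/home/carol:/bin/sh'

# unix_group_for_rid RID GROUPMAP_TEXT
# Prints the UNIX group that the groupmap listing shows for the given NT RID
# (512 = Domain Admins, 513 = Domain Users, 514 = Domain Guests).
unix_group_for_rid() {
    printf '%s\n' "$2" | sed -n "s/^.* (S-1-5-21-[0-9-]*-$1) -> \(.*\)\$/\1/p"
}

# gid_of_group GROUP GROUP_TEXT -> numeric GID of GROUP from /etc/group style text
gid_of_group() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# members_of_group GROUP GROUP_TEXT -> supplementary members field of GROUP
members_of_group() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# users_with_primary_gid GID PASSWD_TEXT -> comma-separated users whose primary GID is GID
users_with_primary_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        '$4 == g { s = s (s == "" ? "" : ",") $1 } END { print s }'
}

# domain_admins_report GROUPMAP_TEXT GROUP_TEXT PASSWD_TEXT
# Prints "<unix group> gid=<gid> members=<list> primary=<list>" for RID 512,
# or a message and non-zero status if RID 512 is not mapped at all.
domain_admins_report() {
    grp=$(unix_group_for_rid 512 "$1")
    [ -n "$grp" ] || { echo "RID 512 is not mapped to any UNIX group"; return 1; }
    gid=$(gid_of_group "$grp" "$2")
    printf '%s gid=%s members=%s primary=%s\n' \
        "$grp" "$gid" "$(members_of_group "$grp" "$2")" "$(users_with_primary_gid "$gid" "$3")"
}

# Stand-alone run over the constructed sample. On a real PDC replace the three
# arguments with "$(net groupmap list)" "$(cat /etc/group)" "$(cat /etc/passwd)".
domain_admins_report "$SAMPLE_GROUPMAP" "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
```

With the sample data the report line is `root gid=0 members=carol primary=root,alice`: carol is a supplementary member of root, and alice has GID 0 as her primary group, which is exactly the configuration the thread describes. Because the mapped group is root, every account the report lists holds root-equivalent privilege on the PDC, so this list is the one to review whenever Domain Admins is mapped to a GID 0 group.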

