[Samba] UID of the windows Domain Administrator user?

Stéphane Purnelle stephane.purnelle at tiscali.be
Sat Jun 4 12:02:28 GMT 2005



Fabio Muzzi wrote:

>I have installed lots of samba 3 servers as PDCs for little networks
>serving 10 users or so. I have always set up the user "root" as the domain
>administrator, by setting its group SID to <domainSID>-512 with pdbedit.
>My "root" user has usually a user SID of <domainSID>-1000 since it is the
>first user I add to Samba. I have never set up a username map to map
>"administrator" to "root", I use "root" directly also on Windows boxes
>when I need to connect as the domain admin (to add workstations to the
>domain, for example) and I have never had issues. I have no
>user named "administrator" on the domain.

To join a machine to the domain, you must have a user with uid = 0.
But, beginning with Samba 3.0.11, privileges can be used in order to use
a user other than root (uid = 0).
You can read more information on this page:
http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html

>Now I have read in the HOWTO collection that I should set the user SID to
><domainSID>-500 for the "administrator" user since this is a predefined
>default SID. I have found that a NT server uses 500 indeed for its
>"Administrator" user.

administrator is the name of a user which has administrator rights, like:
add user
manage ACL
install applications in w2k workstation...

>First, I'd like to understand why I need a user with the "500" SID,
>since I have never had one and still it seems that my "root" user is
>working.
>
>Second, I'd like to know what will happen if I change the SID of root
>from "1000" to "500", now that my workstations already know the user
>"root" by its old SID. I suppose that generally it is definitely NOT a good
>idea to change a user's SID, because this would make his files on his
>workstations owned by someone else. Am I right?

The "root" user is only used for that, but after joining a domain,
changing the SID causes no problem.

Actually, on my network I have not enabled privileges (on my test network:
yes, and that works).
But I use the root user only for adding machines to the domain; for the rest
of administration, I have
an administrator user with SID = S-1-5-21-xxxxxx-xxxx-xxxx-500 and
groupSID = S-1-5-21-xxxxxx-xxxxx-xxxxx-512

-- 
Stéphane Purnelle <stephane.purnelle at tiscali.be>
Site Web : http://www.linuxplusvalue.be
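
Added example (not part of the original post and not Samba project code): a small Python audit that reads account records in the layout of `pdbedit -L -v` and reports which accounts carry the RIDs discussed in the thread, user RID 500 or primary group RID 512. The sample records, domain SID and function names are constructed for illustration; the field names assume pdbedit's verbose output.

```python
import re

# Well-known relative identifiers (RIDs) discussed in the thread.
RID_ADMINISTRATOR = 500   # built-in Administrator user
RID_DOMAIN_ADMINS = 512   # Domain Admins group
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Constructed sample in the layout of `pdbedit -L -v` (all values are made up).
SAMPLE = """\
---------------
Unix username:        root
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1000
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-512
---------------
Unix username:        administrator
User SID:             S-1-5-21-1111111111-2222222222-3333333333-500
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-512
---------------
Unix username:        alice
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3002
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
"""

def rid_of(sid):
    """Return the RID of a domain SID (S-1-5-21-x-y-z-RID), or None if malformed."""
    m = SID_RE.match(sid.strip())
    return int(m.group(1)) if m else None

def parse_accounts(text):
    """Split dashed-line-separated records into dicts of 'Key: value' fields."""
    accounts = []
    for block in re.split(r"^-{3,}[ \t]*$", text, flags=re.M):
        fields = dict((k.strip(), v.strip()) for k, v in
                      (ln.split(":", 1) for ln in block.splitlines() if ":" in ln))
        if fields:
            accounts.append(fields)
    return accounts

def admin_findings(text):
    """Map username -> reasons the account holds a domain administrator identity."""
    findings = {}
    for acct in parse_accounts(text):
        reasons = []
        if rid_of(acct.get("User SID", "")) == RID_ADMINISTRATOR:
            reasons.append("user RID 500")
        if rid_of(acct.get("Primary Group SID", "")) == RID_DOMAIN_ADMINS:
            reasons.append("primary group RID 512")
        if reasons:
            findings[acct.get("Unix username", "?")] = reasons
    return findings
```

Run against real output, this lists every account whose primary group is Domain Admins, which is how a "root" account with user RID 1000 still acts as domain administrator.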


