Problem with "domain admin users"

Jeremy Allison jallison at cthulhu.engr.sgi.com
Wed Jul 22 15:03:25 GMT 1998


Gerald Carter wrote:
> 
> Celso Kopp Webber wrote:
> >
> > key HKEY_USERS with a SID of S-1-5-21-123-456-789-500 when he/she is
> > logged on, he doesn't get administrative privileges. This worked well
> > with source I've checked out about a month ago.
> >
> 
> Yup.  A lot has changed.  Jeremy has been working on the uid <-> RID
> mapping.  The GROUP_RID that is passed back is derived from the user's
> actual unix gid rather than the DOMAIN_ADMIN_GROUP_RID.  This is
> probably what has broken the functionality for the moment.
> 

Ok - the parameter "domain admin users" is no longer
used. I will remove it from the sources soon.

What it was doing was changing the primary SID of the
user logging on into the well known Domain SID "Administrator"
for all users who were in the "domain admin users" list.

This meant that the userid being used on the UNIX side
would be completely different to the one being sent back
to the NT workstation logging on. 

This is actually what an NT PDC does, but it means that
all users who are in the "Administrators" group are totally
anonymous when they create files - everything is created
as "Administrator".

To get the same effect in the current head branch of the
code, add the user into the "domain admin group" parameter
list. What this does is to add the well known domain SID
"Domain Admins" to the group SID list generated for the
logon token for the user logging on to the NT workstation.

If the "Domain Admins" group is a member of the local
"Administrators" group on the NT workstation (as it is
by default), then the user will have Administrator access
on that machine.

Hope this helps,

	Jeremy Allison,
	Samba Team.

PS. I'm starting to get things set up now at SGI - I
have mail and CVS access working so I'm off to a good
start :-).

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
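A small model of the two behaviours described in the message, added here as an illustration and not taken from the Samba sources: the old "domain admin users" parameter rewrote the user's primary SID to the well-known Administrator RID (500), while the current "domain admin group" parameter keeps the user's own RID and appends the well-known "Domain Admins" group RID (512) to the token's group list, which is what a workstation whose local Administrators group contains Domain Admins checks. The uid/gid to RID mapping, the user names and the workstation's group membership are constructed assumptions.

```python
from dataclasses import dataclass, field

DOMAIN_SID = "S-1-5-21-123-456-789"   # example domain SID from the thread
ADMINISTRATOR_RID = 500               # well-known domain "Administrator" user RID
DOMAIN_ADMINS_RID = 512               # well-known "Domain Admins" group RID


@dataclass
class LogonToken:
    user_sid: str                     # primary SID sent back to the NT workstation
    group_sids: list = field(default_factory=list)


def uid_to_rid(uid: int) -> int:
    # Placeholder mapping; Samba's real uid <-> RID algorithm is not modelled here.
    return 1000 + uid * 2


def gid_to_rid(gid: int) -> int:
    return 1001 + gid * 2


def build_token_old(user: str, uid: int, gid: int, domain_admin_users: set) -> LogonToken:
    # Removed "domain admin users" behaviour: the primary SID becomes Administrator's,
    # so every listed user creates files as the same identity.
    rid = ADMINISTRATOR_RID if user in domain_admin_users else uid_to_rid(uid)
    return LogonToken(f"{DOMAIN_SID}-{rid}", [f"{DOMAIN_SID}-{gid_to_rid(gid)}"])


def build_token_new(user: str, uid: int, gid: int, domain_admin_group: set) -> LogonToken:
    # Current "domain admin group" behaviour: the user keeps their own RID and
    # the Domain Admins group SID is added to the group list.
    groups = [f"{DOMAIN_SID}-{gid_to_rid(gid)}"]
    if user in domain_admin_group:
        groups.append(f"{DOMAIN_SID}-{DOMAIN_ADMINS_RID}")
    return LogonToken(f"{DOMAIN_SID}-{uid_to_rid(uid)}", groups)


def is_local_admin(token: LogonToken, local_administrators: set) -> bool:
    # The workstation grants Administrator access if the user SID or any
    # group SID in the token is a member of its local Administrators group.
    return token.user_sid in local_administrators or any(
        g in local_administrators for g in token.group_sids)


# Constructed workstation: local Administrators holds Domain Admins (the default).
LOCAL_ADMINISTRATORS = {f"{DOMAIN_SID}-{DOMAIN_ADMINS_RID}"}
```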