Samba TNG FAQ updated
Paul J Collins
pjdc at eircom.net
Thu Apr 27 19:29:28 GMT 2000
>>>>> "Lars" == Lars Kneschke <lars at kneschke.de> writes:
Lars> Paul J Collins wrote:
>> I also made a statement that DOMAIN\Domain Admins (as well as
>> Domain Users and Domain Guests) are not added to the equivalent
>> local groups on the domain controllers (i.e. in the domain
>> SAM). In fact, they are. I checked today on a few NT domains.
Lars> Yes, i was checking this today too. I hope we mean the same!
Lars> It's a windows NT network only. If a add a user to <Windows
Lars> NT Domain>\Administrators(which is shown as local group),
Lars> and there after switch to the local domain(= workstation
Lars> name) in usermanager for domains, the user isn't anymore in
Lars> the local Administartors group. So it must be possible to
That is because the local groups on workstations and servers are
distinct from the local groups in the domain. Local groups in the
domain are of no relevance to domain members.
Lars> do teh same with Samba TNG. At least it should be able to
Lars> add a user to the Administrators group, without the need to
Lars> modify the groups at the workstation. Am i right? Correct
Lars> me if i'm wrong.
I don't think Samba needs to support nesting of global groups in local
groups in its own SAM. The nesting support on the workstations and
servers is all you need for the domain to operate correctly.
Whenever you join a machine to a domain, the global groups "Domain
Admins", "Domain Guests" and "Domain Users" get added to the
workstations corresponding local groups (in fact, WSes can *only* have
local groups). That is:
Global group inserted into local group
DOMAIN\Domain Admins WS\Administrators
DOMAIN\Domain Guests WS\Guests
DOMAIN\Domain Users WS\Users
Since a workstation grants the right "Log on locally" to WS\Users by
default, the insertion of DOMAIN\Domain Admins into WS\Users enables
all domain users to log into that workstation.
* are only in the domain SAM
* can only contain users
* are in both the domain SAM and domain members' SAMs
* can contain users and/or global groups
Paul Collins <sneakums at eircom.net> - - - - - [ A&P,a&f ]
GPG: 0A49 49A9 2932 0EE5 89B2 9EE0 3B65 7154 8131 1BCD
PGP: 88BA 2393 8E3C CECF E43A 44B4 0766 DD71 04E5 962C
"Linux: it's just this operating system, you know?"
More information about the samba-ntdom