Domain admins

Stephen Waters swaters at amicus.com
Mon Jan 10 17:27:40 GMT 2000


"Mike.Robinson" wrote:
>
> Perhaps I was at fault having more than one user name (mike and miker) assigned
> to a single uid - although both refer to one (physical) user. I've changed this
> now, giving miker a different uid to mike. That seems to solve the problem.

this functionality can be extremely useful. for instance, some of our
programmers need root level access to get to some of the logs so we have
a root equivalent account called "rooter". only a few select people have
the true root passwords and they are changed very frequently. if the
rooter password is suspected to have been compromised, it is simple to
disable it and still have root functioning properly.

mind you, if they've already installed root-equiv backdoors and whatnot
then this is not so useful... but back to samba, it would be nice if
samba could understand multiple names referring to the same UID.

-s

> --------------------------------------------------------------------------------
> 
> >
> > On Mon, 10 Jan 2000, Mike.Robinson wrote:
> >
> > > On Fri, 7 Jan 2000, Lars Kneschke wrote:
> > >
> > > > "Mike.Robinson" wrote:
> > > > >
> > > > > > I'm new to NT and have set up an NT PDC using a version 2.1.0-prealpha
> > > > > of Samba downloaded in September 99 and running on Solaris 7.
> > > > >
> > > > > I am trying to put users into a Domain Admins group using the information in
> > > > > the FAQ.
> > > > >
> > > > > What I have is:
> > > > >
> > > > > fibratus#ypcat group |grep nt
> > > > > ntadmin:*:4219:mike,bc,cnd,ann
> > > > > automnt:*:31530:
> > > > > ntusers:*:4220:mike,bc,cnd,ann
> > > > >
> > > > > fibratus#grep domain smb.conf
> > > > >    workgroup = met-domain
> > > > >    domain group map = /usr/local/samba/lib/domaingroup.map
> > > > >    domain master = yes
> > > > >    domain logons = yes
> > > > >
> > > > > fibratus#cat /usr/local/samba/lib/domaingroup.map
> > > > > ntadmin="Domain Admins"
> > > > > ntusers="Domain Users"
> > > > >
> > > > > fibratus#grep group /etc/nsswitch.conf
> > > > > # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> > > > > group:      files nis
> > > > > netgroup:   nis
> > > > >
> > > > > When logging onto a PC as mike in the domain met-domain, mike does not have
> > > > > > administrator privileges. The samba logs do not appear to have anything that
> > > > > sheds any light on the matter.
> > > > > I use the latest samba from cvs (see my homepage
> > > > http://www.kneschke.de/projekte/samba_tng/index.php3).  And had
> > > > this problem just today. Your smb.conf and your domaingroup.map
> > > > are ok, but to let this, the in the /etc/passwd must be ntadmin
> > > > > or ntusers. Samba doesn't care much about the settings in /etc/group. :-(
> > > >
> > > > This works:
> > > >
> > > > /etc/group
> > > > ntadmin::101:
> > > >
> > > > /etc/passwd
> > > > lk:x:6010:101::/home/lk:/bin/sh
> > > >
> > > > lk is "Domain Admin".
> > > >
> > > > Hope this helps.
> > >
> > > Many thanks, I've solved the problem following a pointer from "Mayers, P J"
> > > <p.mayers at ic.ac.uk>.
> > >
> > > By looking at the members of MET-DOMAIN\Domain Admins on a PC, I was there as
> > > miker instead of mike. Although miker was not in smbpasswd or in the nis group
> > > it is in the NIS passwd (intentionally - with the same user id but different
> > > shell).
> > >
> > > Not sure why it does this since:
> > >
> > > fractus#groups miker
> > > eucsup wheel
> > >
> > > fractus#groups mike
> > > eucsup wheel met erdas ntadmin ntusers www
> > >
> > > - but putting miker into smbpasswd and logging in as miker instead circumvents
> > > the problem?
> > >
> > > ****** Is this a bug in the samba software?  *******
> > >
> > > Best wishes,
> > >
> > > Mike
> > >
> > > ...............................................................................
> > > Mike Robinson                        Email: M.Robinson at ed.ac.uk
> > > EUCS                             Tel:   0131 650 5015
> > > The University of Edinburgh          Fax:   0131 650 8748
> > > J.C.M.B
> > > The Kings Buildings
> > > Mayfield Road
> > > Edinburgh EH9 3JZ
> > >
> > >
> >
> 
> Best wishes,
> 
> Mike
> 
> ...............................................................................
> Mike Robinson                        Email: M.Robinson at ed.ac.uk
> EUCS                                 Tel:   0131 650 5015
> The University of Edinburgh          Fax:   0131 650 8748
> J.C.M.B
> The Kings Buildings
> Mayfield Road
> Edinburgh EH9 3JZ
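
An audit for the situation discussed in this thread, as an added example that is not part of the original messages or of Samba: it lists UIDs shared by several account names (such as mike/miker, or a UID 0 alias like rooter) and flags group members whose UID maps back to a name that is not in the group. The UID numbers, shells and entry order are constructed, and the rule that a uid-to-name lookup returns the first matching entry is an assumption about the name service in use.

```python
from collections import defaultdict

# Constructed sample data: UIDs, shells and entry order are assumptions; only
# the account names and the two group lines are taken from the thread.
PASSWD = """\
root:x:0:0::/:/bin/sh
rooter:x:0:0::/:/bin/sh
miker:x:5001:100::/home/mike:/bin/csh
mike:x:5001:100::/home/mike:/bin/sh
bc:x:5002:100::/home/bc:/bin/sh
"""
GROUP = """\
ntadmin:*:4219:mike,bc,cnd,ann
ntusers:*:4220:mike,bc,cnd,ann
"""

def parse_passwd(text):
    """Return (name -> uid, uid -> names in file order)."""
    uid_of, names_of = {}, defaultdict(list)
    for line in text.splitlines():
        fields = line.split(":")
        # Skip comments, NIS compat (+/-) lines and malformed entries.
        if line[:1] in ("#", "+", "-") or len(fields) < 7 or not fields[2].isdigit():
            continue
        uid_of[fields[0]] = int(fields[2])
        names_of[int(fields[2])].append(fields[0])
    return uid_of, names_of

def shared_uids(passwd_text):
    """UIDs that more than one account name resolves to."""
    _, names_of = parse_passwd(passwd_text)
    return {uid: names for uid, names in names_of.items() if len(names) > 1}

def group_mismatches(passwd_text, group_text):
    """(group, member, reverse-mapped name) where the uid maps back to a non-member."""
    uid_of, names_of = parse_passwd(passwd_text)
    findings = []
    for line in group_text.splitlines():
        fields = line.split(":")
        members = fields[3].split(",") if len(fields) > 3 else []
        # Members missing from this passwd source cannot be checked and are skipped.
        for member in (m for m in members if m in uid_of):
            first = names_of[uid_of[member]][0]  # assumed: first entry wins
            if first not in members:
                findings.append((fields[0], member, first))
    return findings

if __name__ == "__main__":
    print(shared_uids(PASSWD))
    print(group_mismatches(PASSWD, GROUP))
```

Each finding marks a group membership that a uid-based lookup would attribute to a different account name, which is the mike/miker mismatch reported in the thread.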

