Domain admins

Luke Kenneth Casson Leighton lkcl at samba.org
Mon Jan 10 19:52:48 GMT 2000


that's really tricky to do.  the only way to correctly and securely
identify a user is by uid, _not_ by username.

On Tue, 11 Jan 2000, Stephen Waters wrote:

> "Mike.Robinson" wrote:
> >
> > Perhaps I was at fault having more than one user name (mike and miker) assigned
> > to a single uid - although both refer to one (physical) user. I've changed this
> > now, giving miker a different uid to mike. That seems to solve the problem.
> 
> this functionality can be extremely useful. for instance, some of our
> programmers need root level access to get to some of the logs so we have
> a root equivalent account called "rooter". only a few select people have
> the true root passwords and they are changed very frequently. if the
> rooter password is suspected to have been compromised, it is simple to
> disable it and still have root functioning properly.
> 
> mind you, if they've already installed root-equiv backdoors and whatnot
> then this is not so useful... but back to samba, it would be nice if
> samba could understand multiple names referring to the same UID.
> 
> -s
> 
> > --------------------------------------------------------------------------------
> > 
> > >
> > > On Mon, 10 Jan 2000, Mike.Robinson wrote:
> > >
> > > > On Fri, 7 Jan 2000, Lars Kneschke wrote:
> > > >
> > > > > "Mike.Robinson" wrote:
> > > > > >
> > > > > > I'm new to NT and have set up an NT PDC using a version 2.1.0-prealpha
> > > > > > of Samba downloaded in September 99 and running on Solaris 7.
> > > > > >
> > > > > > I am trying to put users into a Domain Admins group using the information in
> > > > > > the FAQ.
> > > > > >
> > > > > > What I have is:
> > > > > >
> > > > > > fibratus#ypcat group |grep nt
> > > > > > ntadmin:*:4219:mike,bc,cnd,ann
> > > > > > automnt:*:31530:
> > > > > > ntusers:*:4220:mike,bc,cnd,ann
> > > > > >
> > > > > > fibratus#grep domain smb.conf
> > > > > >    workgroup = met-domain
> > > > > >    domain group map = /usr/local/samba/lib/domaingroup.map
> > > > > >    domain master = yes
> > > > > >    domain logons = yes
> > > > > >
> > > > > > fibratus#cat /usr/local/samba/lib/domaingroup.map
> > > > > > ntadmin="Domain Admins"
> > > > > > ntusers="Domain Users"
> > > > > >
> > > > > > fibratus#grep group /etc/nsswitch.conf
> > > > > > # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> > > > > > group:      files nis
> > > > > > netgroup:   nis
> > > > > >
> > > > > > When logging onto a PC as mike in the domain met-domain, mike does not have
> > > > > > administrator privileges. The samba logs do not appear to have anything that
> > > > > > sheds any light on the matter.
> > > > > I use the latest samba from cvs (see my homepage
> > > > > http://www.kneschke.de/projekte/samba_tng/index.php3) and had
> > > > > this problem just today. Your smb.conf and your domaingroup.map
> > > > > are ok, but for this to work the group in /etc/passwd must be ntadmin
> > > > > or ntusers. Samba doesn't care much about the settings in /etc/group. :-(
> > > > >
> > > > > This works:
> > > > >
> > > > > /etc/group
> > > > > ntadmin::101:
> > > > >
> > > > > /etc/passwd
> > > > > lk:x:6010:101::/home/lk:/bin/sh
> > > > >
> > > > > lk is "Domain Admin".
> > > > >
> > > > > Hope this helps.
> > > >
> > > > Many thanks, I've solved the problem following a pointer from "Mayers, P J"
> > > > <p.mayers at ic.ac.uk>.
> > > >
> > > > By looking at the members of MET-DOMAIN\Domain Admins on a PC, I was there as
> > > > miker instead of mike. Although miker was not in smbpasswd or in the nis group
> > > > it is in the NIS passwd (intentionally - with the same user id but different
> > > > shell).
> > > >
> > > > Not sure why it does this since:
> > > >
> > > > fractus#groups miker
> > > > eucsup wheel
> > > >
> > > > fractus#groups mike
> > > > eucsup wheel met erdas ntadmin ntusers www
> > > >
> > > > - but putting miker into smbpasswd and logging in as miker instead circumvents
> > > > the problem?
> > > >
> > > > ****** Is this a bug in the samba software?  *******
> > > >
> > > > Best wishes,
> > > >
> > > > Mike
> > > >
> > > > ...............................................................................
> > > > Mike Robinson                        Email: M.Robinson at ed.ac.uk
> > > > EUCS                             Tel:   0131 650 5015
> > > > The University of Edinburgh          Fax:   0131 650 8748
> > > > J.C.M.B
> > > > The Kings Buildings
> > > > Mayfield Road
> > > > Edinburgh EH9 3JZ
> > > >
> > > >
> > >
> > 
> > Best wishes,
> > 
> > Mike
> > 
> 



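Editor's added illustration of the point Luke makes above (example code, not Samba's own; the passwd, group and domaingroup.map contents are constructed, and the login-to-groups resolution is a simplified model of what the thread describes, not Samba's actual code path). When two passwd entries share a uid, a uid-to-name reverse lookup returns whichever entry comes first (the libc getpwuid convention is assumed here), so the group membership that is checked belongs to the other name. The `duplicate_uids` function is the check an admin would run before mapping Unix groups to "Domain Admins".

```python
# Added example for this archived thread (not Samba code): why identifying a
# user by uid rather than name goes wrong when two passwd entries share a uid.
# The passwd, group and domaingroup.map contents below are constructed.

PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/sh
miker:x:4001:100:Mike Robinson (alt shell):/home/mike:/bin/bash
mike:x:4001:100:Mike Robinson:/home/mike:/bin/sh
bc:x:4002:100:B C:/home/bc:/bin/sh
"""

GROUP_TEXT = """\
users:*:100:
wheel:*:10:mike,miker
ntadmin:*:4219:mike,bc
ntusers:*:4220:mike,bc
"""

MAP_TEXT = """\
ntadmin="Domain Admins"
ntusers="Domain Users"
"""


def parse_passwd(text):
    """Return passwd entries in file order as (name, uid, gid) tuples."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        entries.append((name, int(uid), int(gid)))
    return entries


def parse_group(text):
    """Return group entries in file order as (name, gid, set(members))."""
    groups = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups.append((name, int(gid), {m for m in members.split(",") if m}))
    return groups


def parse_domain_group_map(text):
    """Parse lines of the form unixgroup="NT Group" into a dict."""
    mapping = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        unix_group, nt_group = line.split("=", 1)
        mapping[unix_group.strip()] = nt_group.strip().strip('"')
    return mapping


def getpwnam(passwd, name):
    """First passwd entry with this login name, or None."""
    for entry in passwd:
        if entry[0] == name:
            return entry
    return None


def getpwuid(passwd, uid):
    """First passwd entry with this uid, or None.

    Assumption modelled here: as with libc, the first matching entry wins,
    so a duplicated uid resolves to whichever name appears first."""
    for entry in passwd:
        if entry[1] == uid:
            return entry
    return None


def unix_groups_for(passwd, groups, name):
    """Primary group (by gid) plus every group listing the name as a member."""
    entry = getpwnam(passwd, name)
    if entry is None:
        return set()
    result = {g[0] for g in groups if g[1] == entry[2]}
    result |= {g[0] for g in groups if name in g[2]}
    return result


def nt_groups_for_login(passwd, groups, mapping, login):
    """Resolve login -> uid -> name (by uid) -> unix groups -> NT groups.

    Returns (name the uid resolved back to, set of mapped NT group names)."""
    entry = getpwnam(passwd, login)
    if entry is None:
        return None, set()
    resolved = getpwuid(passwd, entry[1])[0]
    unix = unix_groups_for(passwd, groups, resolved)
    return resolved, {mapping[g] for g in unix if g in mapping}


def duplicate_uids(passwd):
    """The check to run first: uids that appear under more than one name."""
    seen = {}
    for name, uid, _gid in passwd:
        seen.setdefault(uid, []).append(name)
    return {uid: names for uid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    pw = parse_passwd(PASSWD_TEXT)
    gr = parse_group(GROUP_TEXT)
    gm = parse_domain_group_map(MAP_TEXT)
    for login in ("mike", "bc"):
        print(login, "->", nt_groups_for_login(pw, gr, gm, login))
    print("duplicate uids:", duplicate_uids(pw))
```

With the constructed files, logging in as mike resolves uid 4001 back to miker, whose groups are only users and wheel, so no NT group is granted; bc, whose uid is unique, gets both mapped groups. Giving miker its own uid (as Mike did) makes `duplicate_uids` come back empty and mike resolve to himself.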