Make Admins be admin users
Andrew Bartlett
abartlet at samba.org
Wed Feb 19 21:01:48 GMT 2003
On Thu, 2003-02-20 at 00:17, Ken Cross wrote:
> Related to the "Allow chown of directories" patch, I added a hack where
> members of Admins, Domain Admins, or Enterprise Admins automatically
> become admin users. (This really saved a lot of headaches for admins.)
>
> Note that this sets conn->admin_user, but does *not* set uid to 0 or
> force_user -- those caused subtle problems.
>
> This applies to SAMBA_3_0.
This means that administrators in a 'trusted' domain (which means you
trust the domain to authenticate it's own users, not to administer your
server) has root on your box.
I suggest you use:
'admin users = @MYDOM\Domain Admins'
In you smb.conf instead.
We are going to get rid of 'sid_peek_rid' soon, as it allows this kind
of thing too easily - you simply don't know which domain...
(The sid_peek_check_rid() version makes sure you have to specify it up
front).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030220/c3c83d0e/attachment.bin
More information about the samba-technical
mailing list