Make Admins be admin users

Andrew Bartlett abartlet at
Wed Feb 19 21:01:48 GMT 2003

On Thu, 2003-02-20 at 00:17, Ken Cross wrote:
> Related to the "Allow chown of directories" patch, I added a hack where
> members of Admins, Domain Admins, or Enterprise Admins automatically
> become admin users.  (This really saved a lot of headaches for admins.)
> Note that this sets conn->admin_user, but does *not* set uid to 0 or
> force_user -- those caused subtle problems.
> This applies to SAMBA_3_0.

This means that administrators in a 'trusted' domain (which means you
trust the domain to authenticate it's own users, not to administer your
server) has root on your box.

I suggest you use:

'admin users = @MYDOM\Domain Admins'

In you smb.conf instead.

We are going to get rid of 'sid_peek_rid' soon, as it allows this kind
of thing too easily - you simply don't know which domain...

(The sid_peek_check_rid() version makes sure you have to specify it up

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list