Make Admins be admin users

Ken Cross kcross at
Thu Feb 20 10:29:29 GMT 2003


You've a valid point that the domain isn't checked (although it's
probably still correct for Enterprise Admins).

The idea was to do it automatically.  Adding Domain Admins to admin
users in smb.conf would have the correct results unless somebody forgets
to do it.  This is especially true if the domain changes.  Hence the

Since we're trying to emulate a Windows environment, Windows admins
expect to have certain privileges.  Is there a better way to do this


Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at 

> From: Andrew Bartlett [mailto:abartlet at] 
> On Thu, 2003-02-20 at 00:17, Ken Cross wrote:
> > Related to the "Allow chown of directories" patch, I added a hack 
> > where members of Admins, Domain Admins, or Enterprise Admins 
> > automatically become admin users.  (This really saved a lot of 
> > headaches for admins.)
> > 
> > Note that this sets conn->admin_user, but does *not* set 
> uid to 0 or 
> > force_user -- those caused subtle problems.
> > 
> > This applies to SAMBA_3_0.
> This means that administrators in a 'trusted' domain (which 
> means you trust the domain to authenticate it's own users, 
> not to administer your
> server) has root on your box.
> I suggest you use:
> 'admin users = @MYDOM\Domain Admins'
> In you smb.conf instead.
> We are going to get rid of 'sid_peek_rid' soon, as it allows 
> this kind of thing too easily - you simply don't know which domain...
> (The sid_peek_check_rid() version makes sure you have to 
> specify it up front).
> Andrew Bartlett

More information about the samba-technical mailing list