Make Admins be admin users

Ken Cross kcross at nssolutions.com
Thu Feb 20 10:29:29 GMT 2003


Andrew:

You've a valid point that the domain isn't checked (although it's
probably still correct for Enterprise Admins).

The idea was to do it automatically.  Adding Domain Admins to admin
users in smb.conf would have the correct results unless somebody forgets
to do it.  This is especially true if the domain changes.  Hence the
hack.

Since we're trying to emulate a Windows environment, Windows admins
expect to have certain privileges.  Is there a better way to do this
automatically?

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> 
> On Thu, 2003-02-20 at 00:17, Ken Cross wrote:
> > Related to the "Allow chown of directories" patch, I added a hack 
> > where members of Admins, Domain Admins, or Enterprise Admins 
> > automatically become admin users.  (This really saved a lot of 
> > headaches for admins.)
> > 
> > Note that this sets conn->admin_user, but does *not* set uid to 0 or
> > force_user -- those caused subtle problems.
> > 
> > This applies to SAMBA_3_0.
> 
> This means that administrators in a 'trusted' domain (which
> means you trust the domain to authenticate its own users,
> not to administer your server) have root on your box.
> 
> I suggest you use:
> 
> 'admin users = @MYDOM\Domain Admins'
> 
> In your smb.conf instead.
> 
> We are going to get rid of 'sid_peek_rid' soon, as it allows 
> this kind of thing too easily - you simply don't know which domain...
> 
> (The sid_peek_check_rid() version makes sure you have to 
> specify it up front).
> 
> Andrew Bartlett
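
The difference between a domain-blind RID check and one that requires the expected domain SID up front, as an added example that is not part of the original thread and is not Samba's code. The `demo_*` and `is_admin_*` names, the simplified SID struct and the sample SIDs are all hypothetical; only the Domain Admins RID (512) is a well-known value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RID_DOMAIN_ADMINS 512u /* well-known RID of the Domain Admins group */
/* Simplified SID for illustration: the sub-authorities of S-1-5-<...>. */
struct demo_sid { uint8_t num_auths; uint32_t sub_auths[8]; };

/* Constructed sample SIDs; none of these values come from the thread. */
static const struct demo_sid OUR_DOM    = {4, {21, 1111, 2222, 3333}};
static const struct demo_sid OUR_DA     = {5, {21, 1111, 2222, 3333, 512}};
static const struct demo_sid TRUSTED_DA = {5, {21, 7777, 8888, 9999, 512}};

/* Domain-blind: hands back the last sub-authority of any SID. */
static bool demo_peek_rid(const struct demo_sid *sid, uint32_t *rid)
{
    if (sid->num_auths == 0 || sid->num_auths > 8) return false;
    *rid = sid->sub_auths[sid->num_auths - 1];
    return true;
}

/* Domain-checked: the caller must name the expected domain up front. */
static bool demo_peek_check_rid(const struct demo_sid *dom,
                                const struct demo_sid *sid, uint32_t *rid)
{
    if (sid->num_auths != dom->num_auths + 1) return false;
    if (memcmp(dom->sub_auths, sid->sub_auths,
               dom->num_auths * sizeof(uint32_t)) != 0) return false;
    return demo_peek_rid(sid, rid);
}

/* Admin decision on the RID alone: any domain's RID 512 group matches. */
static bool is_admin_blind(const struct demo_sid *group)
{
    uint32_t rid;
    return demo_peek_rid(group, &rid) && rid == RID_DOMAIN_ADMINS;
}

/* Admin decision only for groups whose SID sits under our own domain SID. */
static bool is_admin_checked(const struct demo_sid *dom, const struct demo_sid *group)
{
    uint32_t rid;
    return demo_peek_check_rid(dom, group, &rid) && rid == RID_DOMAIN_ADMINS;
}

int main(void)
{
    printf("trusted-domain Domain Admins: blind=%d checked=%d\n",
           is_admin_blind(&TRUSTED_DA), is_admin_checked(&OUR_DOM, &TRUSTED_DA));
    return 0;
}
```
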



More information about the samba-technical mailing list