Smb multi-sessions, samba3.0.2pre1

Simo Sorce simo.sorce at
Wed Jan 21 12:05:29 GMT 2004

On Wed, 2004-01-21 at 12:04, Jianliang Lu wrote:
> > On Wed, 2004-01-21 at 01:54, Jianliang Lu wrote:
> > 
> > Using 'admin users' to get around the 'ldap as not root' issue is the
> > wrong fix.  The real thing we need to do is properly implement the
> > required ACLs etc, so that we don't need such ugly hacks.
> > 
> > Andrew Bartlett
> > 
> The problem is that the smbldap-tools need the uid=0 to run. When I use 
> usrmgr to create a new user I'll get a access denied in run "add user 
> script"( if the user has not uid=0.  If we deal with "add 
> scripts" using uid=0 may overcome this problem (only for ldap backend).
> Another problem is for nested group.  If a user would have privileges to 
> manager users (like create new user) it must be a member of builtin 
> group "Administrators" or "Account operators", but I don't know if a 
> globalgroup (like "Domain Admins") could be a member of such group to have 
> these privileges. 
> My question is: how can we do to have the users which have uid not 0 and have 
> the privileges to manage the user account using "User Manager for Domain"?

OK, the right way would be to finally implement the privileges system.
JFM already added a preliminary support to the group mapping code, but
we removed it from 3.0 as it was not used anywhere and was easier to
stabilize our code without that piece.
Anyway the group mapping code is not the right place, the privileges
should be defined and assigned per SID in it's own hive on the SAM (it
is replicated beetwen DCs).

The hackish way is to define a global parametr an put hacks in the
places where we need admin functionality so that we can make a
become_root call around the code to be run as root.

The first is a bigger job, but better.
The latter is much easier but a bad hack, prone to errors, and will put
strings into maintaining it for future releases.

I'm not sure I would say OK to a patch that implements the second

Simo Sorce - simo.sorce at
Xsec s.r.l. -
via Garofalo, 39 - 20133 - Milano
mobile: +39 329 328 7702
tel. +39 02 2953 4143 - fax: +39 02 700 442 399

More information about the samba-technical mailing list