[Samba] Question on Samba PDC: Permissions and groups

Jim C jcllings at tsunamicomm.net
Wed Aug 13 22:40:00 GMT 2003

Uh..., Did this come from me?  I don't remember it.
Strange.  <shrug>Oh well, let's see...

> Jim,
> Thanks Jim for your input. I really do appreciate it. Sorry for the 
> late reply, i've been quite busy and in and out of town recently.
> When you say you set the permissions for the group on the client, 
> exactly how are you doing that?
> I have to put my users in one of two groups, to make a few things 
> seperate to do what I need. But i'd like to find options of how I can 
> put further permissions and such on my users.
> Also, mind if I ask how you are using the Win2K Administrator account 
> that comes default? Basically, did you create a Administrator account 
> on your PDC that would allow you to log into your client machines with 
> the admin account and have all the administrator privileges?
> Thanks Jim...I appreciate your time and input.
> Cheers,
> Jason
> At 07:57 AM 8/1/2003 -0700, you wrote:
>> All of my users belong to the group dusers.  I would simply set the 
>> perms for this group on the client.
1. When one adds a machine to a domain, one is supposed to use the 
userid and password of the domain administrator or of an operator set up 
with such privlidges on the domain.
So when you right click on the My Computer icon and go to the properties 
tab to change the name and the system prompts you for a userid and 
password, it is the domain administrators userid and password (or that 
of a properly configured operator) that one should be entering.  This 
makes sense since we don't want random unknown people joining 
willy-nilly without authorization.

2. This is also an administrative issue on the local machine for a 
number of reasons.  Consequently, the local machine does not provide 
access to the change button unless the user is an administrator locally.

3. Most of this you wouldn't want to change for security reasons.  
However, it may be the case that you have a "Power Users" group on your 
domain and want that reflected on your local machine.  Normally we might 
do this by adding the group "DOMAIN/Power Users" to the group "Power 
Users" one the local machine however I do not think this capability has 
been added to Samba yet.  I just tried it and it did not work.

>> Jason Williams wrote:
>>> Hello everyone.
>>> Im setting up a Samba PDC running 2.2.8a with LDAP on the backend to 
>>> hold user accounts, machines and passwords.
>>> My question is actually on permissions and groups for users who are 
>>> part of the domain.
>>> For example, in my testing, i've been able to successfully join 
>>> machines and clients to the PDC. However, when I log into the domain 
>>> with the user, I noticed that they have considerably less 
>>> permissions. For example, they do not have the ability to change the 
>>> computer name or workgroup/domain.
>>> So in a nutshell, how can I modify permissions for items like these? 
>>> How can I make more strict permissions as well as less strict 
>>> permissions?
>>> Thanks everyone.
>>> Jason

More information about the samba mailing list