[Samba] Power Users - Is it possible?
Stéphane Purnelle
stephane.purnelle at tiscali.be
Fri Jul 25 17:58:11 GMT 2003
Hi,
Imagine a network with 150 computers connected to a Samba PDC.
I don't want to set on each machine that a "Domain Power Users" group is a
member of the local Power Users.
Can anyone clarify the situation?
A PDC which cannot send the information that a user is a member of a
"Power Users" group is not valuable. When I think of a user who is a member of a
Power Users group, I understand a responsible user who can have the
authorization to install software, for example.
On Fri, 2003-07-25 at 17:15, George Farris wrote:
> My solution was to create a "Domain Power Users" group with net group
> map and assign a domain SID to it. I just incremented the highest SID
> in the group list, for example:
>
> net group map shows:
> System Operators (S-1-5-32-549) -> -1
> Domain Guests (S-1-5-21-1135672234-1853056381-2991119365-514) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Domain Users (S-1-5-21-1135672234-1853056381-2991119365-513) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> users
> Domain Admins (S-1-5-21-1135672234-1853056381-2991119365-512) -> dadmin
>
> Since S-1-5-21-1135672234-1853056381-2991119365-514 is the last number
> displayed I could use: S-1-5-21-1135672234-1853056381-2991119365-515
>
> so
>
> "net groupmap add sid=S-1-5-21-1135672234-1853056381-2991119365-515
> ntgroup="Domain Power Users" unixgroup=pwruser"
>
> will create the group. I then went to the workstation and added "Domain
> Power Users" to the local "Power Users" group. Now anyone being a
> member of pwruser is automatically a Power User on the workstation.
>
>
> Thanks for all your help samba list, I appreciate it. This is what
> makes open source so valuable.
>
> On Fri, 2003-07-25 at 03:32, Felipe Alfaro Solana wrote:
> > On Fri, 2003-07-25 at 12:17, Beast wrote:
> > > Friday, July 25, 2003, 5:09:31 PM, Felipe wrote:
> > >
> > > > On Fri, 2003-07-25 at 11:54, Beast wrote:
> > > >> > If Samba is acting as a domain controller (PDC), then it will only
> > > >> > maintain global groups. Local groups are only available on workstations
> > > >> > and member servers.
> > > >>
> > > >> This is incorrect.
> > > >> This is my smb.conf (It's PDC) :
> > >
> > > > Well, local groups do exist in domain controllers, but they are shared
> > > Yes :=)
> > >
> > > > between domain controllers exclusively. That is, a domain workstation
> > > > does have its own "Power Users" local group, which is totally different
> > > > from the "Power Users" local group of the domain controllers.
> > >
> > > That's why it's called "Local" :=)
> >
> > I just wanted to clarify on this as I think there are people out there
> > that are adding users to the "Power Users" group of the domain hoping
> > that they will automatically become members of the "Power Users" local
> > group of their Windows workstations, and this won't work.
> --
> George Farris farrisg at mala.bc.ca
> Computer Support Cowichan.
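
An added example, not part of the thread: a shell sketch that reads a group map listing in the format quoted above and prints a `net groupmap add` command with a RID that is neither already mapped nor in the range below 1000, which is reserved for well-known domain accounts and groups (515, for instance, is Domain Computers). The function names and the floor of 1000 are assumptions; check the floor against how your own server allocates RIDs.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample in the listing
# format quoted above; on a real PDC, feed in the actual group map listing.
sample_listing() {
cat <<'EOF'
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-1135672234-1853056381-2991119365-514) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Users (S-1-5-21-1135672234-1853056381-2991119365-513) -> -1
Users (S-1-5-32-545) -> users
Domain Admins (S-1-5-21-1135672234-1853056381-2991119365-512) -> dadmin
EOF
}

# Domain SID prefix (S-1-5-21-x-y-z); builtin S-1-5-32-* entries are ignored.
domain_sid() {
    sed -n 's/.*(\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)-[0-9]*).*/\1/p' | sort -u | head -n 1
}

# RIDs already mapped under the domain SID, one per line.
used_rids() {
    sed -n 's/.*(S-1-5-21-[0-9]*-[0-9]*-[0-9]*-\([0-9]*\)).*/\1/p'
}

# Lowest unused RID at or above floor $1 (default 1000, an assumed site policy).
next_free_rid() {
    used_rids | awk -v floor="${1:-1000}" \
        '{ used[$1] = 1 } END { r = floor + 0; while (r in used) r++; print r }'
}

# Succeeds only if RID $1 is outside the well-known range and not yet mapped.
rid_is_safe() {
    [ "$1" -ge 1000 ] || return 1
    ! used_rids | grep -qx "$1"
}

# Print (do not run) the groupmap command: $1 = ntgroup, $2 = unixgroup.
propose_groupmap() {
    listing=$(cat)
    sid=$(printf '%s\n' "$listing" | domain_sid)
    [ -n "$sid" ] || { echo "no domain SID found in listing" >&2; return 1; }
    rid=$(printf '%s\n' "$listing" | next_free_rid 1000)
    printf 'net groupmap add sid=%s-%s ntgroup="%s" unixgroup=%s\n' \
        "$sid" "$rid" "$1" "$2"
}

sample_listing | propose_groupmap "Domain Power Users" pwruser
```

The script only prints the command so it can be reviewed before it is run on the PDC.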