[Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?

Rauno Tuul rauno.tuul at haigekassa.ee
Fri Sep 5 20:21:57 GMT 2003


Could someone explain, why was parameter "domain admin group" removed from
passdb/pdb_ldap got totally rewritten... but why remove a useful

# Removed Parameters (order alphabetically):
#  * domain admin group
In 2.2.8 (with LDAP backend) I defined 
	domain admin group = @"Domain Admins"
and added several users to that group for creating machine accounts. It
worked, and well. Users in that group didn't have root permissions, but were
able to add new accounts.

But what do I do in samba3?

# add machine script - will be run by smbd(8) 
# when a machine is added to its domain using 
# the administrator username and password method".

I made a custom script, based on idealx useradd script and added some lines
for working with LAM (http://lam.sf.net).
Problem is, how can this script be used by others, who need to add machine
Am I correct, that samba assumes "administrator username = root" ????

# admin users - list of users who will be granted administrative 
# privileges on the share. This means that they will do all 
# file operations as the super-user (root)".

Defining several people to be "admin users" isn't the right solution either,
because they get too high privileges on shares and file access. I used it and
managed to add new machine account...  For samba I was "logged in as admin
user (root privileges)".

# The name of the account that is used to create domain member
# machine accounts can be anything the network administrator 
# may choose. If it is other than root then this is easily 
# mapped to root using the file pointed to by the smb.conf 
# parameter username map = /etc/samba/smbusers."

Doesn't that make exactly the same as listing users as admin users? Basically
will samba recognize that "anything" as "admin user (root privileges)" or

Any recommendations? solutions?


Rauno Tuul

