[Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?

John H Terpstra jht at samba.org
Sat Sep 6 00:26:26 GMT 2003

On Fri, 5 Sep 2003, Rauno Tuul wrote:

> Hi,
> Could someone explain, why was parameter "domain admin group" removed from
> samba3?
> passdb/pdb_ldap got totally rewritten... but why remove an useful
> variable...

Because you now have something much more powerful that provides real NT
Groups to your NT/200x/XP clients.

Here are the basic steps:

1. Add a UNIX group account that will be mapped to the NT Domain Admins
global group:

	groupadd ntadmins

2. Now add the UNIX users who should be a member of the NT Domain Admins
group to the UNIX ntadmins account:

a) You can edit /etc/group so that the ntadmins entry looks like:


b) Use the system toolset to do this by:

	usermod -G ntadmins maryo
	usermod -G ntadmins willy
	usermod -G ntadmins billg

3. Now map the UNIX group to the NT Domain Admins group:

	net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins

4. Done.

Hope this helps! IT is covered in the Samba-HOWTO-Collection.pdf file that
is included with Samba-3 in the docs directory. Let me know if we missed
anything! :)

- John T.

> # Removed Parameters (order alphabetically):
> #  * domain admin group
> In 2.2.8 (with LDAP backend) I defined
> 	domain admin group = @"Domain Admins"
> and added several users to that group for creating machine accounts. I
> worked and well. Users in that group didn't have root permissions, but were
> able to add new accounts.
> But what I do in samba3?
> # add machine script - will be run by smbd(8)
> # when a machine is added to it's domain using
> # the administrator username and password method".
> I made an custom script, based on idealx useradd script and added some lines
> for working with LAM (http://lam.sf.net).
> Problem is, how can this script be used by others, who need to add machine
> accounts...
> Am I correct, that samba assumes "administrator username = root" ????
> # admin users - list of users who will be granted administrative
> # privileges on the share. This means that they will do all
> # file operations as the super-user (root)".
> Defining several people to be "admin users", isn't also the right solution,
> cause they get too high privileges. On shares and file access. I used it and
> managed to add new machine account...  For samba I was "logged in as admin
> user (root privileges)".
> # The name of the account that is used to create domain member
> # machine accounts can be anything the network administrator
> # may choose. If it is other than root then this is easily
> # mapped to root using the file pointed to be the smb.conf
> # parameter username map = /etc/samba/smbusers."
> Doesn't that make exatly the same as listing users as admin users? Basically
> will samba recognize that "anything" as "admin user (root privileges)" or
> not?
> Any recommendations? solutions?
> Regards,
> Rauno Tuul

John H Terpstra
Email: jht at samba.org

More information about the samba mailing list