[Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?
John H Terpstra
jht at samba.org
Sat Sep 6 00:26:26 GMT 2003
On Fri, 5 Sep 2003, Rauno Tuul wrote:
> Hi,
>
> Could someone explain, why was parameter "domain admin group" removed from
> samba3?
> passdb/pdb_ldap got totally rewritten... but why remove a useful
> variable...
Because you now have something much more powerful that provides real NT
Groups to your NT/200x/XP clients.
Here are the basic steps:
1. Add a UNIX group account that will be mapped to the NT Domain Admins
global group:
groupadd ntadmins
2. Now add the UNIX users who should be a member of the NT Domain Admins
group to the UNIX ntadmins account:
a) You can edit /etc/group so that the ntadmins entry looks like:
ntadmins:x:543:maryo,willy,billg
-OR-
b) Use the system toolset to do this by:
usermod -G ntadmins maryo
usermod -G ntadmins willy
usermod -G ntadmins billg
3. Now map the UNIX group to the NT Domain Admins group:
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
4. Done.
Hope this helps! It is covered in the Samba-HOWTO-Collection.pdf file that
is included with Samba-3 in the docs directory. Let me know if we missed
anything! :)
- John T.
>
> # Removed Parameters (order alphabetically):
> # * domain admin group
> In 2.2.8 (with LDAP backend) I defined
> domain admin group = @"Domain Admins"
> and added several users to that group for creating machine accounts. It
> worked, and well. Users in that group didn't have root permissions, but were
> able to add new accounts.
>
> But what I do in samba3?
>
> # add machine script - will be run by smbd(8)
> # when a machine is added to its domain using
> # the administrator username and password method".
>
> I made a custom script, based on the idealx useradd script, and added some lines
> for working with LAM (http://lam.sf.net).
> Problem is, how can this script be used by others, who need to add machine
> accounts...
> Am I correct that samba assumes "administrator username = root"?
>
> # admin users - list of users who will be granted administrative
> # privileges on the share. This means that they will do all
> # file operations as the super-user (root)".
>
> Defining several people to be "admin users" isn't the right solution either,
> because they get too many privileges on shares and file access. I used it and
> managed to add a new machine account... For samba I was "logged in as admin
> user (root privileges)".
>
> # The name of the account that is used to create domain member
> # machine accounts can be anything the network administrator
> # may choose. If it is other than root then this is easily
> # mapped to root using the file pointed to by the smb.conf
> # parameter username map = /etc/samba/smbusers."
>
> Doesn't that do exactly the same as listing users as admin users? Basically,
> will samba recognize that "anything" as "admin user (root privileges)" or
> not?
>
> Any recommendations? Solutions?
>
> Regards,
>
> Rauno Tuul
>
>
--
John H Terpstra
Email: jht at samba.org
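The four steps above as one idempotent script, added here as an example; it is not from the original mail or from the Samba docs. It assumes Samba-3's net(8) and a usermod that supports -a, uses constructed group and user names, and prints the commands instead of running them when DRY_RUN is set.

```shell
#!/bin/sh
# Added example (not from the original mail): the four steps from the
# reply as one idempotent script. Group/user names are constructed
# placeholders. Needs root and Samba-3's net(8) unless DRY_RUN is set.
set -eu

run() {
    # With DRY_RUN set, print the command instead of executing it, so the
    # whole sequence can be reviewed without root or a running Samba.
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# map_domain_admins UNIXGROUP USER...
# Creates UNIXGROUP if missing, adds each USER to it, then maps the group
# to the well-known NT "Domain Admins" group (RID 512) and lists the result.
map_domain_admins() {
    group=$1
    shift
    # Step 1: create the UNIX group only if it is not there yet
    # (a dry run always shows this step).
    if [ -n "${DRY_RUN:-}" ] || ! getent group "$group" >/dev/null 2>&1; then
        run groupadd "$group"
    fi
    # Step 2: -a appends to each user's supplementary groups; a bare
    # "usermod -G" would replace them all with just this one.
    for user in "$@"; do
        run usermod -a -G "$group" "$user"
    done
    # Step 3: map to Domain Admins. rid=512 and type=domain pin the mapping
    # to the well-known RID instead of an auto-allocated one.
    run net groupmap add ntgroup="Domain Admins" unixgroup="$group" \
        rid=512 type=domain
    # Step 4: verify the mapping Samba will hand to NT/200x/XP clients.
    run net groupmap list ntgroup="Domain Admins"
}

# Example invocation with the users from the mail:
# map_domain_admins ntadmins maryo willy billg
```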