[Samba] Domain Administrators Not Recognized in Samba3
Travis Groth
lists at netfoo.org
Wed Apr 7 18:25:35 GMT 2004
Ok, let me get this straight. You're saying that there needs to be a
Samba account with a POSIX uid of 0 in order to join the domain? That
doesn't make sense. If you're a domain admin, you're a domain admin.
If this is the case, the Samba team is forcing a huge security problem
upon us, as all domain admins would now need to have a POSIX uid of
0... making them all effectively root. While domain admins are only
superusers to Samba, giving them all uid 0 would make them superusers
globally. Not the brightest of ideas.
If you're saying that I need to be root *locally* to join with a domain
admin account, then that's not an issue. I'm doing that.
I ssh in as my normal user, run `sudo su -` to become full root, then
execute `net join -U travis DOMAIN`.
If this seems ok I'm going to start digging around the source code, I
guess.
--Travis
On Wed, 2004-04-07 at 03:15, Clint Sharp wrote:
> On Tue, 2004-04-06 at 15:24, Travis Groth wrote:
> > Uh...yes? root doesn't have a Samba account. 'travis' is in the Domain
> > Admins group though, which is all you need to join a domain afaik. Take
> > a look at the ldap chunks and 'net groupmap list' output. It's either
> > something really stupid or I've uncovered a bug...according to all the
> > documentation I've seen and examples I've followed, I haven't missed
> > anything.
> >
> > --Travis
> >
>
> This may have been beaten to death on the list, but AFAIK you cannot
> join a Samba domain, even with a tdb or ldap backend, w/o using the root
> account. It's the only reason I've kept a root account around (that and
> modifying ACLs, which is a separate problem I haven't gotten around to
> seeing if I can fix). In fact, my root account isn't even in the Domain
> Admins group at this point. Without having to modify the smbpasswd file
> and /etc/passwd file, I couldn't see a reason for having to be root to
> join the domain anymore. I saw a patch (it's still in my inbox) for
> 2.2.8 that would allow domain admins to join the domain by assuming root
> privileges during the join, and I've considered attempting to adapt this
> patch for Samba 3 but I haven't had the time to even look at it (if I had a
> Linux environment on my laptop I could work on this tomorrow on the
> plane, but alas spending is frozen and no one's gotten around to buying
> me vmware yet).
>
> Maybe someone else can shed some light as to why this restriction still
> seems to exist in Samba 3 with an LDAP backend?
>
> Clint
>
>
>
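The security concern raised in this exchange is that mapping "Domain Admins" onto POSIX accounts with uid 0 makes every domain admin a global root. The script below is an added example, not code from the thread or from the Samba project: it audits whether any member of the Unix group that `net groupmap list` maps to the Domain Admins RID (512) has uid 0. The groupmap, group and passwd lines are constructed samples embedded inline so the check runs offline; on a real server you would feed it the output of `net groupmap list`, `getent group` and `getent passwd` instead. The group name `domadm` and the user names are assumptions for the sample.

```shell
#!/bin/sh
# Added example (not from the original thread): find Domain Admins members
# whose POSIX account is uid 0. All inputs below are constructed samples.

# Constructed sample of `net groupmap list` output; RID 512 is Domain Admins.
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-1234567890-123456789-1234567890-512) -> domadm
Domain Users (S-1-5-21-1234567890-123456789-1234567890-513) -> users'

# Constructed /etc/group style lines (what `getent group` would print).
GROUP_SAMPLE='domadm:x:1001:travis,root
users:x:100:travis,clint'

# Constructed /etc/passwd style lines (what `getent passwd` would print).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
travis:x:1000:1000:Travis:/home/travis:/bin/bash
clint:x:1002:1002:Clint:/home/clint:/bin/bash'

# Print the Unix group that the Samba group with the given RID is mapped to.
unix_group_for_rid() {
    rid="$1"
    printf '%s\n' "$GROUPMAP_SAMPLE" | sed -n "s/^.*-$rid) -> \(.*\)$/\1/p"
}

# Print the members of a Unix group, one per line.
members_of_group() {
    grp="$1"
    printf '%s\n' "$GROUP_SAMPLE" |
        awk -F: -v g="$grp" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# Print the numeric uid of a user.
uid_of() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $3 }'
}

# Print every Domain Admins member whose uid is 0.
# Exit status: 0 if none found, 1 if at least one, 2 if RID 512 is not mapped.
domain_admins_with_uid0() {
    grp=$(unix_group_for_rid 512)
    if [ -z "$grp" ]; then
        echo "no groupmap entry for RID 512 (Domain Admins)" >&2
        return 2
    fi
    found=0
    for m in $(members_of_group "$grp"); do
        if [ "$(uid_of "$m")" = "0" ]; then
            echo "$m"
            found=1
        fi
    done
    return $found
}

# Stand-alone run: report and exit non-zero if any domain admin is root.
if domain_admins_with_uid0; then
    echo "ok: no Domain Admins member has uid 0"
else
    echo "warning: the users above are Domain Admins AND uid 0" >&2
fi
```

With the constructed sample the check reports `root`, because `root` was placed in the `domadm` group; `travis` (uid 1000) is a domain admin without being a global superuser, which is the separation the post argues for.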