[Samba] Domain Administrators Not Recognized in Samba3

Travis Groth lists at netfoo.org
Wed Apr 7 18:25:35 GMT 2004


Ok lemme get this straight.   You're saying that there needs to be a
samba account with posix uid of 0 in order to join the domain?  That
doesn't make sense.  If you're a domain admin, you're a domain admin. 
If this is the case, the samba team is forcing a huge security problem
upon us as all domain admins would now need to have a posix id of
0....making them all effectively root.  While domain admins are only
superusers to samba, giving them all uid 0 would make them superusers
globally.  Not the brightest of ideas.

If you're saying that I need to be root *locally* to join with a domain
admin account, then that's not an issue.  I'm doing that.

I ssh in as my normal user, run `sudo su -` to become full root, then
execute `net join -U travis DOMAIN`. 

If this seems ok I'm going to start digging around the source code I
guess.  

--Travis



On Wed, 2004-04-07 at 03:15, Clint Sharp wrote:
> On Tue, 2004-04-06 at 15:24, Travis Groth wrote:
> > Uh...yes?  root doesn't have a samba account.  'travis' is in the domain
> > admins group though, which is all you need to join a domain afaik.  Take
> > a look at the ldap chunks and 'net groupmap list' output.  It's either
> > something really stupid or I've uncovered a bug...according to all the
> > documentation I've seen and examples I've followed, I haven't missed
> > anything.
> > 
> > --Travis
> > 
> 
> This may have been beaten to death on the list, but AFAIK you cannot
> join a samba domain, even with a tdb or ldap backend w/o using the root
> account.  It's the only reason I've kept a root account around (that and
> modifying ACLs, which is a separate problem I haven't gotten around to
> seeing if I can fix).  In fact, my root account isn't even in the domain
> admins group at this point.  Without having to modify the smbpasswd file
> and /etc/passwd file, I couldn't see a reason for having to be root to
> join the domain anymore.  I saw a patch (it's still in my inbox) for
> 2.2.8 that would allow domain admins to join the domain by assuming root
> privileges during the join, and I've considered attempting to adapt this
> patch for Samba 3 but I haven't had the time to even look at (if I had a
> Linux environment on my laptop I could work on this tomorrow on the
> plane, but alas spending is frozen and no one's gotten around to buying
> me vmware yet).
> 
> Maybe someone else can shed some light as to why this restriction still
> seems to exist in Samba 3 with an LDAP backend?
> 
> Clint
> 
> 
> 
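As an added example (not code from the thread), a small POSIX sh audit for the concern Travis raises above: it reads the unix group that `net groupmap list` maps to "Domain Admins" and flags any member of that group whose uid is 0. The inputs are constructed fragments standing in for `net groupmap list` output, /etc/group and /etc/passwd; on a real host you would feed it the live output and files instead.

```shell
#!/bin/sh
# Constructed sample of `net groupmap list` output (not captured from a real system).
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers'

# Constructed /etc/group fragment: who is in the mapped unix groups.
GROUP_SAMPLE='root:x:0:
domadmins:x:1001:travis,clint
domusers:x:1002:travis,clint,alice'

# Constructed /etc/passwd fragment: "clint" has been given uid 0, which is the
# situation the thread warns about (a domain admin that is also global root).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
travis:x:1000:1000:Travis:/home/travis:/bin/sh
clint:x:0:0:Clint:/home/clint:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/sh'

# unix_group_for_domain_admins GROUPMAP_TEXT
#   Prints the unix group name that the "Domain Admins" SID is mapped to.
unix_group_for_domain_admins() {
    printf '%s\n' "$1" | sed -n 's/^Domain Admins (S-[0-9-]*) -> \(.*\)$/\1/p'
}

# uid_zero_domain_admins GROUPMAP_TEXT GROUP_TEXT PASSWD_TEXT
#   Prints each member of the Domain Admins unix group whose uid is 0.
#   Returns 1 if no Domain Admins mapping exists at all.
uid_zero_domain_admins() {
    grp=$(unix_group_for_domain_admins "$1")
    [ -n "$grp" ] || return 1
    # Fourth field of /etc/group is the comma-separated member list.
    members=$(printf '%s\n' "$2" | awk -F: -v g="$grp" '$1 == g { gsub(",", " ", $4); print $4 }')
    for m in $members; do
        uid=$(printf '%s\n' "$3" | awk -F: -v u="$m" '$1 == u { print $3 }')
        [ "$uid" = "0" ] && printf '%s\n' "$m"
    done
    return 0
}

# Stand-alone run against the constructed samples; prints "clint".
uid_zero_domain_admins "$GROUPMAP_SAMPLE" "$GROUP_SAMPLE" "$PASSWD_SAMPLE"
```

On a live system, call it as `uid_zero_domain_admins "$(net groupmap list)" "$(cat /etc/group)" "$(cat /etc/passwd)"`; an empty result means no domain admin doubles as uid 0.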