[Samba] Re: Domain Admin Group privileges

Jamrock news_jamrock at yahoo.com
Sat Apr 24 21:47:16 GMT 2004


"Greg Kuchyt" <kuchyt25 at potsdam.edu> wrote in message
news:1082728325.12726.15.camel at hnshpws.potsdam.edu...
> If the user 'root' is added to samba/ldap and assigned to the "Domain
> Admins" domain group, then 'root' is allowed domain administrator access
> as it should be. If you create a new user account, say 'blinky', and add
> 'blinky' to the "Domain Admins" group, 'blinky' does not have full
> Domain Admin access. For example, 'blinky' cannot use the "USRMGR.EXE"
> administration tool, while root can without any problem. However,
> 'blinky' CAN remove a machine from the domain, but not add.
> --
> Greg
>

It sounds as if it has to do with the Linux privileges.  Try this:

When you create a Samba user, the equivalent account is created in the
/etc/passwd file.  Add the Linux user account to the Linux root group.
This will give the user root privileges.  Here is some info from the Samba
How To:

There is no safe way to provide access on a UNIX/Linux system without
providing root level privilege. Provision of root privileges can be done
either by logging onto the Domain as the user root, or by permitting
particular users to use a UNIX account that is a member of the UNIX group
that has a GID=0 as the primary group in the /etc/passwd database. Users of
such accounts can use tools like the NT4 Domain User Manager, and the NT4
Domain Server Manager to manage user and group accounts as well as Domain
Member server and client accounts. This level of privilege is also needed to
manage share level ACLs.
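
An added example, not part of the original post or of Samba's own code: a small audit that lists which accounts have GID 0 as their primary group in /etc/passwd (the condition the HOWTO passage above describes), and reports UID 0 accounts and supplementary members of the GID 0 group separately. The sample file contents are constructed; feed it the contents of the real /etc/passwd and /etc/group to review who holds this level of privilege.

```python
# Added example: audit accounts tied to GID 0 (root-level group privilege).
# The sample data below is constructed, not taken from the original post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
blinky:x:1001:0:Samba admin:/home/blinky:/bin/bash
inky:x:1002:1002::/home/inky:/bin/bash
toor:x:0:0:alt root:/root:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:inky
daemon:x:1:
inky:x:1002:
"""

def parse_passwd(text):
    """Yield (name, uid, gid) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        try:
            yield fields[0], int(fields[2]), int(fields[3])
        except ValueError:
            continue  # non-numeric UID/GID: skip rather than guess

def group_members(text, gid=0):
    """Return the names listed as members of the group with this GID."""
    members = set()
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[2] == str(gid):
            members.update(m for m in fields[3].split(",") if m)
    return members

def audit(passwd_text, group_text):
    """Report UID 0 accounts, primary-GID-0 accounts, and extra group members."""
    entries = list(parse_passwd(passwd_text))
    primary = {name for name, _, gid in entries if gid == 0}
    return {
        "uid0": sorted(name for name, uid, _ in entries if uid == 0),
        "primary_gid0": sorted(primary),
        "supplementary_gid0": sorted(group_members(group_text) - primary),
    }

if __name__ == "__main__":
    for key, names in audit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```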




