[Samba] Domain Admins don't have enough privileges

Gémes Géza geza at kzsdabas.sulinet.hu
Mon Dec 27 14:17:18 GMT 2004


Bostjan Müller wrote:

>Hi everyone,
>
>I am trying to create a couple users (not root) who would be in Domain
>Admins group, and would have the permissions to add machine to domain.
>
>I can confirm that locally (I used sudo without password) as any of
>the users of ntadm group, and each and everyone of them can add a user
>to the passwd file.
>They are also local admins on NT/200X/XP machines when they log in on
>windows side, but neither of them can add a machine to domain via the
>windows GUI.
>The only user that can do that is the user root.
>
>I have googled a lot, and all I could find was the user has to be
>Domain Admin, and he has to have the unix rights to add the machine
>account.
>
>Can someone please explain to me what else has to be done for this to work?
>
>THX in advance,
>Bostjan
>  
>
By design Windows workstations treat users belonging to the Domain 
Admins group as Administrators (the Domain Admins group becomes a member of 
the local Administrators group when the workstation joins the domain).
As Samba needs a posix account for each samba account (even for 
workstations), and on *nix only root (uid=0) can create users 
(accounts), you need a way to tell samba to treat some users as root. 
This is the reason for the existence of the admin users smb.conf parameter. 
Specify admin users = @domainjoiners in the global section, and members 
of the domainjoiners group will be able to create accounts, and do all 
the nasty things allowed only to root (add/remove/modify shares/users) 
(if you configure them in smb.conf). You can limit their access to 
files/folders by specifying admin users = root on the share definitions.

Good Luck!

Geza
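Added example (not part of the thread and not Samba's own tooling): a small audit script that shows what a global "admin users = @domainjoiners" actually grants. Because admin users is a share-level parameter that falls back to the [global] value, the group is root-equivalent inside smbd on every share that does not override it, not just for the domain-join operation. The script parses a constructed smb.conf (the group name domainjoiners comes from Geza's reply; the share names, paths and other values are made up for the example) and reports the effective admin users per share and which shares still inherit the global grant. It assumes smbd's usual rules: a parameter set in a share overrides the global one, and parameter names are matched ignoring case and whitespace.

```python
"""Audit the effective 'admin users' grant per share in an smb.conf.

Added example for the thread above; not Samba's code. The sample config
below is constructed for this demonstration.
"""
import configparser
import io
import re

# Constructed sample smb.conf: [global] makes @domainjoiners root-equivalent,
# [finance] narrows that back to root only, the other shares inherit it.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = user
    domain logons = yes
    # Members of the POSIX group domainjoiners act as root inside smbd,
    # which is what lets them create the machine account on a domain join.
    admin users = @domainjoiners

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

[finance]
    path = /srv/finance
    valid users = @finance
    # Per-share override (the trick from the reply): only root is admin here.
    admin users = root

[public]
    path = /srv/public
    read only = no
"""

ADMIN_USERS = "admin users"


def parse_smb_conf(text):
    """Parse smb.conf text; parameter names are normalised the way smbd
    matches them (case-insensitive, whitespace ignored)."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.optionxform = lambda name: "".join(name.split()).lower()
    cfg.read_file(io.StringIO(text))
    return cfg


def _split_list(value):
    """Samba list values may be separated by whitespace and/or commas."""
    return tuple(item for item in re.split(r"[\s,]+", value.strip()) if item)


def effective_admin_users(text):
    """Return {share: principals treated as root}, applying the
    share-overrides-global rule for every non-global section."""
    cfg = parse_smb_conf(text)
    global_value = cfg.get("global", ADMIN_USERS, fallback="")
    effective = {}
    for share in cfg.sections():
        if share == "global":
            continue
        effective[share] = _split_list(cfg.get(share, ADMIN_USERS, fallback=global_value))
    return effective


def shares_inheriting_global(text):
    """Shares with no admin users override: the global grant applies there."""
    cfg = parse_smb_conf(text)
    return sorted(s for s in cfg.sections()
                  if s != "global" and not cfg.has_option(s, ADMIN_USERS))


def root_equivalent_groups(text):
    """Every @group that is root-equivalent on at least one share."""
    groups = set()
    for principals in effective_admin_users(text).values():
        groups.update(p for p in principals if p.startswith("@"))
    return sorted(groups)


if __name__ == "__main__":
    for share, principals in effective_admin_users(SAMPLE_SMB_CONF).items():
        print(f"[{share}] admin users = {' '.join(principals) or '(none)'}")
    print("inherit global grant:", shares_inheriting_global(SAMPLE_SMB_CONF))
    print("root-equivalent groups:", root_equivalent_groups(SAMPLE_SMB_CONF))
```

Run against the real /etc/samba/smb.conf, the "inherit global grant" list is the set of shares where a compromised domainjoiners account can read and write any file regardless of POSIX permissions; add an "admin users = root" line to each share that should not extend that trust.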

