[Samba] Domain Admins don't have enough privileges
geza at kzsdabas.sulinet.hu
Mon Dec 27 14:17:18 GMT 2004
Bostjan Müller írta:
>I am trying to create a couple users (not root) who would be in Domain
>Admins group, and would have the permissions to add machine to domain.
>I can confirm that locally (I used sudo without password) as any of
>the users of ntadm group, and each and everyone of them can add a user
>to the passwd file.
>They are also local admins on NT/200X/XP machines when they log in on
>windows side, but neither of them can add a machine to domain via the
>The only user that can do that is the user root.
>I have googled a lot, and all I could find was the user has to be
>Domain Admin, and he has to have the unix rights to add the machine
>Can someone please explain to me what else has to be done for this to work?
>THX in advance,
By design Windows workstations treat users belonging to the Domain
Admins group as Adminstrators (the Domain Admins group become member of
the local Administrators group when the workstation joins the domain).
As Samba needs a posix account for each samba account (even for
workstations), and on *nix only root (uid=0) can create users
(accounts), you need a way to tell samba to threat some users as root.
This is the reason of existance for the admin users smb.conf parameter.
Specify admin users = @domainjoiners in the global section, and members
of the domainjoiners group will be able to create accounts, and do all
the nasty things allowed only to root (add/remove/modify shares/users)
(if you configure them in smb.conf). You can limit their access to
files/folders, by specifying admin users = root on the share definitions.
More information about the samba