[Samba] Domain Admins don't have enough privileges

Bostjan Müller neonatus at gmail.com
Mon Dec 27 17:55:22 GMT 2004

On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza <geza at kzsdabas.sulinet.hu> wrote:
> Bostjan Müller wrote:
> >Hi everyone,
> >
> >I am trying to create a couple users (not root) who would be in Domain
> >Admins group, and would have the permissions to add machine to domain.
> >
> >I can confirm that locally (I used sudo without password) as any of
> >the users of ntadm group, and each and everyone of them can add a user
> >to the passwd file.
> >They are also local admins on NT/200X/XP machines when they log in on
> >windows side, but neither of them can add a machine to domain via the
> >windows GUI.
> >The only user that can do that is the user root.
> >
> >I have googled a lot, and all I could find was the user has to be
> >Domain Admin, and he has to have the unix rights to add the machine
> >account.
> >
> >Can someone please explain to me what else has to be done for this to work?
> >
> >THX in advance,
> >Bostjan
> >
> >
> By design Windows workstations treat users belonging to the Domain
> Admins group as Administrators (the Domain Admins group becomes a member of
> the local Administrators group when the workstation joins the domain).
> As Samba needs a posix account for each samba account (even for
> workstations), and on *nix only root (uid=0) can create users
> (accounts), you need a way to tell samba to treat some users as root.
> This is the reason for the existence of the admin users smb.conf parameter.
> Specify admin users = @domainjoiners in the global section, and members
> of the domainjoiners group will be able to create accounts, and do all
> the nasty things allowed only to root (add/remove/modify shares/users)
> (if you configure them in smb.conf). You can limit their access to
> files/folders by specifying admin users = root on the share definitions.
> Good Luck!
> Geza

Thx, but I also tried that, and the problem was that if I added the
users to the root line of smbusers:
root = user1, user2, user3

They would all map to user root, even using the same password as root
(not their own) to authenticate, which is of no use to me, because I
want to have users that do NOT have the root password.

buhdej evridej
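As an added illustration (not part of the original thread), the two approaches discussed above side by side in smb.conf form; the group name domainjoiners, the machine-account group, the script path and the share name are assumptions, not values from the list:

```ini
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes

   ; Approach reported in the reply above: mapping ordinary users onto root
   ; through the username map file. The incoming login name is rewritten to
   ; "root" before the password check, so root's own password is what gets
   ; verified. That is the behaviour described above and is the weak setting,
   ; left commented out here.
   ;username map = /etc/samba/smbusers
   ;   (smbusers would contain a line such as:  root = user1, user2, user3)

   ; Approach suggested by Geza: each user keeps their own account and
   ; password, and Samba performs root-only operations on their behalf.
   ; "domainjoiners" is an assumed Unix group name.
   admin users = @domainjoiners

   ; Script Samba runs as root to create the posix account for a joining
   ; workstation (%u is the machine name). Path and group are assumptions.
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

[data]
   ; Assumed share. The share-level setting overrides the global one, so
   ; members of domainjoiners get no elevated file access on this share.
   path = /srv/samba/data
   admin users = root
```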
