[Samba] Domain Admins don't have enough privileges

Gémes Géza geza at kzsdabas.sulinet.hu
Mon Dec 27 18:34:29 GMT 2004


Bostjan Müller wrote:

>On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza <geza at kzsdabas.sulinet.hu> wrote:
>
>>Bostjan Müller wrote:
>>
>>
>>>Hi everyone,
>>>
>>>I am trying to create a couple users (not root) who would be in Domain
>>>Admins group, and would have the permissions to add machine to domain.
>>>
>>>I can confirm that locally (I used sudo without password) as any of
>>>the users of ntadm group, and each and everyone of them can add a user
>>>to the passwd file.
>>>They are also local admins on NT/200X/XP machines when they log in on
>>>windows side, but neither of them can add a machine to domain via the
>>>windows GUI.
>>>The only user that can do that is the user root.
>>>
>>>I have googled a lot, and all I could find was the user has to be
>>>Domain Admin, and he has to have the unix rights to add the machine
>>>account.
>>>
>>>Can someone please explain to me what else has to be done for this to work?
>>>
>>>THX in advance,
>>>Bostjan
>>>
>>>
>>>
>>By design Windows workstations treat users belonging to the Domain
>>Admins group as Administrators (the Domain Admins group becomes a member of
>>the local Administrators group when the workstation joins the domain).
>>As Samba needs a posix account for each samba account (even for
>>workstations), and on *nix only root (uid=0) can create users
>>(accounts), you need a way to tell samba to treat some users as root.
>>This is the reason for the existence of the admin users smb.conf parameter.
>>Specify admin users = @domainjoiners in the global section, and members
>>of the domainjoiners group will be able to create accounts, and do all
>>the nasty things allowed only to root (add/remove/modify shares/users)
>>(if you configure them in smb.conf). You can limit their access to
>>files/folders by specifying admin users = root on the share definitions.
>>
>>Good Luck!
>>
>>Geza
>>
>>
>
>Thx, but I also tried that, and the problem was that if I added the
>users to the root line of smbusers:
>root = user1, user2, user3
>
>They would all map to user root, even using the same password as root
>(not their own) to authenticate, which is of no use to me, because I
>want to have users that do NOT have the root password.
>
>--
>buhdej evridej
>
You don't need to do anything with the smbusers file!
Just specify:
admin users = user1, user2, user3
or better:
admin users = @somegroup

in the [Global] section of your smb.conf

and if you are paranoid (like me ;-) )
specify
admin users = root
on every share definition

Cheers,

Geza
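The smb.conf layout described in this thread, as an added example (not from the thread or the Samba project): a global admin users entry naming a Unix group, and a share-level admin users = root that overrides it so the group gets root rights only for account creation, not for files on the share. The group name domainjoiners, the workgroup and the share paths are assumptions.

```ini
# Added example smb.conf fragment; group, workgroup and paths are assumed.
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   # Members of the Unix group "domainjoiners" are treated as root by
   # Samba, so they can create the machine (posix) account at join time
   # without knowing the root password. Nothing in smbusers is needed.
   admin users = @domainjoiners

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   # The share-level value overrides the global one: on this share only
   # root is treated as admin, so domainjoiners get no extra file rights.
   admin users = root

[homes]
   browseable = no
   read only = no
   # Same override on every share, as the reply recommends.
   admin users = root
```

Keep the group small: anyone in it is effectively root as far as Samba is concerned, so membership should be reviewed the same way sudo access is.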

