[Samba] Domain Admins don't have enough privileges

Ryan Novosielski novosirj at umdnj.edu
Tue Dec 28 19:38:39 GMT 2004


This did not work this way for Samba 2.2.x -- it was not good enough to 
use "admin users =" to my knowledge. Has this changed, or was I mistaken 
to begin with?

---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - User Support Spec. III
|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

On Mon, 27 Dec 2004, Gémes Géza wrote:

> Bostjan Müller wrote:
>
>> On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza <geza at kzsdabas.sulinet.hu> 
>> wrote:
>> 
>>> Bostjan Müller wrote:
>>> 
>>> 
>>>> Hi everyone,
>>>> 
>>>> I am trying to create a couple of users (not root) who would be in the Domain
>>>> Admins group and would have the permissions to add a machine to the domain.
>>>> 
>>>> I can confirm that locally (I used sudo without a password) as any of
>>>> the users of the ntadm group, and each and every one of them can add a user
>>>> to the passwd file.
>>>> They are also local admins on NT/200X/XP machines when they log in on the
>>>> Windows side, but none of them can add a machine to the domain via the
>>>> Windows GUI.
>>>> The only user that can do that is the user root.
>>>> 
>>>> I have googled a lot, and all I could find was that the user has to be a
>>>> Domain Admin, and he has to have the Unix rights to add the machine
>>>> account.
>>>> 
>>>> Can someone please explain to me what else has to be done for this to 
>>>> work?
>>>> 
>>>> THX in advance,
>>>> Bostjan
>>>> 
>>>> 
>>>> 
>>> By design Windows workstations treat users belonging to the Domain
>>> Admins group as Administrators (the Domain Admins group becomes a member of
>>> the local Administrators group when the workstation joins the domain).
>>> As Samba needs a posix account for each samba account (even for
>>> workstations), and on *nix only root (uid=0) can create users
>>> (accounts), you need a way to tell samba to treat some users as root.
>>> This is the reason for the existence of the admin users smb.conf parameter.
>>> Specify admin users = @domainjoiners in the global section, and members
>>> of the domainjoiners group will be able to create accounts, and do all
>>> the nasty things allowed only to root (add/remove/modify shares/users)
>>> (if you configure them in smb.conf). You can limit their access to
>>> files/folders by specifying admin users = root on the share definitions.
>>> 
>>> Good Luck!
>>> 
>>> Geza
>>> 
>>> 
>> 
>> Thx, but I also tried that, and the problem was, that if I added the
>> users to root line of smbusers:
>> root = user1, user2, user3
>> 
>> They would all map to user root, even using the same password as root
>> (not their own) to authenticate, which is of no use to me, because I
>> want to have users that do NOT have the root password.
>> 
>> --
>> buhdej evridej
>> 
> You don't need to do anything with the smbusers file!
> Just specify:
> admin users = user1, user2, user3
> or better:
> admin users = @somegroup
>
> in the [Global] section of your smb.conf
>
> and if you are paranoid (like me ;-) )
> specify
> admin users = root
> on every share definition
>
> Cheers,
>
> Geza

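The configuration Geza describes, written out as an added example that is not part of the thread: Bostjan's smbusers mapping is shown commented out beside the `admin users` setting in `[global]`, and every share restates `admin users = root` so that members of the group are root-equivalent only for the account-creation path and not for file access. The workgroup name, the `domainjoiners` group, the share paths and the `add machine script` line are assumptions; the last one is not mentioned in the thread, it is the usual Samba 3 way of creating the posix account for a joining workstation (the step Geza says needs root), so adjust it to your system's useradd.

```ini
# /etc/samba/smb.conf fragment (added example, not from the thread).
# smb.conf does not allow comments after a value on the same line, so every
# comment here sits on its own line.

[global]
    ; assumed domain name
    workgroup = EXAMPLE
    security = user
    domain logons = yes
    domain master = yes

    ; What did NOT work in the thread: mapping the users onto root via
    ; /etc/samba/smbusers ("root = user1, user2, user3"). That makes them
    ; authenticate as root, with root's password, which is exactly what the
    ; poster wanted to avoid. Left here, disabled, for contrast:
    ; username map = /etc/samba/smbusers

    ; What Geza suggests instead: the users keep their own accounts and
    ; passwords; only membership in one Unix group grants root-equivalence
    ; for SMB operations (creating the machine account, and anything else
    ; smb.conf lets root do).
    admin users = @domainjoiners

    ; Assumption, not in the thread: the script Samba 3 runs, as root, to
    ; create the posix account for a joining workstation. %u is the
    ; machine account name (host$). Adjust to your useradd.
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

[netlogon]
    ; assumed path
    path = /var/lib/samba/netlogon
    writable = no
    ; A share-level value overrides the global one: on this share only root
    ; is treated as root, so domainjoiners members get ordinary permissions.
    admin users = root

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    admin users = root

[profiles]
    ; assumed path
    path = /var/lib/samba/profiles
    writable = yes
    admin users = root
```

The caveat a practitioner wants: `admin users` is a share parameter with a global default, and on any share where it applies the listed users operate as uid 0 for every file operation, with Unix permissions ignored. That is why Geza calls restating `admin users = root` on every share definition the paranoid setting; a new share added later without that line silently inherits the global group. After editing, run `testparm -s` to confirm which shares still carry the wider value.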
