[Samba] Domain Admins don't have enough privileges
Ryan Novosielski
novosirj at umdnj.edu
Tue Dec 28 19:38:39 GMT 2004
This did not work this way for Samba 2.2.x -- it was not good enough to
use "admin users =" to my knowledge. Has this changed, or was I mistaken
to begin with?
Ryan Novosielski - User Support Spec. III
novosirj at umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
On Mon, 27 Dec 2004, Gémes Géza wrote:
> Bostjan Müller wrote:
>
>> On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza <geza at kzsdabas.sulinet.hu>
>> wrote:
>>
>>> Bostjan Müller wrote:
>>>
>>>
>>>> Hi everyone,
>>>>
>>>> I am trying to create a couple users (not root) who would be in Domain
>>>> Admins group, and would have the permissions to add machine to domain.
>>>>
>>>> I can confirm that locally (I used sudo without password) as any of
>>>> the users of ntadm group, and each and every one of them can add a user
>>>> to the passwd file.
>>>> They are also local admins on NT/200X/XP machines when they log in on
>>>> windows side, but neither of them can add a machine to domain via the
>>>> windows GUI.
>>>> The only user that can do that is the user root.
>>>>
>>>> I have googled a lot, and all I could find was the user has to be
>>>> Domain Admin, and he has to have the unix rights to add the machine
>>>> account.
>>>>
>>>> Can someone please explain to me what else has to be done for this to
>>>> work?
>>>>
>>>> THX in advance,
>>>> Bostjan
>>>>
>>>>
>>>>
>>> By design Windows workstations treat users belonging to the Domain
>>> Admins group as Administrators (the Domain Admins group becomes a member of
>>> the local Administrators group when the workstation joins the domain).
>>> As Samba needs a posix account for each samba account (even for
>>> workstations), and on *nix only root (uid=0) can create users
>>> (accounts), you need a way to tell samba to treat some users as root.
>>> This is the reason for the existence of the admin users smb.conf parameter.
>>> Specify admin users = @domainjoiners in the global section, and members
>>> of the domainjoiners group will be able to create accounts, and do all
>>> the nasty things allowed only to root (add/remove/modify shares/users)
>>> (if you configure them in smb.conf). You can limit their access to
>>> files/folders, by specifying admin users = root on the share definitions.
>>>
>>> Good Luck!
>>>
>>> Geza
>>>
>>>
>>
>> Thx, but I also tried that, and the problem was, that if I added the
>> users to root line of smbusers:
>> root = user1, user2, user3
>>
>> They would all map to user root, even using the same password as root
>> (not their own) to authenticate, which is of no use to me, because I
>> want to have users that do NOT have the root password.
>>
>> --
>> buhdej evridej
>>
> You don't need to do anything with the smbusers file!
> Just specify:
> admin users = user1, user2, user3
> or better:
> admin users = @somegroup
>
> in the [Global] section of your smb.conf
>
> and if you are paranoid (like me ;-) )
> specify
> admin users = root
> on every share definition
>
> Cheers,
>
> Geza
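The layout Geza describes (a group in [global], `admin users = root` on every share) can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: a small Python audit that computes the effective `admin users` value per share and reports shares where the [global] list still applies. The sample config, group name and share names are constructed, and the parser assumes simple names without quoting or line continuations.

```python
import re

# Constructed sample smb.conf (not from the thread); names are assumptions.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   admin users = @domainjoiners
[netlogon]
   path = /srv/samba/netlogon
   admin users = root
[projects]
   path = /srv/samba/projects
   ; no override here, so the [global] value applies
"""

def norm(key):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", key).lower()

def parse(text):
    """Parse smb.conf text into {section: {normalized_param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def admin_list(value):
    # Split a user list on commas and whitespace.
    return [u for u in re.split(r"[,\s]+", value or "") if u]

def audit(text):
    """Return {share: [non-root principals treated as root on that share]}."""
    sections = parse(text)
    default = sections.get("global", {}).get("adminusers", "")
    findings = {}
    for name, params in sections.items():
        # A share without its own setting inherits the [global] value.
        effective = admin_list(params.get("adminusers", default))
        extra = [u for u in effective if u != "root"]
        if name != "global" and extra:
            findings[name] = extra
    return findings
```

On the sample, `audit(SAMPLE)` reports only `projects`, the share that lacks the per-share `admin users = root` override.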