[Samba] Domain Admins don't have enough privileges

Gémes Géza geza at kzsdabas.sulinet.hu
Tue Dec 28 20:45:28 GMT 2004


Ryan Novosielski wrote:

> This did not work this way for Samba 2.2.x -- it was not good enough 
> to use "admin users =" to my knowledge. Has this changed, or was I 
> mistaken to begin with?
>
> ---- _  _ _  _ ___  _  _  _
> |Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - User Support Spec. III
> |$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
> \__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
>
> On Mon, 27 Dec 2004, Gémes Géza wrote:
>
>> Bostjan Müller wrote:
>>
>>> On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza 
>>> <geza at kzsdabas.sulinet.hu> wrote:
>>>
>>>> Bostjan Müller wrote:
>>>>
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I am trying to create a couple of users (not root) who would be in the
>>>>> Domain Admins group, and would have the permissions to add a machine
>>>>> to the domain.
>>>>>
>>>>> I can confirm that locally (I used sudo without password) as any of
>>>>> the users of the ntadm group, and each and every one of them can add
>>>>> a user to the passwd file.
>>>>> They are also local admins on NT/200X/XP machines when they log in on
>>>>> windows side, but neither of them can add a machine to domain via the
>>>>> windows GUI.
>>>>> The only user that can do that is the user root.
>>>>>
>>>>> I have googled a lot, and all I could find was the user has to be
>>>>> Domain Admin, and he has to have the unix rights to add the machine
>>>>> account.
>>>>>
>>>>> Can someone please explain to me what else has to be done for this 
>>>>> to work?
>>>>>
>>>>> THX in advance,
>>>>> Bostjan
>>>>>
>>>>>
>>>>>
>>>> By design Windows workstations treat users belonging to the Domain
>>>> Admins group as Administrators (the Domain Admins group becomes a
>>>> member of the local Administrators group when the workstation joins
>>>> the domain).
>>>> As Samba needs a posix account for each samba account (even for
>>>> workstations), and on *nix only root (uid=0) can create users
>>>> (accounts), you need a way to tell samba to treat some users as root.
>>>> This is the reason for the existence of the admin users smb.conf
>>>> parameter.
>>>> Specify admin users = @domainjoiners in the global section, and
>>>> members of the domainjoiners group will be able to create accounts,
>>>> and do all the nasty things allowed only to root (add/remove/modify
>>>> shares/users) (if you configure them in smb.conf). You can limit their
>>>> access to files/folders by specifying admin users = root on the share
>>>> definitions.
>>>>
>>>> Good Luck!
>>>>
>>>> Geza
>>>>
>>>>
>>>
>>> Thx, but I also tried that, and the problem was, that if I added the
>>> users to root line of smbusers:
>>> root = user1, user2, user3
>>>
>>> They would all map to user root, even using the same password as root
>>> (not their own) to authenticate, which is of no use to me, because I
>>> want to have users that do NOT have the root password.
>>>
>>> -- 
>>> buhdej evridej
>>>
>> You don't need to do anything with the smbusers file!
>> Just specify:
>> admin users = user1, user2, user3
>> or better:
>> admin users = @somegroup
>>
>> in the [Global] section of your smb.conf
>>
>> and if you are paranoid (like me ;-) )
>> specify
>> admin users = root
>> on every share definition
>>
>> Cheers,
>>
>> Geza
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>
That setup works fine for me (last checked with 3.0.8, which was the
then-current version when I last joined a w2k box to the domain).

Cheers,

Geza
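The layout Geza recommends (admin users = @somegroup in [global] so the group can create accounts, admin users = root on every share so the same group does not also get root-level file access) is easy to get partly wrong: one share without the override silently inherits the global value. The script below is an added example, not code from the list thread or from the Samba project. It parses a constructed smb.conf (the share names, the group name domainjoiners and the missing override on the data share are all invented for the illustration), computes the effective admin users list per share using Samba's rule that a share-level setting replaces the global default, and reports the shares on which the join group would still act as root.

```python
"""Audit which shares in an smb.conf let an 'admin users' entry act as root.

Added example (not code from the Samba list thread). The smb.conf text
below is constructed for the illustration: the "data" share deliberately
omits the per-share "admin users = root" override so the audit has
something to catch.
"""
import configparser

# Constructed smb.conf following the [global] + per-share layout discussed
# in the thread. Names (EXAMPLE, domainjoiners, /srv/data) are invented.
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    domain logons = yes
    # members of this posix group may create machine/user accounts
    admin users = @domainjoiners

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    admin users = root

[data]
    path = /srv/data
    writable = yes

[netlogon]
    path = /var/lib/samba/netlogon
    admin users = root
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section_name_lower: {normalized_key: value}}.

    Samba ignores case and internal whitespace in parameter names, so
    "Admin Users" and "adminusers" are normalized to the same key.
    interpolation=None keeps '%u'-style Samba substitutions intact.
    """
    cp = configparser.ConfigParser(
        interpolation=None,
        strict=False,
        empty_lines_in_values=False,
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=("#", ";"),
    )
    cp.optionxform = lambda key: key.strip().lower().replace(" ", "")
    cp.read_string(text)
    return {section.lower(): dict(cp.items(section)) for section in cp.sections()}


def parse_admin_users(value):
    """Split an 'admin users' value; Samba accepts comma or space separators,
    and a leading '@' marks a posix group rather than a user."""
    if value is None:
        return []
    return [token for token in value.replace(",", " ").split() if token]


def effective_admin_users(conf):
    """Per share, the admin users list that actually applies: the share's own
    setting if present, otherwise the [global] default."""
    default = parse_admin_users(conf.get("global", {}).get("adminusers"))
    effective = {}
    for name, options in conf.items():
        if name == "global":
            continue
        if "adminusers" in options:
            effective[name] = parse_admin_users(options["adminusers"])
        else:
            effective[name] = list(default)
    return effective


def shares_with_root_for(conf, principal):
    """Shares on which `principal` (e.g. '@domainjoiners') would act as root."""
    return sorted(
        share
        for share, users in effective_admin_users(conf).items()
        if principal in users
    )


if __name__ == "__main__":
    parsed = parse_smb_conf(SMB_CONF)
    for share, users in sorted(effective_admin_users(parsed).items()):
        print(f"[{share}] admin users = {' '.join(users) or '(none)'}")
    exposed = shares_with_root_for(parsed, "@domainjoiners")
    print("shares where @domainjoiners acts as root:", exposed or "none")
```

Running it against the constructed file lists data as the only share where members of the join group still map to root, which is exactly the share missing the per-share override. Pointing it at a real smb.conf (read the file instead of the embedded string) gives the same check for a production PDC.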

