[Samba] Documentation bug? domadm privileges

Karel Kulhavy clock at atrey.karlin.mff.cuni.cz
Mon Feb 16 13:43:39 GMT 2004


Hello

I have been trying to solve the problem of how to make a non-root user able to
administer the domain (add users, groups, modify them, etc.) from a Windows
workstation using usrmgr.exe.

It looks like what is stated in the Samba HOWTO Collection as prerequisites
is not enough.

First I found Chapter 12 (page cxl), "How to make Samba PDC users members of the
Domain Admins group": I made the non-root user a member of the domadm group, added
the domadm UNIX group and groupmapped the Domain Admins NT group to the domadm UNIX
group.

This didn't work. I suggest changing "steps describe how to make Samba PDC
users members of the Domain Admins" to "steps describe how to make Samba
PDC users members of the Domain Admins (note that this won't assure the same
functionality as being a Domain Admin on an NT4 PDC; for further details,
see 12.2.1 Important Administrative Information (page cxli))" (why the heck
was the numbering changed from Arabic to Roman numerals?).

Then I searched further for the term 'Admins' in the Samba HOWTO Collection PDF
and found 12.2.1 Important Administrative Information. It states, among other things:
"[...]adding users or groups, requires root level privilege.[...]Provision
of root privileges can be done [...] by permitting [...] users to use a UNIX
account that is a member of the UNIX group that has a GID=0 as the primary group in
the /etc/passwd database".

So I made the non-root user's primary group root (GID=0) and it still didn't
work. I tried to restart Samba. Still didn't work. Logged the user out of Windows
and back in. Still didn't work. Restarted Samba again. Still didn't work.

-> Is there a place in the HOWTO that describes how to determine what sequence
of reboots, logouts, domain removal and reattachments and Samba restarts
is necessary to assure integrity of any given operation when dealing with Samba?

Then I discovered another place in the Samba HOWTO that contains an example:
Section 31.2 Migration Options (page cdxv) (why the heck were the Arabic numerals
replaced with Roman? Comparing two Roman numerals takes me about a minute
and decreases the speed of a manual binary search for a given page by
several orders of magnitude):

5. Now assign each of the UNIX groups to NT groups:
[...]
# First assign well known domain global groups
net groupmap modify ntgroup="Domain Admins" unixgroup=root rid=512

This didn't work:
oberon root # net groupmap modify ntgroup="Domain Admins" unixgroup=root rid=512
Bad option: rid=512
However, I got the idea behind the command and tried it without the rid option:
oberon root # net groupmap modify ntgroup="Domain Admins" unixgroup=root
Updated mapping entry for Domain Admins
oberon root # net groupmap list
[...]
Domain Admins (S-1-5-21-3784068046-1792391053-1311982112-512) -> root

Suggestion: replace
"net groupmap modify ntgroup=\"Domain Admins\" unixgroup=root rid=512"
in the Samba HOWTO Collection with
"net groupmap modify ntgroup=\"Domain Admins\" unixgroup=root"

After that I reloaded Samba and tried running usrmgr.exe: Invalid handle.
Exited usrmgr.exe and restarted usrmgr.exe (without logging out) and it --
MIRACULOUSLY WORKED!

Suggestion: replace "Users of such accounts can use tools like the NT4 Domain
User Management" with "Users of such accounts still cannot use tools like the
NT4 Domain User Management, because having root as primary group is not enough.
However, if the Domain Admins group is in addition mapped to the root group, this
task becomes possible" in chapter 12.2.1 Important Administrative Information
(page cxli).

Cl<
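A check that goes with the procedure above, written as an added example for this page (it is not from the original post or from the Samba project): after running `net groupmap modify`, confirm that the well-known Domain Admins RID (512) is really mapped to the UNIX group you intended by parsing the output of `net groupmap list`. The sample output below is constructed in the format the post shows; the helper assumes that format (one mapping per line, `NT group (SID) -> unixgroup`, with a UNIX group name that contains no spaces).

```shell
#!/bin/sh
# Added example, not code from the post or from Samba.
# Parses `net groupmap list` output and checks which UNIX group the
# well-known Domain Admins RID (512) is mapped to.

# Constructed sample output in the format the post shows
# (in real use: SAMPLE_GROUPMAP=$(net groupmap list)).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-3784068046-1792391053-1311982112-512) -> root
Domain Users (S-1-5-21-3784068046-1792391053-1311982112-513) -> users
Domain Guests (S-1-5-21-3784068046-1792391053-1311982112-514) -> nobody'

# domain_admins_unixgroup GROUPMAP_OUTPUT
# Prints the UNIX group mapped to the SID whose RID is 512 (Domain Admins).
# Prints nothing and returns 1 if no mapping for RID 512 exists.
# Matches on the SID rather than on the NT group name, since the name
# can be renamed while the RID is fixed by the NT domain model.
domain_admins_unixgroup() {
    printf '%s\n' "$1" | awk '
        /\(S-1-5-21-[0-9]+-[0-9]+-[0-9]+-512\)/ && /->/ {
            print $NF   # last field: the UNIX group after "->"
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# check_domain_admins GROUPMAP_OUTPUT EXPECTED_UNIX_GROUP
# Returns 0 when RID 512 is mapped to EXPECTED_UNIX_GROUP, 1 otherwise
# (including the case where RID 512 is not mapped at all).
check_domain_admins() {
    grp=$(domain_admins_unixgroup "$1") || return 1
    [ "$grp" = "$2" ]
}

# Usage: report the current mapping and fail if it is not what we expect.
if check_domain_admins "$SAMPLE_GROUPMAP" root; then
    echo "Domain Admins (RID 512) is mapped to UNIX group root"
else
    echo "Domain Admins (RID 512) is not mapped to root: $(domain_admins_unixgroup "$SAMPLE_GROUPMAP")" >&2
fi
```

Mapping Domain Admins to the UNIX root group (GID 0) is what makes the NT-side administration work in the post, and it also means every account placed in Domain Admins carries root group membership on the Samba server, so that NT group should be kept as small as the set of people who are meant to have that access.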

