[Samba] Re: Domain Admin Group privileges
Bill MacAllister
post+samba at macallister.grass-valley.ca.us
Sun May 2 08:34:22 GMT 2004
I had this problem as well trying to join XP machines to the domain. One
admin user was able to add machines and another was not. I discovered that
I had a leftover from Samba 2.x in my smb.conf:
    admin users = mac
Yup, you guessed it, mac was the only user that could add machines to the
domain. After commenting out this line, mac could no longer add machines to
the domain. This is really puzzling to me because I am using an LDAP
backend with the following mappings:
FS Web (S-1-5-21-2177951985-844638623-828914669-2259) -> fs-web
FS Users (S-1-5-21-2177951985-844638623-828914669-513) -> fs-users
FS Admin (S-1-5-21-2177951985-844638623-828914669-2260) -> fs-admin
Domain Admins (S-1-5-21-2177951985-844638623-828914669-512) -> DomainAdmins
Domain Guests (S-1-5-21-2177951985-844638623-828914669-514) -> nobody
FS Teachers (S-1-5-21-2177951985-844638623-828914669-2258) -> fs-teachers
But just making sure that mac was in the DomainAdmins group was not
enough to get admin privileges in the Windows environment.
This is a recent 3.02 installation. I really would prefer that this was in
LDAP, so if anyone can point me at what I am doing wrong, that would be
great.
Bill
+----------------------------------------------------------
| Bill MacAllister, System Manager
| Nevada City School District
| 530-265-1857
--On Monday, April 26, 2004 02:30:49 PM -0400 Greg Kuchyt
<kuchyt25 at potsdam.edu> wrote:
> I thought this was the problem also, but adding the user to the root
> group did not yield any change. I'm kind of baffled on this one.
>
>> It sounds as it has to do with the Linux privileges. Try this:
>>
>> When you create a Samba user, the equivalent account is created in the
>> /etc/passwd file. Add the Linux user account to the Linux root group.
>> This will give the user root privileges. Here is some info from the
>> Samba How To:
>>
>> There is no safe way to provide access on a UNIX/Linux system without
>> providing root level privilege. Provision of root privileges can be done
>> either by logging onto the Domain as the user root, or by permitting
>> particular users to use a UNIX account that is a member of the UNIX group
>> that has a GID=0 as the primary group in the /etc/passwd database. Users
>> of such accounts can use tools like the NT4 Domain User Manager, and the
>> NT4 Domain Server Manager to manage user and group accounts as well as
>> Domain Member server and client accounts. This level of privilege is
>> also needed to manage share level ACLs.
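Added example, not part of the original post or of Samba itself: a small audit that lists every "admin users" setting in an smb.conf. Accounts named by that parameter perform file operations as root on the share, and a leftover entry like the one described in the post above is easy to miss. The sample configuration and the function names are constructed for illustration, and quoted names containing spaces are not handled.

```python
import re

def normalise(name):
    # smb.conf parameter names are case-insensitive and ignore embedded whitespace
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    # Join physical lines that end in a backslash (smb.conf line continuation)
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.strip()

def find_admin_users(text):
    """Return [(section, [principals])] for every active 'admin users' line."""
    findings, section = [], None
    for line in logical_lines(text):
        if not line or line[0] in "#;":      # blank line or commented-out setting
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if normalise(key) == "adminusers":
            principals = [p for p in re.split(r"[,\s]+", value.strip()) if p]
            findings.append((section, principals))
    return findings

# Constructed sample configuration, not taken from the post
SAMPLE = """\
[global]
   Admin Users = mac
; admin users = olduser
[profiles]
   admin users = @fs-admin, \\
       mac
"""

if __name__ == "__main__":
    for section, principals in find_admin_users(SAMPLE):
        print(f"[{section}] admin users -> {', '.join(principals)}")
```
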