[Samba] Re: Domain Admin Group privaleges

Bill MacAllister post+samba at macallister.grass-valley.ca.us
Sun May 2 08:34:22 GMT 2004

I had this problem was well trying to join XP machines to the domain.  One 
admin user was able to add machines and another was not.  I discovered that 
I had a left over from Samba 2.x in my smb.conf

 admin users = mac

Yup, you guessed it, mac was the only user that could add machines to the 
domain.  Commenting out this line and mac could not longer add machines to 
the domain.  This is really puzzling to me because I am using an ldap 
backend with the following mappings:

FS Web (S-1-5-21-2177951985-844638623-828914669-2259) -> fs-web
FS Users (S-1-5-21-2177951985-844638623-828914669-513) -> fs-users
FS Admin (S-1-5-21-2177951985-844638623-828914669-2260) -> fs-admin
Domain Admins (S-1-5-21-2177951985-844638623-828914669-512) -> DomainAdmins
Domain Guests (S-1-5-21-2177951985-844638623-828914669-514) -> nobody
FS Teachers (S-1-5-21-2177951985-844638623-828914669-2258) -> fs-teachers

But, just making sure that mac was in the DomainAdmins group was not 
enought to get admin privileges in the Windows environment.

This is a recent 3.02 installation.  I really would prefer that this was in 
LDAP, so it anyone can point me at what I am doing wrong that would be 


| Bill MacAllister, System Manager
| Nevada City School District
| 530-265-1857

--On Monday, April 26, 2004 02:30:49 PM -0400 Greg Kuchyt 
<kuchyt25 at potsdam.edu> wrote:

> I thought this was the problem also, but adding the user to the root
> group did not yield any change. I'm kind of baffled on this one.
>> It sounds as it has to do with the Linux privileges.  Try this:
>> When you create a Samba user, the equivalent account is created in the
>> /etc/passwd file.   Add the Linux user account to the Linux root group.
>> This will give the user root previliges.  Here is some info. from the
>> Samba How To:
>> There is no safe way to provide access on a UNIX/Linux system without
>> providing root level privilege. Provision of root privileges can be done
>> wither by logging onto the Domain as the user root, or by permitting
>> particular users to use a UNIX account that is a member of the UNIX group
>> that has a GID=0 as the primary group in the /etc/passwd database. Users
>> of such accounts can use tools like the NT4 Domain User Manager, and the
>> NT4 Domain Server Manager to manage user and group accounts as well as
>> Domain Member server and client accounts. This level of privilege is
>> also needed to manage share level ACLs.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list