[Samba] How Is Administrator Treated?

John H Terpstra samba at primastasys.com
Thu May 20 12:05:57 GMT 2004 

Les,

On the UNIX system addition/change of user accounts requires UID=0. If you want your Administrator to be able
to manage user accounts UID=0 is a must. Also, the RID for Administrator must be 500 for the account to have
admin privileges in Windows.

If you are using and LDAP backend it is imperative that all UIDs and RIDs must be unambiguous. So if you have a
root account and an Administrator account - you have introduced ambiguity. It is best to use the 'root' account
in place of the NT Administrator. Just make sure that the RID for the root account is 500.

- John T.
---
John H Terpstra
Samba-Team
email: jht at samba.org


> -------- Original Message --------
> Subject: [Samba] How Is Administrator Treated?
> From: "Les Bell" <lesbell at lesbell.com.au>
> Date: Wed, May 19, 2004 9:34 pm
> To: samba at lists.samba.org
>
> I have a couple of Samba 2.2 servers, in different locations, configured
> as
> NT Domain Controllers, but I'm experiencing some problems with logging
> on
> to the domains as Administrator in order to perform some
> administration
> tasks, such as configuring antivirus software on workstations. I won't
> go
> into the details here; I think the basic problem is my lack of
> understanding of how the Administrator account is treated. Ordinary
> user
> accounts work fine as far as I can see, but then, ordinary users
> shouldn't
> be able to do a bunch of things, anyway.
>
> First: I created an Administrator account in Linux, and it wound up
> (here)
> with a UID/GID of 604. That's just an ordinary user ID, so what makes
> it
> special as far as the domain is concerned? Should the Administrator
> account
> have a UID/GID of 0? If I try to run USRMGR.EXE or SRVMGR.EXE I can
> see
> things, but can't change them ("Access is denied").
>
> Second, what about Windows SID's? Administrator should be
> S-1-5-domain-500;
> but if I log on as Administrator at an NT or Win2K workstation and look
> in
> the registry, I can't see that SID in HKEY_USERS. How is this set up in
> the
> Adminstrator account profile (roaming profiles are in use)?
>
> I'm pretty sure that once I "grok" this stuff all the other minor
> system
> management problems will fall into place. Thanks in advance for any
> responses.
>
> Best,
>
> --- Les Bell, RHCE, CISSP
> [http://www.lesbell.com.au]
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list