[Samba] (no subject)

Les Bell lesbell at lesbell.com.au
Thu May 20 23:53:04 GMT 2004


"John H Terpstra" <samba at primastasys.com> wrote:

>>
On the UNIX system addition/change of user accounts requires UID=0. If you
want your Administrator to be able
to manage user accounts UID=0 is a must. Also, the RID for Administrator
must be 500 for the account to have
admin privileges in Windows.
<<

OK. The Linux box is at a school and administered by novices, so I've set
up user account management via Webmin, with synchronization of the Samba
accounts. This is working well. However, in order for Administrator to be
able to log in on the domain, I had to create an "Administrator" account,
hence the one with an ID of 604. Same on my office network, but here I've
created a group, smbadmins, added Administrator and myself into it, and
then added

domain admin group = @smbadmins (following some online docs, but testparm
doesn't like this, so I'll remove it)
admin users = @smbadmins
printer admin = @smbadmins

I also upgraded from 2.2 to 3.04 and this seems to be a lot happier when
running USRMGR.EXE, etc.

>>
If you are using and LDAP backend it is imperative that all UIDs and RIDs
must be unambiguous. So if you have a
root account and an Administrator account - you have introduced ambiguity.
It is best to use the 'root' account
in place of the NT Administrator. Just make sure that the RID for the root
account is 500.
<<

No LDAP (yet). My big questions, then, are:

1. How do I set the RID for the Administrator or root account? Currently,
the SID is User SID:
S-1-5-21-754926933-3079649434-3472319497-2208. I've tried editing it with:

pdbedit -r -u Administrator -U S-1-5-21-754926933-3079649434-3472319497-500

but it doesn't change (and -d4 doesn't produce any useful debugging info,
AFAICS). And of course the other setup is on Samba 2.2, which doesn't have
pdbedit. How can the RID be changed there?

2. If we don't need to use USEMGR.EXE for account management, is there any
other reason why the Administrator account needs UID/GUD = 0? I'm nervous
about using the root password for domain & workstation administration
tasks.

Thanks,

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]




More information about the samba mailing list