[Samba] Re: Group membership

Gémes Géza geza at kzsdabas.sulinet.hu
Sun Oct 17 11:29:11 GMT 2004


Hi everybody,

> Ok, the logic goes like this...
>
> If you want to use root for Domain administration purposes it has to 
> be in the Domain user database.
> If it's a Domain user its primary group should be a Domain group.
> All Domain groups in Samba are mappings from UNIX groups into SIDs.
> If a mapping for a particular gid is not present it will be created 
> automatically using an arithmetic approach.
>
> Therefore, if you want your root user to keep its primary gid but to 
> be associated with a Domain group 'Domain Admins' the best approach 
> will be to map this Domain group into UNIX group 'root' instead of 
> creating additional UNIX group 'Domain Admins'.
>
> Another approach will be to use some other user to administer your 
> Domain and put it into 'admin users' list in smb.conf then you will be 
> free to choose any primary group for it you like just keep the 
> consistency between gidNumber and sambaPrimaryGroupSID. All users in 
> the 'admin users' list are forced into being root when they access 
> Samba so you will have the same control you would have with root.
>
Some things to note here:
admin users is not generally the same as domain admins.
Members of the domain admin group will have administrator privileges on 
a Windows (NT based) workstation, but no special rights on the Samba 
shares, nor the right to manipulate the users, groups, or machines 
databases.
Members of the admin users will be able to act as root to Samba (all 
privileges), but will not necessarily be administrators for the Windows 
workstations, only if they are also members of the Domain Admins group.

I still have some things not very clear to me: can I have a group added 
to admin users in the global section, while in the share definitions 
specify another admin users (e.g. admin users = root), limiting in this 
way their access to other users' data, while giving them the possibility 
to join machines to the domain?

> I don't know why this is not documented... I don't read documentation 
> that often.. I do know though that Samba team welcomes all suggestions 
> to make documentation better. If you know which part of the 
> documentation got you confused - let them know how to make it more clear.
>
> Hope it helps,
> Igor
>
>
Thanks,

Geza
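
An added example (not part of the original message, and not Samba's own code): a small audit of the gidNumber / sambaPrimaryGroupSID consistency mentioned in the quoted text, including the automatic arithmetic mapping. The domain SID, accounts and group map below are constructed; the fallback formula assumes Samba 3's default "algorithmic rid base" of 1000.

```python
# Constructed sample data: the domain SID and all accounts are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ALGORITHMIC_RID_BASE = 1000  # assumed: smb.conf "algorithmic rid base" default

# Explicit group mappings, UNIX gid -> RID. Here 'Domain Admins'
# (well-known RID 512) is mapped onto UNIX group root (gid 0), as the
# quoted text suggests, and 'Domain Users' (RID 513) onto gid 100.
GROUP_MAP = {0: 512, 100: 513}

SAMPLE_ACCOUNTS = [
    {"uid": "root", "gidNumber": "0", "sambaPrimaryGroupSID": DOMAIN_SID + "-512"},
    {"uid": "alice", "gidNumber": "100", "sambaPrimaryGroupSID": DOMAIN_SID + "-513"},
    {"uid": "bob", "gidNumber": "500", "sambaPrimaryGroupSID": DOMAIN_SID + "-2001"},
    # Claims Domain Admins as primary group while the UNIX gid says otherwise.
    {"uid": "carol", "gidNumber": "500", "sambaPrimaryGroupSID": DOMAIN_SID + "-512"},
    {"uid": "dave", "gidNumber": "100"},
]


def expected_group_sid(gid, group_map=GROUP_MAP, domain_sid=DOMAIN_SID):
    """SID that corresponds to a UNIX gid: the explicit mapping if one
    exists, otherwise the algorithmic fallback gid * 2 + base + 1."""
    if gid < 0:
        raise ValueError("gid must be non-negative")
    rid = group_map.get(gid)
    if rid is None:
        rid = gid * 2 + ALGORITHMIC_RID_BASE + 1
    return f"{domain_sid}-{rid}"


def audit(accounts):
    """Return (uid, problem, expected_sid) for every inconsistent account."""
    findings = []
    for acct in accounts:
        want = expected_group_sid(int(acct["gidNumber"]))
        have = acct.get("sambaPrimaryGroupSID")
        if have is None:
            findings.append((acct["uid"], "missing", want))
        elif have != want:
            findings.append((acct["uid"], "mismatch", want))
    return findings


if __name__ == "__main__":
    for uid, problem, want in audit(SAMPLE_ACCOUNTS):
        print(f"{uid}: sambaPrimaryGroupSID {problem}, expected {want}")
```
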

