[Samba] Re: Group membership

Tarjei Huse tarjei at nu.no
Mon Oct 18 07:54:33 GMT 2004


Wow! I think this is the best post I've seen on any mailing list -ever- !

A minor comment/question:
> 3. If you want the Domain Admins group to be able to manage your Samba servers 
> you must ensure that this group, or its members, somehow maps to the user 
> 'root' or the group 'root' (GID=0, on some systems this maps to the group 
> 'wheel').

So to add / remove users and join domains the vital part is not to have
uid == 0 but gid == 0? 

I've always thought that the only way to do this was to have a user with
uid 0. 

Geza Gemes: If you just want a set of users to add/remove users without
being root when doing other tasks, use LDAP. 

Tarjei


> 
> You can either map "Domain Admins" to the GID=0 group on the UNIX system, or 
> as explained below, you can do this using the "admin users" parameter in the 
> smb.conf global section.
> 
> You have choice in how UNIX admin capability is provided for domain users. 
> There are no right or wrong choices - but there are solutions that do or do 
> not work. If you fail to think through the chain of rights and privileges as 
> a user passes from a DMC to the domain then through to Samba and the UNIX OS 
> that hosts it, you will find the result frustrating. But if you can figure 
> out the simple steps from one point to another the solution is simple and 
> frustration will be avoided.
> 
> If someone would care to review the appropriate chapters of the 
> Samba-HOWTO-Collection and suggest updates I will be happy to incorporate 
> them into the document.
> 
> - John T.
> 
> 
> On Sunday 17 October 2004 05:29, Gémes Géza wrote:
> > Hi everybody,
> >
> > > Ok, the logic goes like this...
> > >
> > > If you want to use root for Domain administration purposes it has to
> > > be in the Domain user database.
> > > If it's a Domain user its primary group should be a Domain group.
> > > All Domain groups in Samba are mappings from UNIX groups into SIDs.
> > > If mapping for a particular gid is not present it will be created
> > > automatically using arithmetic approach.
> > >
> > > Therefore, if you want your root user to keep its primary gid but to
> > > be associated with a Domain group 'Domain Admins' the best approach
> > > will be to map this Domain group into UNIX group 'root' instead of
> > > creating additional UNIX group 'Domain Admins'.
> > >
> > > Another approach will be to use some other user to administer your
> > > Domain and put it into 'admin users' list in smb.conf then you will be
> > > free to choose any primary group for it you like just keep the
> > > consistency between gidNumber and sambaPrimaryGroupSID. All users in
> > > the 'admin users' list are forced into being root when they access
> > > Samba so you will have the same control you would have with root.
> >
> > Some things to note here:
> > admin users is not generally the same as domain admins.
> > Members of the domain admin group will have administrator privileges on
> > a Windows (NT based) workstation, but no special rights on the Samba
> > shares, nor the right to manipulate the users, groups, or machines
> > databases.
> > Members of the admin users will be able to act as root to Samba (all
> > privileges), but not necessarily administrators for the Windows
> > workstations, only if they are also members of the Domain Admins group.
> >
> > I still have some things not very clear to me: can I have a group added
> > to admin users in the global section, while in the share definitions
> > specifying another admin users (e.g. admin users = root), limiting in this
> > way their access to other users' data, while giving them the possibility
> > to join machines to the domain?
> >
> > > I don't know why this is not documented... I don't read documentation
> > > that often.. I do know though that Samba team welcomes all suggestions
> > > to make documentation better. If you know which part of the
> > > documentation got you confused - let them know how to make it more clear.
> > >
> > > Hope it helps,
> > > Igor
> >
> > Thanks,
> >
> > Geza
> 
> -- 
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
> 
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> OpenLDAP by Example, ISBN: 0131488732
> Other books in production.
-- 
Tarjei Huse <tarjei at nu.no>
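As an added example (not part of the thread and not Samba's own code), the
script below shows the parameter semantics behind Geza's question about a
global versus per-share "admin users": a share-level parameter set in
[global] is the default for every share, and a value set inside a share
definition replaces it for that share only. The smb.conf it writes is a
constructed sample (the share names, paths and workgroup are assumptions),
and the resolver is my own awk, so it only reads the file; it does not
consult a running smbd.

```shell
#!/bin/sh
# Added example: resolve the effective "admin users" list per share from a
# constructed smb.conf. Whoever ends up in that list is forced to root on
# that share, so a per-share override both grants and withholds root.
set -e

# Constructed sample config, not from any real server.
SMB_CONF=$(mktemp)
cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   # default for every share that does not override it
   admin users = @"Domain Admins"

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   # narrows root on home directories to root itself
   admin users = root

[profiles]
   path = /var/lib/samba/profiles
   writable = yes
   # no override here: inherits the [global] value
EOF

# Print the effective "admin users" value for one share:
# the share's own setting if present (even if empty), else [global]'s.
effective_admin_users() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        /^[[:space:]]*admin users[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            if (sec == "global")    g = val
            else if (sec == want) { s = val; sset = 1 }
        }
        END { if (sset) print s; else print g }
    ' "$1"
}

# List every share section except [global].
list_shares() {
    awk '/^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            if (sec != "global") print sec
         }' "$1"
}

# Report the effective list for each share in the file.
report_admin_users() {
    list_shares "$1" | while IFS= read -r share; do
        printf '%-10s admin users = %s\n' "$share" \
            "$(effective_admin_users "$1" "$share")"
    done
}

report_admin_users "$SMB_CONF"
```

Running it prints root for [homes] and @"Domain Admins" for [profiles]. The
"Domain Admins" to GID 0 mapping John describes is a separate step done with
the net tool; on Samba 3 the syntax I know is
net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
(or net groupmap modify when the mapping already exists), which the script
above deliberately does not run.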


