[Samba] Re: Group membership

Gémes Géza geza at kzsdabas.sulinet.hu
Mon Oct 18 15:40:30 GMT 2004


Tarjei Huse írta:

>Wow! I think this is the best post I've seen on any mailinglist -ever- !
>
>A minor comment/question:
>
>>3. If you want the Domain Admins group to be able to manage your Samba servers 
>>you must ensure that this group, or its members, somehow maps to the user 
>>'root' or the group 'root' (GID=0, on some systems this maps to the group 
>>'wheel').
>>    
>>
>
>So to add / remove users and join domains the vital part is not to have
>uid0==0 but gid == 0? 
>
>I've always thought that the only way to do this was to have a user with
>uid 0. 
>
>Geza Gemes: If you just want a set of users to add/remove users without
>being root when doing other tasks, use LDAP. 
>
>Tarjei
>
Sorry, but IMHO you are wrong at this point: joining a machine to a 
domain with on-the-fly machine account creation relies on being root 
(uid=0). Anyway, I have been using LDAP for some years, and manage 
users and groups via scripts, and have given (via sudo) that right to the 
mentioned group.

Thanks,

Geza Gemes

>>You can either map "Domain Admins" to the GID=0 group on the UNIX system, or 
>>as explained below, you can do this using the "admin users" parameter in the 
>>smb.conf global section.
>>
>>You have choice in how UNIX admin capability is provided for domain users. 
>>There are no right or wrong choices - but there are solutions that do or do 
>>not work. If you fail to think through the chain of rights and privileges as 
>>a user passes from a DMC to the domain then through to Samba and the UNIX OS 
>>that hosts it, you will find the result frustrating. But if you can figure 
>>out the simple steps from one point to another the solution is simple and 
>>frustration will be avoided.
>>
>>If someone would care to review the appropriate chapters of the 
>>Samba-HOWTO-Collection and suggest updates I will be happy to incorporate 
>>them into the document.
>>
>>- John T.
>>
>>
>>On Sunday 17 October 2004 05:29, Gémes Géza wrote:
>>
>>>Hi everybody,
>>>
>>>
>>>>Ok, the logic goes like this...
>>>>
>>>>If you want to use root for Domain administration purposes it has to
>>>>be in the Domain user database.
>>>>If it's a Domain user its primary group should be a Domain group.
>>>>All Domain groups in Samba are mappings from UNIX groups into SIDs.
>>>>If mapping for a particular gid is not present it will be created
>>>>automatically using an arithmetic approach.
>>>>
>>>>Therefore, if you want your root user to keep its primary gid but to
>>>>be associated with a Domain group 'Domain Admins' the best approach
>>>>will be to map this Domain group into UNIX group 'root' instead of
>>>>creating additional UNIX group 'Domain Admins'.
>>>>
>>>>Another approach will be to use some other user to administer your
>>>>Domain and put it into 'admin users' list in smb.conf then you will be
>>>>free to choose any primary group for it you like just keep the
>>>>consistency between gidNumber and sambaPrimaryGroupSID. All users in
>>>>the 'admin users' list are forced into being root when they access
>>>>Samba so you will have the same control you would have with root.
>>>>
>>>Some things to note here:
>>>admin users is not generally the same as domain admins.
>>>Members of the domain admin group will have administrator privileges on
>>>a Windows (NT based) workstation, but no special rights on the Samba
>>>shares, nor the right to manipulate the users, groups, or machines
>>>databases.
>>>Members of the admin users will be able to act as root to Samba (all
>>>privileges), but not necessarily be administrators of the Windows
>>>workstations, unless they are also members of the Domain Admins group.
>>>
>>>I still have some things not very clear to me: can I have a group added
>>>to admin users in the global section, while in the share definitions
>>>specifying another admin users (e.g. admin users = root), limiting in this
>>>way their access to other users' data, while giving them the possibility
>>>to join machines to the domain?
>>>
>>>
>>>>I don't know why this is not documented... I don't read documentation
>>>>that often.. I do know though that Samba team welcomes all suggestions
>>>>to make documentation better. If you know which part of the
>>>>documentation got you confused - let them know how to make it more clear.
>>>>
>>>>Hope it helps,
>>>>Igor
>>>>
>>>Thanks,
>>>
>>>Geza
>>>
>>-- 
>>John H Terpstra
>>Samba-Team Member
>>Phone: +1 (650) 580-8668
>>
>>Author:
>>The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
>>Samba-3 by Example, ISBN: 0131472216
>>Hardening Linux, ISBN: 0072254971
>>OpenLDAP by Example, ISBN: 0131488732
>>Other books in production.
>>
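As an added illustration (not part of the thread above, and not the smb.conf of any of the posters), the fragment below puts the two delegation mechanisms discussed in this thread side by side: the "Domain Admins" group mapped onto the UNIX gid 0 group, and "admin users" set in [global] with a narrower override in a share. "admin users" is a share-level parameter in smb.conf(5), so a value in [global] is only the default that each share section may override. The workgroup, the group names 'domadm' and 'machines', the share paths and the script path are assumed for the example, not taken from the thread.

```ini
; Added example, not from the thread. Workgroup, group names, paths: assumed.
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   ; Default for every share that does not set its own value: members of
   ; the UNIX group 'domadm' act as root inside Samba, which is what lets
   ; them create machine accounts when a workstation joins the domain.
   admin users = @domadm
   ; The Domain Admins group itself is mapped onto the UNIX 'root' group
   ; (gid 0) outside smb.conf, for example with:
   ;   net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
   ; That gives its members Administrator rights on NT-based workstations;
   ; it does not by itself make them root inside Samba.
   ; Assumes a UNIX group 'machines' exists for workstation accounts.
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

[homes]
   comment = Home directories
   browseable = no
   read only = no
   ; Per-share override: only root is privileged here, so members of
   ; 'domadm' cannot read other users' home directories through this share.
   admin users = root
```

The sudo delegation mentioned in the reply above would live in sudoers rather than smb.conf, as a rule allowing the same UNIX group to run only the specific user and group management scripts as root (for instance a line of the form `%domadm ALL=(root) /usr/local/sbin/smbldap-useradd`, where the script path is again an assumption), so that the group is never granted a general root shell.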
