[Samba] Administrator Domain SID?

Doug Campbell doug at bpta.net
Wed Mar 30 07:32:16 GMT 2005

> On Tuesday 29 March 2005 21:57, Doug Campbell wrote:
> > In the Samba How-To Chapter 13 it says:
> >
> > "
> > The Administrator Domain SID
> > Please note that when configured as a DC, it is now required that an
> > account in the server's passdb backend be set to the domain SID of the
> > default Administrator account. To obtain the domain SID on a Samba DC, run
> > the following command:
> >
> > root#  net getlocalsid
> > SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
> >
> > You may assign the Domain Administrator rid to an account using the pdbedit
> > command as shown here:
> >
> > root#  pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
> > "
> >
> > Question:  Is this information still valid after samba 3.0.11?  I didn't do
> > this but things seem to be working fine.  If the information is still
> > valid, what would not having it affect?
> Yes, it is!
> OK. But what is the name of your administrator account? What is the SID for
> this account?

I currently only have three user accounts named: Administrator, dcampbell
and nobody

Both Administrator and dcampbell are in the Domain Admins group.

The SIDs are as follows:

Administrator SID: S-1-5-21-52543480-3766940008-3731351578-2996
dcampbell SID: S-1-5-21-52543480-3766940008-3731351578-3006
nobody SID: S-1-5-21-52543480-3766940008-3731351578-2998

Domain Admins SID:  S-1-5-21-52543480-3766940008-3731351578-512

> You do realize, I hope, that the RID=500 means the account is the
> Administrator for Windows clients. Any other RID will be seen by
> the Windows
> workstation (client) as an account other than the real Administrator.

Doesn't the fact that these accounts are in the Domain Admins group make
them "real" Administrators too?  I seem to have Administrative access to my
local machine just by being a member of the Domain Admins group.

Just now, I went ahead and set the Administrator account RID to 500 and
removed it entirely from the Domain Admins group.  I wasn't able to use it
anymore to add a machine.  I expected this to be the case since being in the
Domain Admins group and having assigned it the new SE...Privilege settings
was what was allowing it to administrate the domain.

> What more must we do to clarify the wording so that everyone clearly gets the
> message? What is not clear in the documentation?

I guess for me it would help to know what doing this step is supposed to
accomplish.  If I can understand what the purpose of this is, I might be
able to help in clarifying the wording.

Could you explain this in a little more detail, please?
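The SID a Windows client evaluates is the domain SID from `net getlocalsid` followed by the account's RID, and RID 500 is the built-in Administrator regardless of group membership, which is the point the quoted reply makes. As an added example (not from the thread or from Samba itself), this small audit checks the SIDs listed above against the domain SID and reports whether any account actually carries RID 500; the sample data is constructed from the values in the message.

```python
import re

# Constructed sample input shaped like the thread: a `net getlocalsid` line
# and the three account SIDs Doug listed (not live output from a DC).
GETLOCALSID_OUTPUT = "SID for domain FOO is: S-1-5-21-52543480-3766940008-3731351578"
ACCOUNTS = {
    "Administrator": "S-1-5-21-52543480-3766940008-3731351578-2996",
    "dcampbell":     "S-1-5-21-52543480-3766940008-3731351578-3006",
    "nobody":        "S-1-5-21-52543480-3766940008-3731351578-2998",
}

ADMINISTRATOR_RID = 500   # well-known RID the How-To says to assign with pdbedit


def domain_sid(getlocalsid_output):
    """Extract the domain SID from a `net getlocalsid` output line."""
    m = re.search(r"is:\s*(S-1-5-21(?:-\d+){3})\s*$", getlocalsid_output)
    if not m:
        raise ValueError("unrecognised net getlocalsid output")
    return m.group(1)


def split_sid(sid):
    """Split an account SID into (domain SID, RID); the RID is the last field."""
    prefix, _, rid = sid.rpartition("-")
    if not re.fullmatch(r"S-1-5-21(?:-\d+){3}", prefix) or not rid.isdigit():
        raise ValueError("not a domain account SID: %s" % sid)
    return prefix, int(rid)


def audit_administrator(domain, accounts):
    """Return (holder, foreign): the account whose SID is <domain>-500, or None
    if no account holds the Administrator RID, and the accounts whose SID is
    not under this domain at all (a sign of a stale or copied passdb)."""
    holder, foreign = None, []
    for name, sid in accounts.items():
        prefix, rid = split_sid(sid)
        if prefix != domain:
            foreign.append(name)
        elif rid == ADMINISTRATOR_RID:
            holder = name
    return holder, foreign


if __name__ == "__main__":
    dom = domain_sid(GETLOCALSID_OUTPUT)
    holder, foreign = audit_administrator(dom, ACCOUNTS)
    print("domain SID:", dom)
    print("RID 500 held by:", holder or "nobody (clients see no real Administrator)")
    print("accounts outside this domain:", foreign or "none")
    print("to assign it: pdbedit -U %s-%d -u root -r" % (dom, ADMINISTRATOR_RID))
```

With the SIDs from the message the audit reports that no account holds RID 500, which is exactly the state the How-To paragraph warns about even though both users sit in Domain Admins (RID 512).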
