[Samba] securing root to administrator mapping

[David Bear]

I'm just starting to convert to using samba 3 --. Untill now, my use
of samba has been pretty simple. I've not used it as a DC and I've use
passthrough auth.. I know some say its ugly (and it can be) but its
made my life easier most of the time.

Now I'm reading through the samba docs, howto's, etc and I am still
very uncomfortable mapping the windows Administrator account to root.
I know samba will need to change some things that only root can do. I
was hoping for something that I could do with sudo. Could I create and
account called 'joeAdmin', put him in sudoers, then put all the
commands that joeAdmin would need to run in the sudoers config? That
seems a more structure way to secure this.

Secondly, we have possibly more than one administrator account on a
machine. Can we map multiple windows user names to the root account in
idmap?

I'm thinking something like this..

create a group

jAdminGroup, joeAdmin, JaneAdmin

in sodoers.conf 
jAdminGroup ALL=/passwordchatprograms/addprinterprograms NOPASSWD: ALL

then in smbusermap file 
root = joeAdmin janeAdmin

Does this sound reasonable?
-- 
David Bear
phone: 	480-965-8257
fax: 	480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
 "Beware the IP portfolio, everyone will be suspect of trespassing"