[Samba] Re: securing root to administrator mapping

Michal Kurowski mkur at poczta.gazeta.pl
Thu May 19 18:55:42 GMT 2005

David Bear [David.Bear at asu.edu] wrote:
> I'm just starting to convert to using samba 3 --. Untill now, my use
> of samba has been pretty simple. I've not used it as a DC and I've use
> passthrough auth.. I know some say its ugly (and it can be) but its
> made my life easier most of the time.

Please read Samba Official HOWTO, chapter 14.

> Now I'm reading through the samba docs, howto's, etc and I am still
> very uncomfortable mapping the windows Administrator account to root.
> I know samba will need to change some things that only root can do. I
> was hoping for something that I could do with sudo. Could I create and
> account called 'joeAdmin', put him in sudoers, then put all the
> commands that joeAdmin would need to run in the sudoers config? That
> seems a more structure way to secure this.

There isn't really anything that would require your legitimate unix
users to be put into sudoers. That information is stored in samba tdb
files and are manipulated using "net".
> Secondly, we have possibly more than one administrator account on a
> machine. Can we map multiple windows user names to the root account in
> idmap?

Recent samba releases don't require root account during normal
operation. Parent processes still are being run with uid=0 so there
you go.

> then in smbusermap file 
> root = joeAdmin janeAdmin
> Does this sound reasonable?

You shouldn't have to do this.


Michal Kurowski
perl -e '$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#;

More information about the samba mailing list