[Samba] Re: securing root to administrator mapping

John H Terpstra jht at Samba.Org
Thu May 19 19:05:19 GMT 2005


On Thursday 19 May 2005 12:55, Michal Kurowski wrote:
> David Bear [David.Bear at asu.edu] wrote:
> > I'm just starting to convert to using samba 3 --. Until now, my use
> > of samba has been pretty simple. I've not used it as a DC and I've used
> > passthrough auth. I know some say it's ugly (and it can be) but it's
> > made my life easier most of the time.
>
> Please read Samba Official HOWTO, chapter 14.

I agree with Mike's advice - then again, I wrote that stuff! :-)

You can get your "specially reserved copy" (after all - everyone wants special 
care!) from:

http://www.samba.org/samba/docs/Samba-Guide.pdf
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

Which document for you?

	Well: The Samba-Guide.pdf teaches how to drive the car and take a vacation
		The Samba-HOWTO-Collection shows how to build the auto-transmission

In your case, you need to build the auto-transmission. Suggest you read up on 
IDMAP handling, User Rights and Privileges, and the use of the 'net' command.

No more 'root' accounts in the Samba passdb backend. In fact, you do not even 
need an 'administrator' account now - all admin responsibilities can be 
delegated to janitors if you wish.

Enjoy!

PS: The new HOWTO and By Example books will be available in print around 
August.

- John T.

>
> > Now I'm reading through the samba docs, howto's, etc and I am still
> > very uncomfortable mapping the windows Administrator account to root.
> > I know samba will need to change some things that only root can do. I
> > was hoping for something that I could do with sudo. Could I create an
> > account called 'joeAdmin', put him in sudoers, then put all the
> > commands that joeAdmin would need to run in the sudoers config? That
> > seems a more structured way to secure this.
>
> There isn't really anything that would require your legitimate unix
> users to be put into sudoers. That information is stored in samba tdb
> files and is manipulated using "net".
>
> > Secondly, we have possibly more than one administrator account on a
> > machine. Can we map multiple windows user names to the root account in
> > idmap?
>
> Recent samba releases don't require a root account during normal
> operation. Parent processes still are being run with uid=0 so there
> you go.
>
> > then in smbusermap file
> > root = joeAdmin janeAdmin
> >
> > Does this sound reasonable?
>
> You shouldn't have to do this.
>
> HTH,
>
> --
> Michal Kurowski
> perl -e '$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m
> m::#; y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
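The thread's advice is to stop mapping Windows admin names onto Unix root through the username map and instead hand out the specific rights those people need with 'net rpc rights grant'. The script below is an added example, written for this page and not taken from the thread or from the Samba project: it audits a constructed smb.conf and smbusers map for entries that hand out Unix root, checks that 'enable privileges = yes' is set (the smb.conf setting the privilege system depends on), and prints the 'net' commands that would delegate machine-account, user, disk-operator and printer-operator rights to each of the formerly root-mapped names. The domain name EXAMPLE, the sample file contents, and the choice of bootstrapping the grants with '-U root' (a user that already holds the rights must run the first grant) are assumptions for the demonstration; the commands are only printed, not executed, so the script runs anywhere a POSIX shell exists.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): find username-map
# entries that grant Unix root and emit the privilege grants to use instead.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample username map: the pattern the thread warns against.
cat > "$WORK/smbusers" <<'EOF'
# unixname = winname [winname ...]
root = administrator joeAdmin janeAdmin
nobody = guest
EOF

# Constructed sample smb.conf [global] section.
cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   username map = /etc/samba/smbusers
   enable privileges = yes
EOF

# Print every map line whose Unix side is root (comments skipped).
root_mappings() {
    grep -v '^[[:space:]]*[#;]' "$1" |
        awk -F= '$1 ~ /^[[:space:]]*root[[:space:]]*$/ { print }'
}

# Succeed when "enable privileges = yes" is set in the config.
privileges_enabled() {
    grep -Eiq '^[[:space:]]*enable privileges[[:space:]]*=[[:space:]]*yes' "$1"
}

# For each Windows name mapped to root, print the net(8) command that
# delegates the rights an administrator normally needs. DOMAIN is assumed.
grant_commands() {
    map=$1
    domain=$2
    root_mappings "$map" | cut -d= -f2 | tr ' ' '\n' | grep -v '^$' |
        while read -r user; do
            printf "net rpc rights grant '%s' %s -U root\n" \
                "$domain\\$user" \
                "SeMachineAccountPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SePrintOperatorPrivilege"
        done
}

echo "== username map entries that grant Unix root =="
root_mappings "$WORK/smbusers"
if privileges_enabled "$WORK/smb.conf"; then
    echo "== enable privileges is on; replace the root mapping with =="
    grant_commands "$WORK/smbusers" EXAMPLE
else
    echo "set 'enable privileges = yes' in [global] before granting rights"
fi
```

After running the grants, drop the 'root = ...' line from the map (or the 'username map' parameter altogether) and confirm with 'net rpc rights list accounts -U root' that the delegated names hold exactly the rights listed; nothing in the Samba side of this needs the Unix accounts in sudoers, which is the point Michal makes above.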

