[Samba] problems with clients privileges

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Mon Nov 7 13:50:36 GMT 2005


nik600 hotmail wrote:
> hi
> I am experiencing some problems with configuring Samba as a PDC in a
> Windows network. I've configured Samba as PDC, created users, set their
> passwords with smbpasswd and mapped Unix groups to NT groups as follows:
> 
> System Operators (S-1-5-32-549) -> -1
> Domain Users (S-1-5-21-3614578222-3141096634-3044101766-513) -> users
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> users
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Admins (S-1-5-21-3614578222-3141096634-3044101766-512) -> users
> Domain Guests (S-1-5-21-3614578222-3141096634-3044101766-514) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> 
> On the Windows client I've set in the local group "Power Users" the domain
> group "Domain Users"

	Please, don't do that. Use different groups for Domain Users,
Domain Admins and Power Users. :)


> The problem is that the users can log in but they are extremely limited: they
> can't set their home page, or set preferences in I.E., or preferences
> regarding files (show hidden files...)

	It is a client-side problem, isn't it? Are you using GPO? Or
Local Security policies?


> The only solution I've guessed at the moment is to add the "Domain Users" Samba
> group to the "Administrators" local group... it works! But it lets the user
> log in as a local administrator, and I don't want that! ;-)
> 
> Can you suggest some controls to do?
> 
> The server runs Samba 3.0.10 on Slackware 10.1, kernel 2.6.12

	Samba 3.0.10 handles the "admin user" in a different way,
anyway, you don't want all your users to be Domain Admins. :-)

	On our network, if I don't use Local Policies, the user
is able to change a lot of things in his own environment in Win2k.


> Thanks in advance

	You are welcome. Best regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
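
The advice in this reply to keep Domain Users, Domain Admins and Power Users on different groups can be checked mechanically. The following is an added example, not part of the original message or of Samba: it parses a listing in the format quoted above (assumed to be the output of `net groupmap list`) and reports every Unix group that backs more than one NT group, marking the privileged ones. The function names and the choice of RIDs treated as privileged are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input copied from the mapping quoted in the message (subset).
SAMPLE = """\
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-3614578222-3141096634-3044101766-513) -> users
Power Users (S-1-5-32-547) -> users
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-3614578222-3141096634-3044101766-512) -> users
Domain Guests (S-1-5-21-3614578222-3141096634-3044101766-514) -> -1
"""

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>.+)$")

# Assumption of this example: RIDs whose membership grants administrative
# rights on domain members (512 = Domain Admins, 544 = BUILTIN\Administrators).
PRIVILEGED_RIDS = {"512", "544"}


def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; '-1' (unmapped) is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["unix"] != "-1":
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries


def shared_mappings(entries):
    """Report Unix groups that back more than one NT group."""
    by_unix = defaultdict(list)
    for name, sid, unix in entries:
        by_unix[unix].append((name, sid))
    findings = []
    for unix, groups in sorted(by_unix.items()):
        if len(groups) > 1:
            findings.append({
                "unix_group": unix,
                "nt_groups": [n for n, _ in groups],
                # The RID is the last dash-separated component of the SID.
                "privileged": [n for n, s in groups
                               if s.rsplit("-", 1)[1] in PRIVILEGED_RIDS],
            })
    return findings


if __name__ == "__main__":
    for f in shared_mappings(parse_groupmap(SAMPLE)):
        flag = "PRIVILEGED OVERLAP" if f["privileged"] else "shared"
        print(f"{flag}: unix group '{f['unix_group']}' <- {', '.join(f['nt_groups'])}")
```

A non-empty `privileged` list means every member of that Unix group is also a member of the privileged NT group; Windows clients joined to the domain place Domain Admins in their local Administrators group.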

