[Samba] problem with administrator accounts

Chris St. Pierre stpierre at NebrWesleyan.edu
Fri Jan 13 17:41:34 GMT 2006

Sorry if I'm being dense, but how do I map groups?  I can't find
anything in the smb.conf man page about group mapping (except with
idmap, which isn't what I want).  I'm using an older version of Samba
-- 3.0.13 -- which is prebuilt for SuSE 9.3, and I'm lazy and didn't
want to build my own.  Do I need to upgrade to a newer version to get
the functionality I want?  Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 12 Jan 2006, Edward Luck wrote:

>You need to map your Domain Admins group to a Linux group which the
>root user is a member of.
>Here's a couple of things I have noticed:
>1. User account "root" always gets a RID of 1000, not 500.  So, there
>is effectively no "Administrator" user account.
>2. You need to map the group "Domain Admins" to a unix group
>(preferrably named "ntadmins", which root is a member of.
>With the above settings, I was able to add machines to the domain as
>the user "root".
>Remember that the User RID of "500" in Windows has special privileges
>- much like any account in UNIX with a userID of "0" is considered the
>superuser.  Because there is no account in Samba which has a RID of
>500, you need to assign Administrator privileges based on group
>membership - Domain Admins to be precise.
>On 1/12/06, Chris St. Pierre <stpierre at nebrwesleyan.edu> wrote:
>> I have a small domain with a Samba PDB and two Windows clients.  My
>> goal is to have all accounts held centrally on the Linux box, but the
>> administrator login doesn't work as an administrator.
>> That is, I can login just fine as 'administrator' (or as any of the
>> other accounts in the Samba password db), but I don't get
>> administrative privileges in Windows.
>> In smb.conf, I have:
>> admin users = root
>> username map = /etc/samba/smbusers
>> In smbusers, I have:
>> root = administrator
>> The username mapping appears to occur, but 'administrator' (now
>> 'root') does not receive admin privileges in Windows.  (This leads to
>> quite a bind, because I can't login as administrator to take the
>> computer out of the domain and add a local administrator account.)
>> Any ideas?  Thanks!
>> Chris St. Pierre
>> Unix Systems Administrator
>> Nebraska Wesleyan University
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>Keep flying, and stay shiny.

More information about the samba mailing list