[Samba] Re: Administrator is root - I don't like it

Steve A gmane at rowyerboat.com
Mon Jul 3 00:57:19 GMT 2006


Gerald (Jerry) Carter wrote:
>> The "Samba-3 by Example" instructs you to make a mapping,
>> "root =  Administrator".  Is this absolutely necessary?
>
> No.  Not necessary.  Read up on Samba's privilege model.

Thanks Jerry, I did find all your documentation on the Samba website and it
makes sense, but I'm not quite there yet...

There are 2 accounts in the tdbsam database, root and administrator.

The User SID for 'administrator' is already set to the Domain SID (obtained
from 'net getlocalsid') appended with '-500'.

No user mapping is in place.

The add machine script works ok (see below).

Now, if I use 'root' to join the Windows client to the domain, it works ok.
But if I use 'administrator', it fails with "The machine account for this
computer either does not exist or is inaccessible".  Both root and 
administrator are members of the unix group 'ntadmins' which is mapped to 
'Domain Admins' using net groupmap.  So I imagine something special has to 
be done with the ntadmins group but I don't know what.

I took a look at the 'net rpc' commands as you suggested, but after granting 
a right to "BSDDOMAIN\Domain Admins", when I type 'net rpc rights list 
accounts' I only get a list of "BUILTIN" accounts, all with no privileges 
assigned.

Do you know where I need to go from here?

Many thanks,
Steve :)






