[Samba] What the Administrator RID 500 is supposed to be able to do?

Edmundo Valle Neto edmundo.valle at terra.com.br
Tue Jul 4 01:59:12 GMT 2006


    I have a samba PDC using an LDAP backend and everything is working 
perfectly. I'm using debian sarge as server with samba 3.0.14a and have 
populated the LDAP backend with smbldap-tools (smbldap-populate).
    I have read chapter 14 of TOSHARG, which explains privileges. I can 
assign privileges and use them, but I have not understood the part that 
says something about the Administrator well-known RID 500.

    If I use the root account I can join workstations to the domain, etc.
    If I use any other account with proper privileges granted, I'm able 
to do what the assigned privileges permit (join workstations, etc).

    The smbldap-tools that I used doesn't set the RID of the 
administrator account to 500, and even when I set it to 500 I don't see 
any difference; I can't join workstations with that account.

When I try to do it the Windows XP workstation gives me an error saying 
that the username cannot be found.

Looking at the Samba logs for the workstation, something like this appears:
[2006/07/03 21:34:28, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "testmachine$"' gave 1
This indicates that the script returned an error (probably because of the 
lack of rights to add an account).

So I ask: what is the Administrator account supposed to be able to do 
when it has the well-known RID 500 that it doesn't do when the RID is 
any other value?

And another, more general question. Some other groups have well-known 
RIDs too. Besides it being the right RID for them, what would be the 
difference if they had any other values? Would it raise any problem?


Edmundo Valle Neto
