[Samba] What the Administrator RID 500 is supposed to be able to do?
Edmundo Valle Neto
edmundo.valle at terra.com.br
Tue Jul 4 01:59:12 GMT 2006
Hello.
I have a samba PDC using an LDAP backend and everything is working
perfectly. I'm using debian sarge as server with samba 3.0.14a and have
populated the LDAP backend with smbldap-tools (smbldap-populate).
I have read chapter 14 of TOSHARG, where it explains about
privileges. I can assign privileges and use them, but have not understood
the part that says something about the Administrator well-known RID 500.
If I use the root account I can join workstations to the domain, etc.
If I use any other account with proper privileges granted, I'm able
to do what the assigned privileges permit (join workstations, etc).
The smbldap-tools that I used don't set the RID of the
administrator account to 500, and even when I set it to 500 I don't see
any difference; I can't join workstations with that account.
When I try to do it the Windows XP workstation gives me an error saying
that the username cannot be found.
Looking at the samba logs for the workstation, something like this appears:
...
[2006/07/03 21:34:28, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
"testmachine$"' gave 1
...
This indicates that the script returned an error (probably because of the
lack of rights to add an account).
So I ask: what is the Administrator account supposed to be able to do
when it has the well-known RID 500 that it doesn't do when the RID is
any other value?
And another, more general question. Some other groups have well-known
RIDs too. Besides it being the right RID for them, what should be the
difference if they had any other values? Would it raise any problem?
Regards.
Edmundo Valle Neto