[Samba] Allowing Domain Admins root access

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Tue Oct 3 14:07:26 GMT 2006


On 09/25/2006 01:31 PM, Phil Marsden wrote:
> Hi,

Hey!


> We have a Windows Domain and a few Linux boxes on which we 
> have installed Samba and set them up so people can log in
> using their windows domain logins using winbind etc.
> 
> All is working fine EXCEPT for the group memberships.
> 
> I have a windows user who is a member of the "Domain Admins" 
> group and I want them to have root privileges on the UNIX
> box.
> 
> I added a group mapping using the command net groupmap add 
> ntgroup="Domain Admins" unixgroup=root type=d but that just
> added another group called "Domain admins" which could be
> seen by running
> 
> [root at xxx ~]# net groupmap list | grep Domain 
> Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1 
> Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-1001) -> root 
> Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> -1 
> Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1
> 
> so I tried
> net groupmap set "Domain Admins" "root" -D which was better and gave the output 
> Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1 
> Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> root 
> Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1
> 
> But any users that are in the "Domain Admins" group do not 
> get root privileges when logging into the unix box

	In fact, they have "root group privileges"; it does
not mean that they would be able to execute commands as root
(root user), but they have access to files with root group
owner (of course, also the executable ones).


> Is what I am doing supported i.e. is that what group mappings 
> are for?

	Not exactly, groupmaps are a way to have Windows groups
mapped to UNIX groups. Take a look at the Official HOWTO, I
think it would help you. :-)

http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html


> Phil.

	Kind regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
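
Added example (not part of the original message and not Samba code): a small Python audit of `net groupmap list` output in the format quoted above. It flags a look-alike "Domain Admins" entry whose RID is not the well-known 512, duplicate NT group names, and any Windows group mapped to a privileged UNIX group. The privileged-group set and the function names are assumptions; the sample lines are the two listings from the thread.

```python
import re

# Assumption: UNIX groups treated as privileged for this audit; adjust per site.
PRIVILEGED_UNIX_GROUPS = {"root", "wheel", "sudo", "adm"}
# Well-known domain RIDs (last SID component) for the groups in the thread.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[0-9-]+)\) -> (?P<unix>\S+)$")

# The two listings quoted in the thread (after `groupmap add`, after `groupmap set`).
BEFORE = """\
Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1
Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-1001) -> root
Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> -1
Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1
"""
AFTER = """\
Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1
Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> root
Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1
"""

def parse_groupmap(text):
    """Parse lines of the form 'NT name (SID) -> unixgroup'; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rid = int(m["sid"].rsplit("-", 1)[1])
            entries.append({"nt": m["nt"], "sid": m["sid"], "rid": rid, "unix": m["unix"]})
    return entries

def audit(entries):
    """Return (finding, nt_group, rid) tuples in listing order."""
    findings, seen = [], {}
    for e in entries:
        expected = WELL_KNOWN_RIDS.get(e["nt"])
        if expected is not None and e["rid"] != expected:
            findings.append(("lookalike", e["nt"], e["rid"]))  # same name, wrong RID
        if e["unix"] in PRIVILEGED_UNIX_GROUPS:
            findings.append(("privileged-mapping", e["nt"], e["rid"]))
        if e["nt"] in seen and seen[e["nt"]] != e["sid"]:
            findings.append(("duplicate-name", e["nt"], e["rid"]))
        seen.setdefault(e["nt"], e["sid"])
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse_groupmap(text)))
```

A `privileged-mapping` finding on RID 512 is the state the reply describes: domain admins hold the root group's file permissions on that host, not the root user's.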

