[Samba] Administrator is Root

ryan punt rpunt at good-sam.com
Thu Jan 18 17:39:11 GMT 2007

>> 	After Samba 3.0.14 you can have a normal user account with
>> Domain Administrator powers, which includes adding machines to the
>> domain and other privileges, using 'net groupmap'.
>> 	So you can have an account as the LDAP administrator, another
>> account as your Samba Administrator and your regular root account.
>> It's up to you. ;)
> But don't you need a Samba account with UID=0 to assign privileges 
> in the first place?

	Not anymore. ;)

Is priv assignment limited to accounts whose sambaPrimaryGroupSID has RID 512, or is simply having the account name listed as a member in the group definition enough?

Wow, that was poorly written...

I'm assuming that this guy will be able to assign privs:
# domain admin user
uid: user
sambaPrimaryGroupSid: S-*-512

How about user2?
# domain admins group
cn: dom_adms
sambaSID: S-*-512
memberUID: user2
