[Samba] Administrator is Root
Felipe Augusto van de Wiel
felipe at paranacidade.org.br
Fri Jan 19 14:21:16 GMT 2007
On 01/18/2007 03:39 PM, ryan punt wrote:
> Is priv assignment limited to accounts whose sambaPrimaryGroupSID
> has RID 512, or is simply having the account name listed as a
> member in the group definition enough?
I think the second one is true. ;)
> Wow, that was poorly written...
>
> I'm assuming that this guy will be able to assign privs:
> # domain admin user
> uid: user
> sambaPrimaryGroupSid: S-*-512
>
> How about user2?
> # domain admins group
> cn: dom_adms
> sambaSID: S-*-512
> memberUID: user2
Hmmm, not sure, on our setup I have a user that is the
Domain Administrator with the following information:
    uidNumber: 10001
    gidNumber: 10000
    sambaSID: S-1-5-21-our-own-sid-20002
    sambaPrimaryGroupSID: S-1-5-21-our-own-sid-512
We have groupmaps and the rpc rights for domain admins
are like this:
    OUROWNDOMAIN\Domain Admins
        SeMachineAccountPrivilege
        SeTakeOwnershipPrivilege
        SeBackupPrivilege
        SeRestorePrivilege
        SeRemoteShutdownPrivilege
        SePrintOperatorPrivilege
        SeAddUsersPrivilege
        SeDiskOperatorPrivilege
The user can join machines to the domain and once logged
in to a workstation he is able to do the configurations that users
are not allowed to do.
Then we have the following group (sambaGroupMap):
    cn: Domain Admins
    sambaSID: S-1-5-21-our-own-sid-512
    memberUid: felipe
And my user (felipe) is able to join machines to the
domain without the need to change net rpc rights. And I don't have
sid or primarysid 512 (not even close to that). ;)
Kind regards,
--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
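
An added example, not part of the original message and not Samba code: a small audit over an LDIF export that reports every account tied to the RID 512 group by either route raised in this thread, sambaPrimaryGroupSID or memberUid. The sample entries, DNs and SIDs are constructed, and the parser assumes plain LDIF without folded or base64 lines.

```python
import re

DOMAIN_ADMINS_RID = "512"  # the RID in the S-*-512 SIDs discussed above

# Constructed sample: SIDs, DNs and the user "maria" are made up.
SAMPLE_LDIF = """\
dn: uid=admin,ou=People,dc=example,dc=org
uid: admin
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-512

dn: uid=felipe,ou=People,dc=example,dc=org
uid: felipe
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-513

dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
sambaSID: S-1-5-21-1111-2222-3333-512
memberUid: felipe
memberUid: admin

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
sambaSID: S-1-5-21-1111-2222-3333-513
memberUid: maria
"""

def parse_entries(ldif):
    """Parse simple LDIF (no line folding, no base64) into attr -> values dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def has_rid(entry, attr, rid=DOMAIN_ADMINS_RID):
    # True if any SID stored in attr ends with the given RID.
    return any(sid.rsplit("-", 1)[-1] == rid for sid in entry.get(attr, []))

def domain_admin_paths(ldif):
    """Map each uid to the route(s) that tie it to the RID 512 group."""
    paths = {}
    for e in parse_entries(ldif):
        if has_rid(e, "sambaprimarygroupsid"):   # route 1: primary group
            for uid in e.get("uid", []):
                paths.setdefault(uid, set()).add("sambaPrimaryGroupSID")
        if has_rid(e, "sambasid"):               # route 2: group membership
            for uid in e.get("memberuid", []):
                paths.setdefault(uid, set()).add("memberUid")
    return {uid: sorted(routes) for uid, routes in paths.items()}
```

Accounts that appear only under the memberUid route are the ones a check of primary group SIDs alone would miss.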