[Samba] user == Administrator doesn't work

Edmundo Valle Neto edmundo.valle at terra.com.br
Wed Oct 24 20:29:49 GMT 2007


Vadim Vatlin wrote:
> User in group Domain Admins hasn't superuser (Administrator) privileges.
>
> For the first:
>
> shell> adduser poweruser
> shell> pdbedit -a -u poweruser
> shell> id poweruser
> uid=1004(poweruser) gid=1005(poweruser) groups=1005(poweruser)
>
> shell> net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=poweruser type=d
> shell> pdbedit -vL poweruser
> Unix username:        poweruser
> NT username:          
> Account Flags:        [U          ]
> User SID:             S-1-5-21-464898509-599635920-2875905535-1009
> Primary Group SID:    S-1-5-21-464898509-599635920-2875905535-512
> Full Name:            poweruser
> Home Directory:       \\domain\poweruser
> HomeDir Drive:        
> Logon Script:         
> Profile Path:         \\domain\poweruser\profile
> Domain:               DOMAIN
> Account desc:         
> Workstations:         
> Munged dial:          
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Wed, 24 Oct 2007 15:44:59 MSD 
> Password can change:  Wed, 24 Oct 2007 15:44:59 MSD
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
> shell> adduser plainuser
> shell> pdbedit -a -u plainuser
> shell> pdbedit -nL plainuser
> [skip]
> User SID:             S-1-5-21-464898509-599635920-2875905535-1010
> Primary Group SID:    S-1-5-21-464898509-599635920-2875905535-513
> [skip]
>
> Now:
> 1) I log in on share as "plainuser" and create folder "222".
> 2) logout.
> 3) Login as poweruser, and I can't remove folder "222"
>  Permission denied.
>
> Why???
>   

You haven't included any information about the permissions on the 
filesystem or how the share was configured. So by what you have 
included... Making a user be called "powersomething" or be included in 
any "Administrator of Whatever" group, or making the RIDs of these 
accounts anything you want, doesn't make them have any special power.

For these accounts to be "seen" as such by the clients, you put the proper 
RIDs, and for these accounts to be able to perform *some* "administrative 
tasks", you assign privileges.

There are two places where you can be allowed or denied to do something: 
the system itself and Samba. The short answer: probably because your 
filesystem permissions don't allow you to do that. There's only one 
user that can do whatever it wants on a UNIX filesystem, root.


Have you read the chapter [1] of the Samba documentation that explains 
how File, Directory, and Share Access Controls work? There's a chapter 
that explains what privileges are and do, too.

1. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html


Regards.

Edmundo Valle Neto
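
The filesystem half of the check described in this reply, as an added example (not part of the original message and not Samba code): it applies the standard UNIX mode-bit rules for removing a directory entry. uid 1004 and gid 1005 come from the `id poweruser` output quoted above; plainuser's uid 1006 and the share directory's ownership and modes are constructed for illustration, and POSIX ACLs and Samba share options are ignored.

```python
import os
import stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx triplet (0-7) that applies: owner, else group, else other."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def can_remove_entry(parent_mode, parent_uid, parent_gid, entry_uid, uid, gids):
    """Decide from mode bits alone whether uid may remove an entry from a directory.

    Assumption: no POSIX ACLs, no capabilities, no Samba-level restrictions.
    Removing a name is governed by the parent directory, not by the entry itself.
    """
    if uid == 0:
        return True, "root bypasses mode bits"
    bits = class_bits(parent_mode, parent_uid, parent_gid, uid, gids)
    if (bits & 3) != 3:  # write (2) and search (1) are both required on the parent
        return False, "no write+search permission on the parent directory"
    if (parent_mode & stat.S_ISVTX) and uid not in (entry_uid, parent_uid):
        return False, "sticky bit set: only entry owner, directory owner or root"
    return True, "parent directory is writable and searchable"

def can_remove_path(path, uid, gids):
    """Same decision, reading ownership and mode from a real path."""
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    entry = os.lstat(path)
    return can_remove_entry(parent.st_mode, parent.st_uid, parent.st_gid,
                            entry.st_uid, uid, gids)

if __name__ == "__main__":
    POWERUSER = (1004, {1005})   # from the quoted `id poweruser`
    PLAINUSER_UID = 1006         # constructed value, not on the page
    # Constructed share-root layouts: (mode, owner uid, owner gid)
    layouts = {
        "root:root 0755": (0o755, 0, 0),
        "root:poweruser 0775": (0o775, 0, 1005),
        "root:root 1777 (sticky)": (0o1777, 0, 0),
    }
    for name, (mode, ouid, ogid) in layouts.items():
        ok, why = can_remove_entry(mode, ouid, ogid, PLAINUSER_UID, *POWERUSER)
        print(f"{name:26} poweruser removes '222': {ok} ({why})")
```

In none of these layouts does the "Domain Admins" group mapping matter unless the mapped UNIX group actually has write access to the parent directory.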

