[Samba] user == Administrator doesn't work
Edmundo Valle Neto
edmundo.valle at terra.com.br
Wed Oct 24 20:29:49 GMT 2007
Vadim Vatlin escreveu:
> User in group Domain Admins hasnt superuser (Administrator) privileges.
> For the first:
> shell> adduser poweruser
> shell> pdbedit -a -u poweruser
> shell> id poweruser
> uid=1004(poweruser) gid=1005(poweruser) groups=1005(poweruser)
> shell> net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=poweruser type=d
> shell> pdbedit -vL poweruser
> Unix username: poweruser
> NT username:
> Account Flags: [U ]
> User SID: S-1-5-21-464898509-599635920-2875905535-1009
> Primary Group SID: S-1-5-21-464898509-599635920-2875905535-512
> Full Name: poweruser
> Home Directory: \\domain\poweruser
> HomeDir Drive:
> Logon Script:
> Profile Path: \\domain\poweruser\profile
> Domain: DOMAIN
> Account desc:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Wed, 24 Oct 2007 15:44:59 MSD
> Password can change: Wed, 24 Oct 2007 15:44:59 MSD
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> shell> adduser plainuser
> shell> pdbedit -a -u plainuser
> shell> pdbedit -nL plainuser
> User SID: S-1-5-21-464898509-599635920-2875905535-1010
> Primary Group SID: S-1-5-21-464898509-599635920-2875905535-513
> 1) I login on share as "plainuser" and create folder "222".
> 2) logout.
> 3) Login as poweruser, and I cant remove folder "222"
> Permission denied.
You haven't included any information about the permissions on the
filesystem or how was the share configured. So by what you have
included... Making a user be called "powersomething" or be included in
any "Administrator of Whatever" group, or making the RIDs of these
accounts anything you want, doesn't make them have any special power.
To these accounts be "seen" as such by the clients you put the proper
RIDs and to these accounts be able to make *some* "administrative tasks"
you assign privileges.
Theres two places where you can be allowed or denied to do something,
the system itself and samba. The short answer: probably because your
filesystem permissions doesn't allow you to do that. Theres only one
user that can do whatever it wants on a UNIX filesystem, root.
Have you readed the chapter  of the samba documentation that explains
how File, Directory, and Share Access Controls works? Theres a chapter
that explain what privileges are and do too.
Edmundo Valle Neto
More information about the samba