[Samba] No Admin-Rights in SMB-PDC-Domain
Volker.Lendecke at SerNet.DE
Wed Sep 23 04:48:57 MDT 2009
On Wed, Sep 23, 2009 at 12:45:22PM +0200, Daniel Spannbauer wrote:
> Volker Lendecke schrieb:
>> On Wed, Sep 23, 2009 at 12:33:24PM +0200, Daniel Spannbauer wrote:
>>> Hmmm, when I log in on the Workstation as Administrator (which is
>>> mapped to User root) then I get a Groupsid which ends to 513, so I
>>> get as Administrator the Rights of the normals Domain USer. But in
>>> LDAP the PrimaryGroupSid for root is set to 512 (DomainAdmins).
>>> In the Group-Entry for the Group of the DomainAdmins root is also in
>>> Can anybody tell me why the PrimaryGropSid isn't used by samba?
>> Samba uses the gidNumber of the account and maps it via the
>> group mapping entries to a SID. We only have the
>> primaryGroupSid still in our schema because removing it
>> would have made upgrades almost impossible.
> Hello Volker,
> that means if the user Root has an Entry "primaryGroupSID" with the sid
> 512 then the User should have Admin-Rights because hes in the
No. It means that if the user xxx has the gidNumber 123 or
is otherwise member of 123 and gidNumber 123 is mapped via a
sambaGroupMapping entry to -512, then xxx should have local
Samba IGNORES the sambaPrimaryGroupSid entry.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 197 bytes
Desc: Digital signature
More information about the samba