[Samba] No Admin-Rights in SMB-PDC-Domain
Volker Lendecke
Volker.Lendecke at SerNet.DE
Wed Sep 23 04:48:57 MDT 2009
On Wed, Sep 23, 2009 at 12:45:22PM +0200, Daniel Spannbauer wrote:
>
>
> Volker Lendecke schrieb:
>> On Wed, Sep 23, 2009 at 12:33:24PM +0200, Daniel Spannbauer wrote:
>>> Hmmm, when I log in on the Workstation as Administrator (which is
>>> mapped to User root) then I get a Groupsid which ends to 513, so I
>>> get as Administrator the Rights of the normals Domain USer. But in
>>> LDAP the PrimaryGroupSid for root is set to 512 (DomainAdmins).
>>> In the Group-Entry for the Group of the DomainAdmins root is also in
>>> MemberUID.
>>>
>>> Can anybody tell me why the PrimaryGropSid isn't used by samba?
>>
>> Samba uses the gidNumber of the account and maps it via the
>> group mapping entries to a SID. We only have the
>> primaryGroupSid still in our schema because removing it
>> would have made upgrades almost impossible.
>>
>
> Hello Volker,
>
> that means if the user Root has an Entry "primaryGroupSID" with the sid
> 512 then the User should have Admin-Rights because hes in the
> Domain-Admin-Group?
No. It means that if the user xxx has the gidNumber 123 or
is otherwise member of 123 and gidNumber 123 is mapped via a
sambaGroupMapping entry to -512, then xxx should have local
Admin-Rights.
Samba IGNORES the sambaPrimaryGroupSid entry.
Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20090923/9be05c8c/attachment.pgp>
More information about the samba
mailing list