[Samba] Administrative users on domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jul 17 09:11:58 MDT 2013


According to the net man page


        In order for Samba to be joined or unjoined remotely an account 
must be
        used that is either member of the Domain Admins group, a member 
of the
        local Administrators group or a user that is granted the
        SeMachineAccountPrivilege privilege.




The simplest thing is probably to have the Domain IT group be a member 
of the local admin group on each machine.  I don't know if you would 
need to grant them the  SeMachineAccountPrivilege.



On 07/17/13 09:44, Donny Brooks wrote:
>   
>
>   
> On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld <samba at marc-muehlfeld.de> wrote:
>   
>> Hello Donny,
>>
>> Am 12.07.2013 21:34, schrieb Donny Brooks:
>>> On the old domain, which was setup before I got here,
>>   > our IT section was in an ldap group that allowed us to
>>   > join PC's to the domain ...
>>
>> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
>>
>>
>>
>>
>>   > ... and when the prompt came up in windows to
>>   > install software we could log in as ourselves.
>>
>> What do you mean by this? Do you want to have a group of users
>> automatically in the "administrator" group on your workstations?
>>
>> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
>>
>> If you mean something else, please give some more details.
>>
>>
>>
>> Regards,
>> Marc
>>
>>
>>
>>
>>
>   
> Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.
>



More information about the samba mailing list