[Samba] Samba4: "MYDOM\Administrator" quite useless on a member
Rowland Penny
rowlandpenny at googlemail.com
Mon Oct 27 15:29:01 MDT 2014
On 27/10/14 20:55, ?icro MEGAS wrote:
>> Comment from Rowland:
>> [...]an AD user without a uidNumber is merely a windows user
> Hi Rowland,
>
> just for my understanding, I have a question. If a domain user in my samba4 AD domain does not have been assigned with a "uid" on the [UNIX Attribute] tab of my ADUC tool, that user in general *cannot* access any of the shares of that particular member server? Is that correct? My [home] and [profile] share resides on my member server, thus I definitely *need* to assign to every domain user a uid so that he will be able to use that shares, right?
It is a bit more complicated than that, if you use a member server as
you are doing, then yes, the underlying Unix machine has to know who
your windows users are. You can use nlscd, sssd or winbind to do this,
now if you use either of the last two, they can be set up in a way that
they will be given a uidNumber automatically based on the users RID. If
you give your users the required rfc2307 attributes, you can use any of
the three and give your users individual home directory paths for
instance, something that is not possible without using rfc2307. What I
will say is, I think that it is better to use the rfc2307 attributes
than not to.
>
> My other question still exists, it is the same as the topic of this thread :-) As you said one shouldn't assign a uid to the MYDOM\Administrator account (because he looses its special permissions and thus will be converted to a 'normal' UNIX user on the member server), I am still wondering myself:
>
> Is MYDOM\Administrator therefore *useless* on a memberserver? I cannot use that account for accessing shares on the member server, right? (assuming I didn't have assigned a UID to him, as you suggested).
This is a valid question and no the 'Administrator' is not useless on a
memberserver, you need him (her ??) as a bridge to the root user from
windows, this is what the smbmap is for, if you need to do something
from windows on a Unix machine that only 'root' can do easily, then do
it as 'root' via the smbmap. Just as you wouldn't really do much as the
Administrator on windows (well you wouldn't login and run word all day
long, for instance), you do not, as a rule, login as root on a Unix
machine and carry out day to day operations.
Rowland
>
> Thanks and greetings,
> Mirco
More information about the samba
mailing list