[Samba] winbind finds all domain users except Administrator
Rowland Penny
rpenny at samba.org
Tue Nov 14 22:16:51 UTC 2017
On Tue, 14 Nov 2017 22:27:18 +0100
Fabian Fritz via samba <samba at lists.samba.org> wrote:
> Okay, right.
>
> Is there anything that the Samba administrator account can do that
> the users in the group domain admins can't (other than direct
> configurations on the samba server)?
Quite a bit, but you can upgrade Domain Admins to do most of what
Administrator can do with this:

net rpc rights grant "DOMAIN\Domain Admins" PRIVILEGE -UAdministrator

Where 'PRIVILEGE' is one of these:
SeMachineAccountPrivilege        Add machines to domain
SeTakeOwnershipPrivilege         Take ownership of files or other objects
SeBackupPrivilege                Back up files and directories
SeRestorePrivilege               Restore files and directories
SeRemoteShutdownPrivilege        Force shutdown from a remote system
SePrintOperatorPrivilege         Manage printers
SeAddUsersPrivilege              Add users and groups to the domain
SeDiskOperatorPrivilege          Manage disk shares
SeSecurityPrivilege              System security
SeSystemtimePrivilege            Set the system clock
SeShutdownPrivilege              Shutdown the system
SeDebugPrivilege                 Debug processes
SeSystemEnvironmentPrivilege     Modify system environment
SeSystemProfilePrivilege         Profile the system
SeProfileSingleProcessPrivilege  Profile one process
SeIncreaseBasePriorityPrivilege  Increase base priority
SeLoadDriverPrivilege            Load drivers
SeCreatePagefilePrivilege        Create page files
SeIncreaseQuotaPrivilege         Increase quota
SeChangeNotifyPrivilege          Register for change notify
SeUndockPrivilege                Undock devices
SeManageVolumePrivilege          Manage system volumes
SeImpersonatePrivilege           Impersonate users
SeCreateGlobalPrivilege          Create global
SeEnableDelegationPrivilege      Enable Delegation
>
> Also on a kind of unrelated note: I have several Unix servers that
> used NIS up until now to get the users. I would prefer if they could
> get the username like right now, without the MYDOM\ prefix. Is it
> possible to configure winbind to leave out the domain or strip it? Or
> could I have them use LDAP to get the username from my DC without the
> domain? user map isn't an option, as then they'd have to have the
> accounts locally as well and I'd have to keep track of updates.
That one is very easy on Unix domain members (it doesn't work on DCs).
Add 'winbind use default domain = yes' to smb.conf on the Unix domain
member, then restart Samba.
Rowland
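The two changes in the reply above, the 'net rpc rights grant' step and the 'winbind use default domain = yes' setting, as an added shell example that is not part of the thread or of Samba itself. It does not run 'net'; it prints the grant command lines for review after checking each privilege name against the list in the reply (so a misspelt privilege is caught before anything reaches the DC), and it checks an smb.conf for an active 'winbind use default domain' line. Assumptions: 'SAMDOM' is a placeholder NetBIOS domain name, the sample smb.conf fragment is constructed for the demo, and the config check only recognises the parameter spelled as in the reply (it does not attempt Samba's own parameter-name normalisation).

```shell
#!/bin/sh
# Added example, not from the thread: dry-run helpers for the two changes
# described in the reply. Assumptions: "SAMDOM" is a placeholder NetBIOS
# domain name; privilege names are exactly those listed in the reply; the
# smb.conf check matches only the spelling given there.

# Privileges 'net rpc rights grant' accepts, as enumerated in the reply.
KNOWN_PRIVILEGES="
SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege
SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege
SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege
SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege
SeSystemEnvironmentPrivilege SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege
SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege
"

# privilege_known NAME: succeed only if NAME is in KNOWN_PRIVILEGES.
privilege_known() {
    for p in $KNOWN_PRIVILEGES; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# build_grant_cmd 'DOMAIN\Group' PRIV...: print one 'net rpc rights grant'
# line per privilege, in the form the reply uses. All names are validated
# first; if any is unknown nothing is printed and the function fails, so a
# typo cannot slip through among valid entries. Nothing is executed here.
build_grant_cmd() {
    [ $# -ge 2 ] || { echo "usage: build_grant_cmd 'DOMAIN\\Group' PRIV..." >&2; return 1; }
    group="$1"; shift
    for priv in "$@"; do
        privilege_known "$priv" || {
            echo "build_grant_cmd: unknown privilege '$priv'" >&2; return 1; }
    done
    for priv in "$@"; do
        printf 'net rpc rights grant "%s" %s -UAdministrator\n' "$group" "$priv"
    done
}

# winbind_default_domain_set FILE: succeed if FILE contains an active
# (uncommented) 'winbind use default domain = yes' line. Samba also takes
# true/1 as yes, and parameter names are case-insensitive, so both are allowed.
winbind_default_domain_set() {
    grep -iqE '^[[:space:]]*winbind[[:space:]]+use[[:space:]]+default[[:space:]]+domain[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# Demo on a constructed smb.conf fragment (not a real configuration).
demo() {
    conf=$(mktemp) || return 1
    printf '%s\n' '[global]' '   workgroup = SAMDOM' '   security = ADS' \
        '   winbind use default domain = yes' > "$conf"
    if winbind_default_domain_set "$conf"; then
        echo "$conf: users will appear without the SAMDOM\\ prefix"
    else
        echo "$conf: winbind use default domain is not enabled"
    fi
    rm -f "$conf"
    # Print the grant lines for two privileges; review, then run them yourself.
    build_grant_cmd 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege SeAddUsersPrivilege
}
demo
```

Feeding the printed lines to sh is the admin's decision; keeping generation and execution separate means the command that grants a privilege to a whole group is always visible before it runs.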