[Samba] winbind finds all domain users except Administrator

Rowland Penny rpenny at samba.org
Tue Nov 14 22:16:51 UTC 2017


On Tue, 14 Nov 2017 22:27:18 +0100
Fabian Fritz via samba <samba at lists.samba.org> wrote:

> Okay, right.
> 
> Is there anything that the Samba Administrator account can do that
> the users in the group Domain Admins can't (other than direct
> configurations on the Samba server)?

Quite a bit, but you can upgrade Domain Admins to do most of what
Administrator can do with this:

net rpc rights grant "DOMAIN\Domain Admins" PRIVILEGE -UAdministrator

Where 'PRIVILEGE' is one of these:
SeMachineAccountPrivilege  Add machines to domain
SeTakeOwnershipPrivilege  Take ownership of files or other objects
SeBackupPrivilege  Back up files and directories
SeRestorePrivilege  Restore files and directories
SeRemoteShutdownPrivilege  Force shutdown from a remote system
SePrintOperatorPrivilege  Manage printers
SeAddUsersPrivilege  Add users and groups to the domain
SeDiskOperatorPrivilege  Manage disk shares
SeSecurityPrivilege  System security
SeSystemtimePrivilege  Set the system clock
SeShutdownPrivilege  Shutdown the system
SeDebugPrivilege  Debug processes
SeSystemEnvironmentPrivilege  Modify system environment
SeSystemProfilePrivilege  Profile the system
SeProfileSingleProcessPrivilege  Profile one process
SeIncreaseBasePriorityPrivilege  Increase base priority
SeLoadDriverPrivilege  Load drivers
SeCreatePagefilePrivilege  Create page files
SeIncreaseQuotaPrivilege  Increase quota
SeChangeNotifyPrivilege  Register for change notify
SeUndockPrivilege  Undock devices
SeManageVolumePrivilege  Manage system volumes
SeImpersonatePrivilege  Impersonate users
SeCreateGlobalPrivilege  Create global
SeEnableDelegationPrivilege  Enable Delegation

> 
> Also on a kind of unrelated note: I have several Unix servers that
> used NIS up until now to get the users. I would prefer if they could
> get the username like right now, without the MYDOM\ prefix. Is it
> possible to configure winbind to leave out the domain or strip it? Or
> could I have them use LDAP to get the username from my DC without the
> domain? user map isn't an option, as then they'd have to have the
> accounts locally as well and I'd have to keep track of updates.

That one is very easy on Unix domain members (it doesn't work on DCs).
Add 'winbind use default domain = yes' to smb.conf on the Unix domain
member, then restart Samba.

Rowland
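The grant procedure above, turned into a script, as an added example that is not part of Rowland's reply or of Samba itself. It validates every requested name against the privilege list quoted in the message before running a single 'net rpc rights grant', so a typo cannot leave Domain Admins with half the intended set, and it finishes with 'net rpc rights list accounts' so the result can be checked. The domain name (MYDOM) and the assumption that 'net' will prompt for the Administrator password are the caller's; the NET variable only exists so the commands can be redirected to a stub for a dry run.

```shell
#!/bin/sh
# Added example (not Samba's code): grant privileges to "Domain Admins"
# on a Samba AD domain, one 'net rpc rights grant' per privilege.
# Usage: sh grant_rights.sh MYDOM SeMachineAccountPrivilege SeAddUsersPrivilege
set -eu

# Privilege names Samba understands, taken from the list in the message above.
KNOWN_PRIVILEGES="SeMachineAccountPrivilege SeTakeOwnershipPrivilege
SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege
SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege
SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege
SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege
SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege"

# is_known_privilege NAME: succeed only if NAME is one Samba will accept.
is_known_privilege() {
    for p in $KNOWN_PRIVILEGES; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# grant_privileges DOMAIN PRIV...: check all names first, then grant each
# one to DOMAIN\Domain Admins as Administrator (net prompts for the
# password), then list the resulting rights for verification.
# NET defaults to the real 'net' binary; a test or dry run may point it
# at a shell function instead (assumption, not a Samba feature).
grant_privileges() {
    domain=$1; shift
    for priv in "$@"; do
        if ! is_known_privilege "$priv"; then
            echo "unknown privilege: $priv (nothing granted)" >&2
            return 2
        fi
    done
    for priv in "$@"; do
        ${NET:-net} rpc rights grant "${domain}\\Domain Admins" "$priv" -UAdministrator
    done
    ${NET:-net} rpc rights list accounts -UAdministrator
}

# Run only when invoked with arguments: first the NetBIOS domain name,
# then one or more privilege names.
if [ $# -gt 0 ]; then
    grant_privileges "$@"
fi
```

Granting SeDebugPrivilege or SeLoadDriverPrivilege to a whole group is rarely what an admin wants; pass only the privileges the group actually needs (SeMachineAccountPrivilege, SeAddUsersPrivilege and SeDiskOperatorPrivilege cover most day-to-day delegation).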
