> It is also confusing in name as AFAIK this parameter does not have
> anything to do with 'granting' administrative privileges. This parameter
> simply recognizes the user or group as a member of the domain.

I believe it does a little more than that. Being a member of the domain admins group grants users special privileges on the client machine. When you look at what this group does to members of a domain controlled by a Win NT 4.0 PDC, you will notice that these members are administrators of client machines. Since Samba is designed to emulate a Win NT domain controller, the same would apply to the Samba domain admins group.

This is a bit unfortunate, as making users members of this group allows them to "fiddle" with settings on the client machine and play around with local file permission settings. The typical network admin, knowing this, would say that the answer to this issue is simply: don't make any of your users members of the domain admin group. This is where you start to get into trouble with Win 2k clients (maybe Win NT as well, but I haven't run NT clients for a couple of years now).

I tried this on my client machines a few months back and users were having all kinds of trouble with various apps, the primary one being Autodesk AutoCAD 2000i (a MAJOR application in the engineering industry). I called Autodesk and asked them what I needed to do to get rid of all of the errors the software was spitting out. Two technicians responded with nearly the same answer: "tell your paranoid network admin to loosen up on security." It seems that this app, and many other Win apps, are DESIGNED so that they will not function properly unless the user has at least Power User privileges on the Win client. Since Samba has no clue what a power user is, you either have to make everyone in your domain a member of the domain admins or you have to go to every client machine in your shop and manually make every user a member of the local Power Users group.

> With further reading it appears this parameter requires a group entry
> that encompasses 'all' users. This is so that all users are recognized
> as a valid member of the domain.

I'm not sure this is entirely correct. You don't have to be a member of any group, other than the default group created by Unix when you create the user account, to log on to a Samba domain. You will simply come in as a standard Domain User. You will be able to access shares on client machines, but you may have problems accessing shares on the server. As detailed above, you'll also have difficulty running various Win apps.

All of this will be cleared up when Samba 3.0 hits the street. This version will deploy a new daemon called WinBind that integrates the Unix and Win security models. Folks have been running a beta of Winbind for at least six months now and from what I hear, it works like a champ.

Regards,

Greg J. Zartman