> Do you and devinfo members agree the group shared is the best choice?
> # [20domainadmingroup]
> # This parameter is intended as a temporary solution to enable
> # users to be a member of the "Domain Admins" group when a Samba
> # host is acting as a PDC. A complete solution will be provided
> # by a system for mapping Windows NT/2000 groups onto UNIX groups.
> # Please note that this parameter has a somewhat confusing name.
> # It accepts a list of usernames and of group names in standard
> # smb.conf notation.
>   domain admin group = @shared @admin root admin Administrator
My two cents:
I think this list is a bit too inclusive, explained as follows:

root:  I'm not sure we want to give people the opportunity to log into a 
windows machine as root.  It gains you nothing from an admin standpoint 
(Windows doesn't know what root is), but opens the door for security issues.  
The only time you need to use the root account from the client is when you 
join a machine to a domain.  For this function, you don't need to be logged 
into the client as root, you only need to input the root username and 
password when prompted.

admin:  Same as root.

Administrator:  This is a windows local machine account and shouldn't be 
allowed to log onto the domain.  At least I've never seen a Win NT domain 
that had the Administrator included in the domain users or domain admins 
group.

@admin: Same as admin.

@shared:  Is this a "hard wired" group or something?  If I go into my server 
manager, I don't see this group in the Groups section.


I think the best way to handle samba logons is to create two custom groups, 
d_admins and d_users (this mirrors a Windows Domain).   The domain admin 
group parameter would then be:

domain admin group = @d_admins

You would then assign all samba users to both groups.  All Ibay samba shares 
would have the d_users group assigned to them.  As Samba becomes more 
able to interpret the Windows Security model, you would pull general users 
from the d_admins group leaving only those people who should be 
administrators of the domain (likely to happen within the next three-six 
months).

Regards,

Greg J. Zartman

--
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
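
An audit of the setting discussed in this thread, as an added example that is not part of the original messages or of the e-smith templates: it reads the `domain admin group` line from smb.conf text and flags every entry other than a dedicated admin group. The allow-list `d_admins` comes from the reply above; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the template fragment quoted in the thread.
SAMPLE_CONF = """\
[global]
# temporary solution until NT groups map onto UNIX groups
  domain admin group = @shared @admin root admin Administrator
"""

# Assumption for this example: only this dedicated group may grant Domain Admins.
ALLOWED_GROUPS = {"d_admins"}
GROUP_PREFIXES = "@+&"  # smb.conf notation for group entries


def read_domain_admins(conf_text):
    """Return the entries of the last 'domain admin group' line, or []."""
    entries = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        key, sep, value = line.partition("=")
        # smb.conf parameter names ignore case and embedded whitespace
        if sep and re.sub(r"\s+", "", key).lower() == "domainadmingroup":
            entries = value.replace(",", " ").split()
    return entries


def audit(entries, allowed_groups=ALLOWED_GROUPS):
    """Return (entry, reason) for every entry that widens admin rights."""
    findings = []
    for entry in entries:
        name = entry.lstrip(GROUP_PREFIXES)
        if entry[0] not in GROUP_PREFIXES:
            findings.append((entry, "individual account listed directly"))
        elif name not in allowed_groups:
            findings.append((entry, "not a dedicated domain-admin group"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit(read_domain_admins(SAMPLE_CONF)):
        print(f"{entry}: {reason}")
```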