I had this problem as well trying to join XP machines to the domain. One admin user was able to add machines and another was not. I discovered that I had a leftover from Samba 2.x in my smb.conf:

admin users = mac

Yup, you guessed it, mac was the only user that could add machines to the domain. Commenting out this line and mac could no longer add machines to the domain. This is really puzzling to me because I am using an ldap backend with the following mappings:

FS Web (S-1-5-21-2177951985-844638623-828914669-2259) -> fs-web
FS Users (S-1-5-21-2177951985-844638623-828914669-513) -> fs-users
FS Admin (S-1-5-21-2177951985-844638623-828914669-2260) -> fs-admin
Domain Admins (S-1-5-21-2177951985-844638623-828914669-512) -> DomainAdmins
Domain Guests (S-1-5-21-2177951985-844638623-828914669-514) -> nobody
FS Teachers (S-1-5-21-2177951985-844638623-828914669-2258) -> fs-teachers

But, just making sure that mac was in the DomainAdmins group was not enough to get admin privileges in the Windows environment.

This is a recent 3.02 installation. I really would prefer that this was in LDAP, so if anyone can point me at what I am doing wrong that would be great.

Bill

+----------------------------------------------------------
| Bill MacAllister, System Manager
| Nevada City School District
| 530-265-1857

--On Monday, April 26, 2004 02:30:49 PM -0400 Greg Kuchyt <[EMAIL PROTECTED]> wrote:

I thought this was the problem also, but adding the user to the root
group did not yield any change. I'm kind of baffled on this one.

It sounds as if it has to do with the Linux privileges. Try this:

When you create a Samba user, the equivalent account is created in the
/etc/passwd file. Add the Linux user account to the Linux root group.
This will give the user root privileges. Here is some info. from the
Samba How To:

There is no safe way to provide access on a UNIX/Linux system without
providing root level privilege. Provision of root privileges can be done
either by logging onto the Domain as the user root, or by permitting
particular users to use a UNIX account that is a member of the UNIX group
that has a GID=0 as the primary group in the /etc/passwd database. Users
of such accounts can use tools like the NT4 Domain User Manager, and the
NT4 Domain Server Manager to manage user and group accounts as well as
Domain Member server and client accounts. This level of privilege is
also needed to manage share level ACLs.

-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba


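An added example, not part of the original thread and not Samba project code: a small audit that lists every active `admin users` entry in an smb.conf and every non-root account whose primary group is GID 0, the two root-equivalent grants discussed in the messages above. The function names and the sample config and passwd contents are constructed for illustration; only the `admin users = mac` setting comes from the post.

```python
import re
import shlex

# Constructed sample inputs (only "admin users = mac" appears in the thread).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://localhost
   ; admin users = olduser
   admin users = mac, @fs-admin

[web]
   path = /srv/web
   Admin Users = webmaster
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mac:x:1001:0:Mac:/home/mac:/bin/bash
greg:x:1002:100:Greg:/home/greg:/bin/bash
"""

def find_admin_users(conf_text):
    """Return {section: [names]} for every active 'admin users' line."""
    findings, section = {}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # smb.conf parameter names ignore case and internal whitespace.
        if sep and re.sub(r"\s+", "", key).lower() == "adminusers":
            names = shlex.split(value.replace(",", " "))
            findings.setdefault(section, []).extend(names)
    return findings

def gid0_accounts(passwd_text):
    """Return non-root accounts whose primary GID (4th field) is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

if __name__ == "__main__":
    print("admin users entries:", find_admin_users(SAMPLE_SMB_CONF))
    print("non-root accounts with primary GID 0:", gid0_accounts(SAMPLE_PASSWD))
```

Every name either function reports operates on the file server with root-equivalent rights, so each one should have a documented reason to be there.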