Wow! I think this is the best post I've seen on any mailing list -ever-!

A minor comment/question:

> 3. If you want the Domain Admins group to be able to manage your Samba servers
> you must ensure that this group, or its members, somehow maps to the user
> 'root' or the group 'root' (GID=0, on some systems this maps to the group
> 'wheel').

So to add / remove users and join domains the vital part is not to have
uid == 0 but gid == 0? I've always thought that the only way to do this was to
have a user with uid 0.

Geza Gemes: If you just want a set of users to add/remove users without being
root when doing other tasks, use LDAP.

Tarjei

>
> You can either map "Domain Admins" to the GID=0 group on the UNIX system, or
> as explained below, you can do this using the "admin users" parameter in the
> smb.conf global section.
>
> You have choice in how UNIX admin capability is provided for domain users.
> There are no right or wrong choices - but there are solutions that do or do
> not work. If you fail to think through the chain of rights and privileges as
> a user passes from a DMC to the domain then through to Samba and the UNIX OS
> that hosts it, you will find the result frustrating. But if you can figure
> out the simple steps from one point to another the solution is simple and
> frustration will be avoided.
>
> If someone would care to review the appropriate chapters of the
> Samba-HOWTO-Collection and suggest updates I will be happy to incorporate
> them into the document.
>
> - John T.
>
>
> On Sunday 17 October 2004 05:29, Gémes Géza wrote:
> > Hi everybody,
> >
> > > Ok, the logic goes like this...
> > >
> > > If you want to use root for Domain administration purposes it has to
> > > be in the Domain user database.
> > > If it's a Domain user its primary group should be a Domain group.
> > > All Domain groups in Samba are mappings from UNIX groups into SIDs.
> > > If mapping for a particular gid is not present it will be created
> > > automatically using arithmetic approach.
> > >
> > > Therefore, if you want your root user to keep its primary gid but to
> > > be associated with a Domain group 'Domain Admins' the best approach
> > > will be to map this Domain group into UNIX group 'root' instead of
> > > creating additional UNIX group 'Domain Admins'.
> > >
> > > Another approach will be to use some other user to administer your
> > > Domain and put it into 'admin users' list in smb.conf then you will be
> > > free to choose any primary group for it you like just keep the
> > > consistency between gidNumber and sambaPrimaryGroupSID. All users in
> > > the 'admin users' list are forced into being root when they access
> > > Samba so you will have the same control you would have with root.
> >
> > Some things to note here:
> > admin users is not generally the same as domain admins.
> > Members of the domain admin group will have administrator privileges on
> > a Windows (NT based) workstation, but no special rights on the Samba
> > shares, nor the right to manipulate the users, groups, or machines,
> > databases.
> > Members of the admin users will be able to act as root to Samba (all
> > privileges), but not necessary to be administrators, for the Windows
> > workstations, only if they are also members of the Domain Admins group.
> >
> > I still have some things not very clear to me: can I have a group added
> > to admin users in the global section, while in the share definitions
> > specify another admin users (e.g. admin users = root), limiting in this
> > way their access to other users data, while giving them the possibility,
> > to join machines to the domain?
> >
> > > I don't know why this is not documented... I don't read documentation
> > > that often.. I do know though that Samba team welcomes all suggestions
> > > to make documentation better. If you know which part of the
> > > documentation got you confused - let them know how to make it more clear.
> > >
> > > Hope it helps,
> > > Igor
> >
> > Thanks,
> >
> > Geza
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> OpenLDAP by Example, ISBN: 0131488732
> Other books in production.

--
Tarjei Huse <[EMAIL PROTECTED]>
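
An added example, not part of the original thread or of Samba itself: a small audit of the two routes to root discussed above (a domain group mapped to the GID=0 UNIX group, and the "admin users" list). The smb.conf text, group names, SIDs and GIDs are constructed, and the group-map line shape is assumed to follow `net groupmap list` output; a share's own "admin users" is treated as replacing the [global] default.

```python
import re

# Constructed sample inputs (not taken from the thread).
SMB_CONF = """
[global]
admin users = @ntadmins, jdoe
[homes]
admin users = root
[data]
path = /srv/data
"""
# Assumed line shape of `net groupmap list`: "NT group (SID) -> UNIX group".
GROUPMAP = ["Domain Admins (S-1-5-21-1111-2222-3333-512) -> root",
            "Domain Users (S-1-5-21-1111-2222-3333-513) -> users"]
UNIX_GIDS = {"root": 0, "users": 100, "ntadmins": 1005}  # as in /etc/group

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def effective_admin_users(sections):
    """Per share: its own 'admin users' if set, else the [global] default.
    Quoted names containing spaces are not handled in this sketch."""
    default = sections.get("global", {}).get("admin users", "")
    return {name: [u for u in re.split(r"[,\s]+",
                                       params.get("admin users", default)) if u]
            for name, params in sections.items() if name != "global"}

def groups_mapped_to_gid0(groupmap_lines, unix_gids):
    """Domain groups whose mapped UNIX group has GID 0."""
    hits = []
    for line in groupmap_lines:
        m = re.fullmatch(r"(.+?) \((S-[\d-]+)\) -> (\S+)", line.strip())
        if m and unix_gids.get(m.group(3)) == 0:
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(effective_admin_users(parse_smb_conf(SMB_CONF)))
    print(groups_mapped_to_gid0(GROUPMAP, UNIX_GIDS))
```

Every name either function returns acts as root on the Samba host, so the combined list is the one to review when deciding who may administer the domain.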
