Tarjei Huse wrote:
Wow! I think this is the best post I've seen on any mailing list -ever-!
A minor comment/question:
3. If you want the Domain Admins group to be able to manage your Samba servers
you must ensure that this group, or its members, somehow maps to the user
'root' or the group 'root' (GID=0, on some systems this maps to the group
'wheel').
So to add / remove users and join domains the vital part is not to have
uid0==0 but gid == 0?
I've always thought that the only way to do this was to have a user with
uid 0.
Geza Gemes: If you just want a set of users to add/remove users without
being root when doing other tasks, use LDAP.
Tarjei
Sorry, but IMHO you are wrong at this point: joining a machine to a
domain with on-the-fly machine account creation relies on the fact of
being root (uid=0). Anyway, I have been using LDAP for some years, and manage
users and groups via scripts, and gave (via sudo) that right to the
mentioned group.
Thanks,
Geza Gemes
You can either map "Domain Admins" to the GID=0 group on the UNIX system, or
as explained below, you can do this using the "admin users" parameter in the
smb.conf global section.
You have choice in how UNIX admin capability is provided for domain users.
There are no right or wrong choices - but there are solutions that do or do
not work. If you fail to think through the chain of rights and privileges as
a user passes from a DMC to the domain then through to Samba and the UNIX OS
that hosts it, you will find the result frustrating. But if you can figure
out the simple steps from one point to another the solution is simple and
frustration will be avoided.
If someone would care to review the appropriate chapters of the
Samba-HOWTO-Collection and suggest updates I will be happy to incorporate
them into the document.
- John T.
On Sunday 17 October 2004 05:29, Gémes Géza wrote:
Hi everybody,
Ok, the logic goes like this...
If you want to use root for Domain administration purposes it has to
be in the Domain user database.
If it's a Domain user its primary group should be a Domain group.
All Domain groups in Samba are mappings from UNIX groups into SIDs.
If a mapping for a particular gid is not present it will be created
automatically using an arithmetic approach.
Therefore, if you want your root user to keep its primary gid but to
be associated with a Domain group 'Domain Admins' the best approach
will be to map this Domain group into UNIX group 'root' instead of
creating additional UNIX group 'Domain Admins'.
Another approach will be to use some other user to administer your
Domain and put it into 'admin users' list in smb.conf then you will be
free to choose any primary group for it you like just keep the
consistency between gidNumber and sambaPrimaryGroupSID. All users in
the 'admin users' list are forced into being root when they access
Samba, so you will have the same control you would have with root.
Some things to note here:
admin users is not generally the same as domain admins.
Members of the domain admin group will have administrator privileges on
a Windows (NT based) workstation, but no special rights on the Samba
shares, nor the right to manipulate the users, groups, or machines
databases.
Members of the admin users will be able to act as root to Samba (all
privileges), but are not necessarily administrators for the Windows
workstations; they are only if they are also members of the Domain Admins group.
I still have some things not very clear to me: can I have a group added
to admin users in the global section, while in the share definitions
specify another admin users (e.g. admin users = root), limiting in this
way their access to other users data, while giving them the possibility,
to join machines to the domain?
I don't know why this is not documented... I don't read documentation
that often.. I do know though that Samba team welcomes all suggestions
to make documentation better. If you know which part of the
documentation got you confused - let them know how to make it more clear.
Hope it helps,
Igor
Thanks,
Geza
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
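The two choices John describes above (mapping "Domain Admins" to the GID 0 group, or listing a group in "admin users"), together with the per-share override Géza asks about, written out as a constructed smb.conf fragment. This is an added example, not configuration from the thread or from the Samba documentation; the workgroup name, paths and the choice of "Domain Admins" as the group are assumptions, and whether a global "admin users" entry alone is enough for machine joins is exactly the point left open in the thread.

```ini
; Constructed example smb.conf (not from the thread).
;
; Option A from the thread: map the Domain Admins group onto the UNIX
; group 'root' (GID 0) instead of creating a separate UNIX group.
; Run once on the PDC (512 is the well-known RID of Domain Admins):
;   net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=domain
;
; Option B: make a group act as root towards Samba via 'admin users'.
; 'admin users' is a share-level parameter, so the value in [global]
; is only the default that each share may override.

[global]
   workgroup = EXAMPLE            ; assumed name
   security = user
   domain logons = yes
   ; Members of this group are root for every Samba operation unless a
   ; share below overrides the setting. Note that this grants root
   ; rights on Samba only, not Windows administrator rights (see Igor's
   ; note in the thread on admin users vs. Domain Admins).
   admin users = @"Domain Admins"

[netlogon]
   path = /var/lib/samba/netlogon  ; assumed path
   read only = yes

[homes]
   ; Per-share override: on users' home directories only root keeps
   ; admin rights, so 'Domain Admins' members cannot read other users'
   ; data here while still acting as root elsewhere (e.g. on IPC$).
   admin users = root
   browseable = no
   read only = no
```

Check the merged result with `testparm -s` before restarting smbd: it prints the effective per-share value of admin users, which is the quickest way to confirm that the [homes] override took precedence over the global default.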