> On Tuesday 29 March 2005 21:57, Doug Campbell wrote: > > In the Samba How-To Chapter 13 it says: > > > > " > > The Administrator Domain SID > > Please note that when configured as a DC, it is now required that an > > account in the server's passdb backend be set to the domain SID of the > > default Administrator account. To obtain the domain SID on a > Samba DC, run > > the following command: > > > > root# net getlocalsid > > SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299 > > > > You may assign the Domain Administrator rid to an account using > the pdbedit > > command as shown here: > > > > root# pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 > -u root -r > > " > > > > > > Question: Is this information still valid after samba 3.0.11? > I didn't do > > this but things seem to be working fine. If the information is still > > valid, what would not having it affect? > > Yes, it is! > > OK. But what is the name of your administrator account? What is > the SID for > this account?
I currently only have three user accounts named: Administrator, dcampbell and nobody Both Administrator and dcampbell are in the Domain Admins group. The SIDs are as follows: Administrator SID: S-1-5-21-52543480-3766940008-3731351578-2996 dcampbell SID: S-1-5-21-52543480-3766940008-3731351578-3006 nobody SID: S-1-5-21-52543480-3766940008-3731351578-2998 Domain Admins SID: S-1-5-21-52543480-3766940008-3731351578-512 > You do realize, I hope, that the RID=500 means the account is the > Administrator for Windows clients. Any other RID will be seen by > the Windows > workstation (client) as an account other than the real Administrator. Doesn't the fact that these accounts are in the Domain Admins group make them "real" Administrators too? I seem to have Administrative access to my local machine just by being a member of teh Domain Admins group. Just now, I went ahead and set the Administrators account RID to 500 and removed it entirely for the Domain Admins group. I wasn't able to use it anymore to add a machine. I expected this to be the case since being in the Domain Admins group and having assigned it the new SE...Privilege settings was what was allowing it to administrate the domain. > What more must we do to clarify the wording so that everyone > clearly gets the > message? What is not clear in the documentation? I guess for me it would help to know what doing this step is supposed to accomplish. If I can understand what the purpose of this is, I might be able to help in clarifying the wording. Could you explain this in a little more detail, please? Thanks! Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba