Vadim Vatlin wrote:
> User in group Domain Admins hasn't superuser (Administrator) privileges.
>
> For the first:
>
> shell> adduser poweruser
> shell> pdbedit -a -u poweruser
> shell> id poweruser
> uid=1004(poweruser) gid=1005(poweruser) groups=1005(poweruser)
>
> shell> net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=poweruser type=d
> shell> pdbedit -vL poweruser
> Unix username: poweruser
> NT username:
> Account Flags: [U ]
> User SID: S-1-5-21-464898509-599635920-2875905535-1009
> Primary Group SID: S-1-5-21-464898509-599635920-2875905535-512
> Full Name: poweruser
> Home Directory: \\domain\poweruser
> HomeDir Drive:
> Logon Script:
> Profile Path: \\domain\poweruser\profile
> Domain: DOMAIN
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Wed, 24 Oct 2007 15:44:59 MSD
> Password can change: Wed, 24 Oct 2007 15:44:59 MSD
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
> shell> adduser plainuser
> shell> pdbedit -a -u plainuser
> shell> pdbedit -nL plainuser
> [skip]
> User SID: S-1-5-21-464898509-599635920-2875905535-1010
> Primary Group SID: S-1-5-21-464898509-599635920-2875905535-513
> [skip]
>
> Now:
> 1) I log in on share as "plainuser" and create folder "222".
> 2) logout.
> 3) Login as poweruser, and I can't remove folder "222"
> Permission denied.
>
> Why???
>
You haven't included any information about the permissions on the
filesystem or how the share was configured. So by what you have
included... Making a user be called "powersomething" or be included in
any "Administrator of Whatever" group, or making the RIDs of these
accounts anything you want, doesn't make them have any special power.
For these accounts to be "seen" as such by the clients, you set the
proper RIDs, and for these accounts to be able to do *some*
"administrative tasks", you assign privileges.

There are two places where you can be allowed or denied to do something:
the system itself and Samba. The short answer: probably because your
filesystem permissions don't allow you to do that. There's only one
user that can do whatever it wants on a UNIX filesystem: root.

Have you read the chapter [1] of the Samba documentation that explains
how File, Directory, and Share Access Controls work? There's a chapter
that explains what privileges are and do, too.

[1] http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

Regards.
Edmundo Valle Neto
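
The filesystem-side check the reply refers to, as an added example that is not part of the original thread: a simplified model of the classic UNIX mode-bit rule for removing a directory entry, applied to the `poweruser` ids quoted above. It ignores POSIX ACLs and capabilities; the `plainuser` uid and the three share-directory ownership/mode combinations are constructed for illustration.

```python
import stat

def may_remove_entry(uid, gids, parent_mode, parent_uid, parent_gid, entry_uid):
    """Model of the mode-bit check for rmdir/unlink of an entry in a directory.

    The decision is made on the *parent* directory: the caller needs write and
    search (w+x) permission on it, and if the sticky bit is set the caller must
    also own the entry or the parent. NT group names and RIDs play no part.
    """
    if uid == 0:                       # root bypasses the permission check
        return True
    if uid == parent_uid:              # exactly one permission class applies
        bits = (parent_mode >> 6) & 7
    elif parent_gid in gids:
        bits = (parent_mode >> 3) & 7
    else:
        bits = parent_mode & 7
    if bits & 3 != 3:                  # need both w (2) and x (1)
        return False
    if parent_mode & stat.S_ISVTX:     # sticky directory: only owners may delete
        return uid in (entry_uid, parent_uid)
    return True

POWERUSER_UID, POWERUSER_GIDS = 1004, {1005}   # from the `id poweruser` output
PLAINUSER_UID = 1010                            # constructed; not shown in the thread

def scenarios():
    """Can poweruser remove a folder created by plainuser in the share root?"""
    # share root as (mode, owner uid, group gid); all three are constructed
    cases = {
        "root:root 1777": (0o1777, 0, 0),
        "plainuser:plainuser 0755": (0o0755, PLAINUSER_UID, PLAINUSER_UID),
        "root:poweruser 0775": (0o0775, 0, 1005),
    }
    return {name: may_remove_entry(POWERUSER_UID, POWERUSER_GIDS,
                                   mode, puid, pgid, PLAINUSER_UID)
            for name, (mode, puid, pgid) in cases.items()}

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:28} -> {'allowed' if allowed else 'Permission denied'}")
```

Only the third layout lets `poweruser` delete the folder, and it does so through the UNIX group on the share directory, not through the "Domain Admins" mapping.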