Jason Williams
2003-Jul-31 20:13 UTC
[Samba] Question on Samba PDC: Permissions and groups
Hello everyone. Im setting up a Samba PDC running 2.2.8a with LDAP on the backend to hold user accounts, machines and passwords. My question is actually on permissions and groups for users who are part of the domain. For example, in my testing, i've been able to successfully join machines and clients to the PDC. However, when I log into the domain with the user, I noticed that they have considerably less permissions. For example, they do not have the ability to change the computer name or workgroup/domain. So in a nutshell, how can I modify permissions for items like these? How can I make more strict permissions as well as less strict permissions? Thanks everyone. Jason
Uh..., Did this come from me? I don't remember it. Strange. <shrug>Oh well, let's see...> Jim, > > Thanks Jim for your input. I really do appreciate it. Sorry for the > late reply, i've been quite busy and in and out of town recently. > > When you say you set the permissions for the group on the client, > exactly how are you doing that? > I have to put my users in one of two groups, to make a few things > seperate to do what I need. But i'd like to find options of how I can > put further permissions and such on my users. > > Also, mind if I ask how you are using the Win2K Administrator account > that comes default? Basically, did you create a Administrator account > on your PDC that would allow you to log into your client machines with > the admin account and have all the administrator privileges? > > Thanks Jim...I appreciate your time and input. > > Cheers, > > Jason > > At 07:57 AM 8/1/2003 -0700, you wrote: > >> All of my users belong to the group dusers. I would simply set the >> perms for this group on the client. >1. When one adds a machine to a domain, one is supposed to use the userid and password of the domain administrator or of an operator set up with such privlidges on the domain. So when you right click on the My Computer icon and go to the properties tab to change the name and the system prompts you for a userid and password, it is the domain administrators userid and password (or that of a properly configured operator) that one should be entering. This makes sense since we don't want random unknown people joining willy-nilly without authorization. 2. This is also an administrative issue on the local machine for a number of reasons. Consequently, the local machine does not provide access to the change button unless the user is an administrator locally. 3. Most of this you wouldn't want to change for security reasons. However, it may be the case that you have a "Power Users" group on your domain and want that reflected on your local machine. Normally we might do this by adding the group "DOMAIN/Power Users" to the group "Power Users" one the local machine however I do not think this capability has been added to Samba yet. I just tried it and it did not work.>> >> Jason Williams wrote: >> >>> Hello everyone. >>> >>> Im setting up a Samba PDC running 2.2.8a with LDAP on the backend to >>> hold user accounts, machines and passwords. >>> My question is actually on permissions and groups for users who are >>> part of the domain. >>> >>> For example, in my testing, i've been able to successfully join >>> machines and clients to the PDC. However, when I log into the domain >>> with the user, I noticed that they have considerably less >>> permissions. For example, they do not have the ability to change the >>> computer name or workgroup/domain. >>> >>> So in a nutshell, how can I modify permissions for items like these? >>> How can I make more strict permissions as well as less strict >>> permissions? >>> >>> Thanks everyone. >>> >>> Jason >> >> >> > >