Rauno Tuul
2003-Sep-05 20:21 UTC
[Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?
Hi,

Could someone explain why the parameter "domain admin group" was removed from samba3?
passdb/pdb_ldap got totally rewritten... but why remove a useful variable...

# Removed Parameters (order alphabetically):
# * domain admin group

In 2.2.8 (with LDAP backend) I defined
domain admin group = @"Domain Admins"
and added several users to that group for creating machine accounts. It worked, and well. Users in that group didn't have root permissions, but were able to add new accounts.

But what do I do in samba3?

# add machine script - will be run by smbd(8)
# when a machine is added to it's domain using
# the administrator username and password method".

I made a custom script, based on the idealx useradd script, and added some lines for working with LAM (http://lam.sf.net).
The problem is, how can this script be used by others who need to add machine accounts...
Am I correct that samba assumes "administrator username = root"????

# admin users - list of users who will be granted administrative
# privileges on the share. This means that they will do all
# file operations as the super-user (root)".

Defining several people to be "admin users" also isn't the right solution, because they get too high privileges on shares and file access. I used it and managed to add a new machine account... For samba I was "logged in as admin user (root privileges)".

# The name of the account that is used to create domain member
# machine accounts can be anything the network administrator
# may choose. If it is other than root then this is easily
# mapped to root using the file pointed to be the smb.conf
# parameter username map = /etc/samba/smbusers."

Doesn't that do exactly the same as listing users as admin users? Basically, will samba recognize that "anything" as "admin user (root privileges)" or not?

Any recommendations? Solutions?

Regards,

Rauno Tuul
Jeffrey D. Means
2003-Sep-05 21:24 UTC
[Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?
Rauno:

This was done as it is no longer needed under Samba3. Check out the 'net' command for real NT-style group management.

Jeffrey D. Means
CIO for MeansPC
meaje@meanspc.com
John H Terpstra
2003-Sep-06 00:26 UTC
[Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?
On Fri, 5 Sep 2003, Rauno Tuul wrote:

> Hi,
>
> Could someone explain why the parameter "domain admin group" was removed from
> samba3?
> passdb/pdb_ldap got totally rewritten... but why remove a useful
> variable...

Because you now have something much more powerful that provides real NT
Groups to your NT/200x/XP clients.

Here are the basic steps:

1. Add a UNIX group account that will be mapped to the NT Domain Admins
   global group:

       groupadd ntadmins

2. Now add the UNIX users who should be a member of the NT Domain Admins
   group to the UNIX ntadmins account:

   a) You can edit /etc/group so that the ntadmins entry looks like:

       ntadmins:x:543:maryo,willy,billg

   -OR-

   b) Use the system toolset to do this by:

       usermod -G ntadmins maryo
       usermod -G ntadmins willy
       usermod -G ntadmins billg

3. Now map the UNIX group to the NT Domain Admins group:

       net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins

4. Done.

Hope this helps! It is covered in the Samba-HOWTO-Collection.pdf file that is
included with Samba-3 in the docs directory.

Let me know if we missed anything! :)

- John T.

> # Removed Parameters (order alphabetically):
> # * domain admin group
> In 2.2.8 (with LDAP backend) I defined
> domain admin group = @"Domain Admins"
> and added several users to that group for creating machine accounts. It
> worked, and well. Users in that group didn't have root permissions, but were
> able to add new accounts.
>
> But what do I do in samba3?
>
> # add machine script - will be run by smbd(8)
> # when a machine is added to it's domain using
> # the administrator username and password method".
>
> I made a custom script, based on the idealx useradd script, and added some
> lines for working with LAM (http://lam.sf.net).
> The problem is, how can this script be used by others who need to add machine
> accounts...
> Am I correct that samba assumes "administrator username = root"????
>
> # admin users - list of users who will be granted administrative
> # privileges on the share. This means that they will do all
> # file operations as the super-user (root)".
>
> Defining several people to be "admin users" also isn't the right solution,
> because they get too high privileges on shares and file access. I used it and
> managed to add a new machine account... For samba I was "logged in as admin
> user (root privileges)".
>
> # The name of the account that is used to create domain member
> # machine accounts can be anything the network administrator
> # may choose. If it is other than root then this is easily
> # mapped to root using the file pointed to be the smb.conf
> # parameter username map = /etc/samba/smbusers."
>
> Doesn't that do exactly the same as listing users as admin users? Basically,
> will samba recognize that "anything" as "admin user (root privileges)" or
> not?
>
> Any recommendations? Solutions?
>
> Regards,
>
> Rauno Tuul

-- 
John H Terpstra
Email: jht@samba.org
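
An audit check for the group mapping in the steps above, added here as an example and not part of any poster's message or of Samba itself: it resolves which UNIX accounts end up in "Domain Admins" once the mapping exists. It assumes saved `net groupmap list` output with lines of the form `NT name (SID) -> unixgroup`; the function names, the SIDs and the `svcjoin` account are constructed for illustration.

```sh
#!/bin/sh
# Added example: list the UNIX accounts that end up in an NT group through
# a Samba group mapping. Function names and sample data are constructed.

# Print the UNIX group mapped to NT group $1 in file $2 (saved output of
# `net groupmap list`, assumed format: NT name (SID) -> unixgroup).
unix_group_for() {
    awk -v nt="$1" '
        { i = index($0, " ("); j = index($0, ") -> ") }
        i > 0 && j > i && substr($0, 1, i - 1) == nt { print substr($0, j + 5); exit }
    ' "$2"
}

# Print members of UNIX group $1: names listed in group file $2 plus users
# in passwd file $3 whose primary GID is that group (not shown in the list).
members_of() {
    awk -F: -v g="$1" '
        FNR == NR { if ($1 == g) { gid = $3; n = split($4, m, ",")
                        for (k = 1; k <= n; k++) if (m[k] != "") seen[m[k]] = 1 }
                    next }
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$2" "$3" | LC_ALL=C sort
}

# Resolve "Domain Admins" to its effective UNIX membership.
domain_admins() {
    ug=$(unix_group_for "Domain Admins" "$1")
    [ -n "$ug" ] || { echo "no mapping for Domain Admins" >&2; return 1; }
    members_of "$ug" "$2" "$3"
}

# Write constructed sample files into directory $1 (SIDs are placeholders).
make_sample() {
    cat > "$1/groupmap" <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
EOF
    printf '%s\n' 'users:x:100:' 'ntadmins:x:543:maryo,willy,billg' > "$1/group"
    printf '%s\n' 'maryo:x:1001:100::/home/maryo:/bin/sh' \
        'svcjoin:x:1002:543::/home/svcjoin:/bin/sh' > "$1/passwd"
}

d=$(mktemp -d) && make_sample "$d"
domain_admins "$d/groupmap" "$d/group" "$d/passwd"
rm -rf "$d"
```

In the sample, `svcjoin` is reported only because its primary GID is 543; the member list in the group file alone would not show it.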