I have a couple of Samba 2.2 servers, in different locations, configured as NT Domain Controllers, but I'm experiencing some problems with logging on to the domains as Administrator in order to perform some administration tasks, such as configuring antivirus software on workstations. I won't go into the details here; I think the basic problem is my lack of understanding of how the Administrator account is treated. Ordinary user accounts work fine as far as I can see, but then, ordinary users shouldn't be able to do a bunch of things, anyway.

First: I created an Administrator account in Linux, and it wound up (here) with a UID/GID of 604. That's just an ordinary user ID, so what makes it special as far as the domain is concerned? Should the Administrator account have a UID/GID of 0? If I try to run USRMGR.EXE or SRVMGR.EXE I can see things, but can't change them ("Access is denied").

Second, what about Windows SIDs? Administrator should be S-1-5-domain-500; but if I log on as Administrator at an NT or Win2K workstation and look in the registry, I can't see that SID in HKEY_USERS. How is this set up in the Administrator account profile (roaming profiles are in use)?

I'm pretty sure that once I "grok" this stuff all the other minor system management problems will fall into place. Thanks in advance for any responses.

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
"Les Bell" <lesbell@lesbell.com.au> wrote:

>> First: I created an Administrator account in Linux, and it wound up (here) with a UID/GID of 604. That's just an ordinary user ID, so what makes it special as far as the domain is concerned? Should the Administrator account have a UID/GID of 0? If I try to run USRMGR.EXE or SRVMGR.EXE I can see things, but can't change them ("Access is denied"). <<

OK, let me answer my own question here: I already had "admin users = les,root", but I've tidied up and now have:

   domain admin group = $smbadmins
   admin users = @smbadmins

with Administrator and myself (slack, I know) as members of the group smbadmins. Having root in there probably wasn't a bright idea...

I still have trouble with USRMGR.EXE, though. Whenever I try to edit a user's information and click on OK, I get "The group name could not be found". Now, I'm assuming that "Domain Users" is faked internally to Samba and all users are in it, but shouldn't Samba find any other groups, such as the user's primary group in the Red Hat user private group scheme?

My other problem concerns an inability to add or edit registry entries (specifically IE proxy settings) on a workstation when logged in as domain administrator. I'm pretty sure that involves SIDs somehow...

[Apologies in advance for the incorrect threading my MUA produces; I'm experimenting with multiple email accounts and some other tricks here].

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Les,

On the UNIX system, addition/change of user accounts requires UID=0. If you want your Administrator to be able to manage user accounts, UID=0 is a must. Also, the RID for Administrator must be 500 for the account to have admin privileges in Windows.

If you are using an LDAP backend it is imperative that all UIDs and RIDs be unambiguous. So if you have a root account and an Administrator account, you have introduced ambiguity. It is best to use the 'root' account in place of the NT Administrator. Just make sure that the RID for the root account is 500.

- John T.

---
John H Terpstra
Samba-Team
email: jht@samba.org

> -------- Original Message --------
> Subject: [Samba] How Is Administrator Treated?
> From: "Les Bell" <lesbell@lesbell.com.au>
> Date: Wed, May 19, 2004 9:34 pm
> To: samba@lists.samba.org
"Andreas S. Haramasz" <aharamas@optonline.net> wrote:

>> edit /etc/passwd and change UID 604 to 1 for Administrator (Windows uses 0 for super user on Unix it is 1). <<

Uh-uh: now that I *am* sure about - root on Unix is 0, while on Windows the domain Administrator is SID -500 (and the Domain Administrators group is -512).

>> Also, your life is easier if you don't have Administrator on Unix instead add root=Administrator in the smbusers file. <<

Yes, I thought about this approach. But now, if you log in as Administrator, and smb.conf has "logon drive = H:", will you get /root mapped to your H: drive? That scares me.

What I'm looking for here is a *definitively* correct way to deal with the Administrator logon. If it's not just right, it seems to cause trouble with administering workstations, setting up policies, etc. but I've never seen it written up anywhere.

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
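The two approaches argued over in this thread (a separate Unix "Administrator" account with "admin users", versus mapping the Windows name onto root through the smbusers file) can be compared mechanically. The script below is an added example, not code from the thread or from the Samba project: it models a small subset of Samba's behaviour (assumption), parsing the [global] section of smb.conf naively and applying the username map as "first match wins, case-insensitive", with no handling of "@group", "*" or "!" entries. All files it reads are constructed inline; the account names and UIDs mirror the ones quoted in the thread, and the mapped configuration is the root=Administrator setup Andreas suggested, so the result shows what Les asked about: which Unix identity the "Administrator" logon actually becomes, whether it is UID 0, whether root is still listed in "admin users", and which home directory would back the H: drive.

```python
"""Resolve what a Samba 2.2-style PDC makes of the Windows 'Administrator' logon.

Added example for the thread above, not Samba's own code. Simplified model
(assumption): only [global] is parsed, the username map is first-match wins
and case-insensitive, and '@group', '*' and '!' map entries are ignored.
All input data below is constructed.
"""
import re

# Constructed /etc/passwd: root plus the 'Administrator' account with UID 604.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
les:x:500:500:Les Bell:/home/les:/bin/bash
Administrator:x:604:604:Administrator:/home/Administrator:/bin/bash
"""

# Constructed /etc/samba/smbusers in the usual 'unixname = winname ...' form.
SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
"""

# Constructed smb.conf fragment resembling the original setup (root in admin users,
# no username map, so 'Administrator' is the Unix account of that name).
SMB_CONF_UNIX_ADMIN = """\
[global]
   workgroup = LESBELL
   domain logons = yes
   logon drive = H:
   admin users = les, root
"""

# Constructed smb.conf fragment for the root=Administrator approach.
SMB_CONF_MAPPED = """\
[global]
   workgroup = LESBELL
   domain logons = yes
   logon drive = H:
   username map = /etc/samba/smbusers
   admin users = @smbadmins
"""


def parse_global(conf):
    """Return the [global] parameters as a dict with lower-cased keys."""
    params, section = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def parse_passwd(text):
    """Map Unix account name -> uid, gid and home directory."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = {"uid": int(fields[2]), "gid": int(fields[3]), "home": fields[5]}
    return users


def parse_smbusers(text):
    """Yield (unixname, [windows names]) pairs from a username map file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            unix, wins = line.split("=", 1)
            yield unix.strip(), wins.split()


def map_username(winname, smbusers_text):
    """First matching map entry wins; names compare case-insensitively (assumption)."""
    for unix, wins in parse_smbusers(smbusers_text):
        if winname.lower() in (w.lower() for w in wins):
            return unix
    return winname


def resolve(winname, conf, passwd_text, smbusers_text):
    """Describe the Unix identity a Windows logon name ends up with under this config."""
    g = parse_global(conf)
    users = parse_passwd(passwd_text)
    unix = map_username(winname, smbusers_text) if "username map" in g else winname
    acct = users.get(unix)
    admin_list = [a.strip() for a in g.get("admin users", "").split(",") if a.strip()]
    return {
        "unix_account": unix,
        "uid": acct["uid"] if acct else None,
        "is_uid0": bool(acct) and acct["uid"] == 0,
        # With 'logon drive' set and no separate 'logon home', the [homes] share
        # exposes this directory on that drive letter (assumption about the setup).
        "home_dir": acct["home"] if acct else None,
        "logon_drive": g.get("logon drive"),
        "root_in_admin_users": "root" in admin_list,
    }


if __name__ == "__main__":
    for label, conf in (("separate Unix Administrator", SMB_CONF_UNIX_ADMIN),
                        ("root = administrator via smbusers", SMB_CONF_MAPPED)):
        print(label, resolve("Administrator", conf, PASSWD, SMBUSERS))
```

The first configuration resolves "Administrator" to UID 604, an ordinary user, while root sits in "admin users" and therefore acts as UID 0 on shares; the second resolves the same logon to root, so it is UID 0 as John recommends, but its home directory is /root, which is exactly the H: drive concern raised in the last message. A real deployment would verify the same things against the live files, and would also check the account's RID (500 for the domain Administrator), which this model does not compute because it depends on the passdb backend in use.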