Daniel Wilson
2004-Nov-17 11:06 UTC
[samba] create account that can join machines but not admin access on domain
hi list,

I'm using samba 3.0.8 with LDAP.

To add a machine to the domain I currently use the administrator account (which has uidNumber=0), which means this account has automatic root on all of the shares (my shares aren't using samba, I'm using NetApp Filers, which have been configured to authenticate via samba). When we roll this project out across the university (approx 50,000 users) we want the technicians in each school to be able to add machines to the domain but not get root/admin access to all the shares.

So my question is: can you create an account that can add machines to the domain but doesn't get root/admin privileges on all the shares/domain (as that would conflict with human rights issues etc...)?

Regards

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Wilson
Systems Administrator
IT & Communications Service
University of Sunderland
Unit1 Technology Park
Chester Road
Sunderland SR2 7PT
Tel: 0191 515 2695

This e-mail contains information which is confidential and may be privileged and is for the exclusive use of the recipient. It is the responsibility of the recipient to ensure that this message and its attachments are virus free. Any views or opinions presented are solely those of the author and do not necessarily represent those of the University, unless otherwise specifically stated.
MaTT
2004-Nov-17 15:33 UTC
[samba] create account that can join machines but not admin access on domain
Hi Daniel... this is from the Samba Docs... will help

One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this?

Users who are members of the Domain Admins group can add machines to the Domain. This group is mapped to the UNIX group account called root (or equivalent on wheel on some UNIX systems) that has a GID of 0. This must be the primary GID of the account of the user who is a member of the Windows Domain Admins account.

MRB
http://www.lionix.com
Linux

Daniel Wilson wrote:
> hi list,
>
> I'm using samba 3.0.8 with LDAP.
>
> To add a machine to the domain I currently use the administrator account (which has uidNumber=0), which means this account has automatic root on all of the shares (my shares aren't using samba, I'm using NetApp Filers, which have been configured to authenticate via samba). When we roll this project out across the university (approx 50,000 users) we want the technicians in each school to be able to add machines to the domain but not get root/admin access to all the shares.
>
> So my question is: can you create an account that can add machines to the domain but doesn't get root/admin privileges on all the shares/domain (as that would conflict with human rights issues etc...)?
>
> Regards
>
Daniel Wilson
2004-Nov-17 16:55 UTC
[samba] create account that can join machines but not admin access on domain
MaTT wrote:
> Hi Daniel... this is from the Samba Docs... will help
>
> One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this?
>
> Users who are members of the Domain Admins group can add machines to the Domain. This group is mapped to the UNIX group account called root (or equivalent on wheel on some UNIX systems) that has a GID of 0. This must be the primary GID of the account of the user who is a member of the Windows Domain Admins account.
>
> MRB
> http://www.lionix.com
> Linux
>
> Daniel Wilson wrote:
>
>> hi list,
>>
>> I'm using samba 3.0.8 with LDAP.
>>
>> To add a machine to the domain I currently use the administrator account (which has uidNumber=0), which means this account has automatic root on all of the shares (my shares aren't using samba, I'm using NetApp Filers, which have been configured to authenticate via samba). When we roll this project out across the university (approx 50,000 users) we want the technicians in each school to be able to add machines to the domain but not get root/admin access to all the shares.
>>
>> So my question is: can you create an account that can add machines to the domain but doesn't get root/admin privileges on all the shares/domain (as that would conflict with human rights issues etc...)?
>>
>> Regards
>>

I've tried to set GID 0 on an account, but I get an "unknown username or password" error when I try to add it; if I use administrator, adding is successful! ????
MaTT
2004-Nov-17 17:37 UTC
[samba] create account that can join machines but not admin access on domain
Daniel, increase the log level and check if the information provided gives any help.

Daniel Wilson wrote:
> MaTT wrote:
>
>> Hi Daniel... this is from the Samba Docs... will help
>>
>> One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this?
>>
>> Users who are members of the Domain Admins group can add machines to the Domain. This group is mapped to the UNIX group account called root (or equivalent on wheel on some UNIX systems) that has a GID of 0. This must be the primary GID of the account of the user who is a member of the Windows Domain Admins account.
>>
>> MRB
>> http://www.lionix.com
>> Linux
>>
>> Daniel Wilson wrote:
>>
>>> hi list,
>>>
>>> I'm using samba 3.0.8 with LDAP.
>>>
>>> To add a machine to the domain I currently use the administrator account (which has uidNumber=0), which means this account has automatic root on all of the shares (my shares aren't using samba, I'm using NetApp Filers, which have been configured to authenticate via samba). When we roll this project out across the university (approx 50,000 users) we want the technicians in each school to be able to add machines to the domain but not get root/admin access to all the shares.
>>>
>>> So my question is: can you create an account that can add machines to the domain but doesn't get root/admin privileges on all the shares/domain (as that would conflict with human rights issues etc...)?
>>>
>>> Regards
>>>
> I've tried to set GID 0 on an account, but I get an "unknown username or password" error when I try to add it; if I use administrator, adding is successful! ????
>
Daniel Wilson
2004-Nov-18 11:44 UTC
[samba] create account that can join machines but not admin access on domain
MaTT wrote:
> Daniel, increase the log level and check if the information provided gives any help.
>
> MRB
> http://www.lionix.com
> Linux
>
> Daniel Wilson wrote:
>
>> MaTT wrote:
>>
>>> Hi Daniel... this is from the Samba Docs... will help
>>>
>>> One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this?
>>>
>>> Users who are members of the Domain Admins group can add machines to the Domain. This group is mapped to the UNIX group account called root (or equivalent on wheel on some UNIX systems) that has a GID of 0. This must be the primary GID of the account of the user who is a member of the Windows Domain Admins account.
>>>
>>> MRB
>>> http://www.lionix.com
>>> Linux
>>>
>>> Daniel Wilson wrote:
>>>
>>>> hi list,
>>>>
>>>> I'm using samba 3.0.8 with LDAP.
>>>>
>>>> To add a machine to the domain I currently use the administrator account (which has uidNumber=0), which means this account has automatic root on all of the shares (my shares aren't using samba, I'm using NetApp Filers, which have been configured to authenticate via samba). When we roll this project out across the university (approx 50,000 users) we want the technicians in each school to be able to add machines to the domain but not get root/admin access to all the shares.
>>>>
>>>> So my question is: can you create an account that can add machines to the domain but doesn't get root/admin privileges on all the shares/domain (as that would conflict with human rights issues etc...)?
>>>>
>>>> Regards
>>>>
>> I've tried to set GID 0 on an account, but I get an "unknown username or password" error when I try to add it; if I use administrator, adding is successful! ????
>>

This is what I get from the log level. I have even mapped my domain admin group to a posixGroup called root with gidNumber=0, also set the user gidNumber to 0 and also added them to the domain admin group; the only way it works is if I set uidNumber=0, which isn't acceptable in our environment.

This is log level = 2:

quigon1:/opt/smbldap-tools-0.8.5 # tail -n 0 -f /usr/local/var/log.smbd | more
[2004/11/18 11:43:07, 2] lib/smbldap.c:smbldap_search_domain_info(1374)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=UNI-STAFF))]
[2004/11/18 11:43:07, 2] lib/smbldap.c:smbldap_open_connection(693)
  smbldap_open_connection: connection opened
[2004/11/18 11:43:07, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/11/18 11:43:07, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/11/18 11:43:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: ws0dwi
[2004/11/18 11:43:07, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
  init_group_from_ldap: Entry found for group: 0
[2004/11/18 11:43:07, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
  init_group_from_ldap: Entry found for group: 901
[2004/11/18 11:43:07, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [ws0dwi] -> [ws0dwi] -> [ws0dwi] succeeded
[2004/11/18 11:43:08, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2487)
  Returning domain sid for domain UNI-STAFF -> S-1-5-21-82148923-2461359520-1342846908
[2004/11/18 11:43:08, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2004/11/18 11:43:08, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2487)
  Returning domain sid for domain UNI-STAFF -> S-1-5-21-82148923-2461359520-1342846908
[2004/11/18 11:43:08, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2004/11/18 11:43:08, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/11/18 11:43:09, 2] lib/smbldap.c:smbldap_search_domain_info(1374)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=UNI-STAFF))]
[2004/11/18 11:43:09, 2] lib/smbldap.c:smbldap_search_domain_info(1374)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=UNI-STAFF))]
[2004/11/18 11:43:09, 2] lib/smbldap.c:smbldap_open_connection(693)
  smbldap_open_connection: connection opened
[2004/11/18 11:43:09, 2] lib/smbldap.c:smbldap_open_connection(693)
  smbldap_open_connection: connection opened
[2004/11/18 11:43:09, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/11/18 11:43:09, 2] smbd/reply.c:reply_special(235)
  netbios connect: name1=QUIGON1 name2=D-CONWAY-LAP
[2004/11/18 11:43:09, 2] smbd/reply.c:reply_special(242)
  netbios connect: local=quigon1 remote=d-conway-lap, name type = 0
[2004/11/18 11:43:09, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/11/18 11:43:09, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/11/18 11:43:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: ws0dwi
[2004/11/18 11:43:09, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
  init_group_from_ldap: Entry found for group: 0
[2004/11/18 11:43:09, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
  init_group_from_ldap: Entry found for group: 901
[2004/11/18 11:43:09, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [ws0dwi] -> [ws0dwi] -> [ws0dwi] succeeded
[2004/11/18 11:43:11, 2] smbd/server.c:exit_server(571)
  Closing connections
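A small checker, added here and not part of the thread or of Samba, that pulls the ACCESS DENIED lines out of a level-2 smbd log like the one above and decodes which SAMR domain-access bits the joining account lacked (here: granted 0x201 but CREATE_USER 0x10 required). The bit names are assumed from the MS-SAMR domain access mask; the log itself only shows the hex values.

```python
import re

# MS-SAMR domain-object access-mask bits (assumed names; the log shows only hex).
DOMAIN_ACCESS_BITS = {
    0x001: "READ_PASSWORD_PARAMETERS", 0x002: "WRITE_PASSWORD_PARAMS",
    0x004: "READ_OTHER_PARAMETERS", 0x008: "WRITE_OTHER_PARAMETERS",
    0x010: "CREATE_USER", 0x020: "CREATE_GROUP", 0x040: "CREATE_ALIAS",
    0x080: "GET_ALIAS_MEMBERSHIP", 0x100: "LIST_ACCOUNTS", 0x200: "LOOKUP",
    0x400: "ADMINISTER_SERVER",
}

# Both ACCESS DENIED shapes that appear in the log above:
#   _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
#   _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
DENIED_RE = re.compile(
    r"(?P<func>_samr_\w+): ACCESS DENIED \("
    r"(?:requested: (?P<requested>0x[0-9a-f]+)"
    r"|granted: (?P<granted>0x[0-9a-f]+); required: (?P<required>0x[0-9a-f]+))\)",
    re.IGNORECASE,
)

def bit_names(mask):
    """Expand an access mask into the MS-SAMR bit names it contains."""
    return [name for bit, name in sorted(DOMAIN_ACCESS_BITS.items()) if mask & bit]

def find_denials(log_text):
    """One dict per ACCESS DENIED line, with the bits the caller did not hold."""
    results = []
    for m in DENIED_RE.finditer(log_text):
        if m["required"] is not None:
            granted, required = int(m["granted"], 16), int(m["required"], 16)
        else:  # open_domain logs only the requested mask; treat all of it as missing
            granted, required = 0, int(m["requested"], 16)
        missing = required & ~granted
        results.append({"func": m["func"], "granted": granted, "required": required,
                        "missing": missing, "missing_names": bit_names(missing)})
    return results

# Constructed excerpt: two header/message pairs copied from the level-2 log above.
SAMPLE_LOG = """\
[2004/11/18 11:43:08, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2004/11/18 11:43:08, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
"""

if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(f"{d['func']}: missing {d['missing']:#x} -> {d['missing_names']}")
```

Run against the full log, the second hit is the one that matters: the account authenticated fine but was never granted the CREATE_USER bit on the domain object, which is why the join fails unless uidNumber is 0.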