samba - Dec 2004 - domain administrator is always mapped to root

Hello,

I have found out that a domain administrator is always mapped to root in 
the UNIX filesystem:

drwx------   2 jive  smbguests 1024 2004-12-23 18:59 jive
drwx------  13 salsa smbusers  1024 2004-12-23 18:58 salsa
drwx------  13 root  smbadmins 1024 2004-12-23 18:56 tango

jive is a domain guest user, salsa a domain user and tango a domain 
administrator.

Is it possible to change the root ownership behaviour?

Thanks
Florian

Florian Effenberger wrote:
> I have found out that a domain administrator is always mapped to root in 
> the UNIX filesystem:
Yup, found that as well. It seems to be hard coded behavior in the Samba code.
Even though it would make sense to never log in as root, you can not tell Samba
root is an invalid user or you will not
like the results. "Been there, Done that"... documented in the PDF as
well.

-- 
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.

Florian Effenberger wrote:
> Hello,
>
> I have found out that a domain administrator is always mapped to root 
> in the UNIX filesystem:
>
> drwx------   2 jive  smbguests 1024 2004-12-23 18:59 jive
> drwx------  13 salsa smbusers  1024 2004-12-23 18:58 salsa
> drwx------  13 root  smbadmins 1024 2004-12-23 18:56 tango
>
> jive is a domain guest user, salsa a domain user and tango a domain 
> administrator.
Yes, if tango is listed as admin user in smb.conf.
>
> Is it possible to change the root ownership behaviour?
Don't list Tango as admin user in smb.conf.
>
> Thanks
> Florian

Hi Michael,
> Yup, found that as well. It seems to be hard coded behavior in the Samba 
> code. Even though it would make sense to never log in as root, you can 
> not tell Samba root is an invalid user or you will not like the results. 
> "Been there, Done that"... documented in the PDF as well.
@Samba team: is this by intense or is this a bug? I find it is a problem 
when you switch from Domain Admin to Domain User, as the unix 
permissions are wrong then... :)

Florian

Hi Michael,
> 2) Anyone who is a Samba Domain Admin will cause things in the log to 
> equate the user to being the root user. Just how Samba thinks about things.
okay. Any chance to get that "fixed" by the Samba development team?
:-)

Florian

Florian Effenberger wrote:
> Hi Michael,
>
>> 2) Anyone who is a Samba Domain Admin will cause things in the log to 
>> equate the user to being the root user. Just how Samba thinks about 
>> things.
>
>
> okay. Any chance to get that "fixed" by the Samba development
team? :-)
Get what fixed?  The OS is Unix.  The administrator IS root.  What is 
there to "fix"?
>
> Florian

Hi,
> Get what fixed?  The OS is Unix.  The administrator IS root.  What is 
> there to "fix"?
root is root (Unix admin, Domain admin). tango is tango (NOT an Unix 
admin, but Domain admin). Is there a technical necessity of mapping 
tango to root?

Florian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| root is root (Unix admin, Domain admin). tango is tango (NOT an Unix
| admin, but Domain admin). Is there a technical necessity of mapping
| tango to root?

I surmise that in order to properly emulate Windows behavior Samba must
do some of these things that we *nix guys find pesky. I imagine that the
only way around this behaviour would probably include coming up with a
special PAM module and that may be outside the scope of the Samba
project. Otherwise you are going to need to be able to do root things
like change passwords, delete users and stuff.


Jim C.
- --
- -----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
|---------------------------------------------------------------|
| Y!: j_c_llings            Jabber: jcllings @ njs.netlab.cz	|
- -----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBzF1v57L0B7uXm9oRAs9rAJwJU0hmDHOdqGtWoeSNZ2XXYdDKJQCfaKWe
4zO74GZ30AyIDHYEt3pKy38=4t7v
-----END PGP SIGNATURE-----

Hi Jim,

okay, I guess I got the point. :-)

Florian

domain admin and admin user are two different things. Look closely at the 
documentation.

---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - User Support Spec. III
|$&| |__| |  | |__/ | \| _|  | novosirj@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

On Fri, 24 Dec 2004, Jim C. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> | root is root (Unix admin, Domain admin). tango is tango (NOT an Unix
> | admin, but Domain admin). Is there a technical necessity of mapping
> | tango to root?
>
> I surmise that in order to properly emulate Windows behavior Samba must
> do some of these things that we *nix guys find pesky. I imagine that the
> only way around this behaviour would probably include coming up with a
> special PAM module and that may be outside the scope of the Samba
> project. Otherwise you are going to need to be able to do root things
> like change passwords, delete users and stuff.
>
>
> Jim C.
> - --
> - -----------------------------------------------------------------
> | I can be reached on the following Instant Messenger services: |
> |---------------------------------------------------------------|
> | MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
> |---------------------------------------------------------------|
> | Y!: j_c_llings            Jabber: jcllings @ njs.netlab.cz	|
> - -----------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBzF1v57L0B7uXm9oRAs9rAJwJU0hmDHOdqGtWoeSNZ2XXYdDKJQCfaKWe
> 4zO74GZ30AyIDHYEt3pKy38> =4t7v
> -----END PGP SIGNATURE-----
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Effenberger wrote:
| Hello,
|
| I have found out that a domain administrator is always mapped to root in
| the UNIX filesystem:
|
| drwx------   2 jive  smbguests 1024 2004-12-23 18:59 jive
| drwx------  13 salsa smbusers  1024 2004-12-23 18:58 salsa
| drwx------  13 root  smbadmins 1024 2004-12-23 18:56 tango
|
| jive is a domain guest user, salsa a domain user and tango a domain
| administrator.
|
| Is it possible to change the root ownership behaviour?

sounds like you have an 'admin users' line in smb.conf.




cheers, jerry
- ---------------------------------------------------------------------
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot
(2003)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB3DBXIR7qMdg1EfYRApFVAJ9kFBxPZGBiDmMA4YTzljteOlz9fwCeLnuP
vDa5Rvqih1Z1UlXloG75D5w=BnPe
-----END PGP SIGNATURE-----