I'm just starting to convert to using samba 3 --. Until now, my use of samba has been pretty simple. I've not used it as a DC and I've used passthrough auth.. I know some say it's ugly (and it can be) but it's made my life easier most of the time.

Now I'm reading through the samba docs, howtos, etc. and I am still very uncomfortable mapping the windows Administrator account to root. I know samba will need to change some things that only root can do. I was hoping for something that I could do with sudo. Could I create an account called 'joeAdmin', put him in sudoers, then put all the commands that joeAdmin would need to run in the sudoers config? That seems a more structured way to secure this.

Secondly, we have possibly more than one administrator account on a machine. Can we map multiple windows user names to the root account in idmap?

I'm thinking something like this..

create a group jAdminGroup, joeAdmin, JaneAdmin

in sudoers.conf
jAdminGroup ALL=/passwordchatprograms/addprinterprograms NOPASSWD: ALL

then in smbusermap file
root = joeAdmin janeAdmin

Does this sound reasonable?

--
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"
David Bear [David.Bear@asu.edu] wrote:

> I'm just starting to convert to using samba 3 --. Until now, my use
> of samba has been pretty simple. I've not used it as a DC and I've used
> passthrough auth.. I know some say it's ugly (and it can be) but it's
> made my life easier most of the time.

Please read Samba Official HOWTO, chapter 14.

> Now I'm reading through the samba docs, howtos, etc. and I am still
> very uncomfortable mapping the windows Administrator account to root.
> I know samba will need to change some things that only root can do. I
> was hoping for something that I could do with sudo. Could I create an
> account called 'joeAdmin', put him in sudoers, then put all the
> commands that joeAdmin would need to run in the sudoers config? That
> seems a more structured way to secure this.

There isn't really anything that would require your legitimate unix users to be put into sudoers. That information is stored in samba tdb files and is manipulated using "net".

> Secondly, we have possibly more than one administrator account on a
> machine. Can we map multiple windows user names to the root account in
> idmap?

Recent samba releases don't require root account during normal operation. Parent processes still are being run with uid=0 so there you go.

>
> then in smbusermap file
> root = joeAdmin janeAdmin
>
> Does this sound reasonable?

You shouldn't have to do this.

HTH,

--
Michal Kurowski
perl -e '$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#; y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'
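
An added example, not part of either post: a small audit of a Samba `username map` file that lists every Windows name a line such as `root = joeAdmin janeAdmin` would resolve to root. The sample file content, the `PRIVILEGED` set and both function names are constructed for illustration.

```python
import re

# Constructed sample in the smb.conf "username map" file format (not real data).
SAMPLE_MAP = r"""# unix_name = windows_name [windows_name ...]
root = joeAdmin janeAdmin
!root = "Backup Operator" @jAdminGroup
guest = "Jane Doe" DOMAIN\temp1
; commented = ignored
nobody = *
"""

# Assumption: only the account literally named "root" is treated as privileged.
PRIVILEGED = {"root"}

# A name is either double-quoted (may contain spaces) or a bare token.
_NAME = re.compile(r'"([^"]+)"|(\S+)')


def parse_username_map(text):
    """Return [(unix_name, [windows_names], stop_flag)] for each mapping line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' stops map processing on a match
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep:                          # no '=' means it is not a mapping
            continue
        names = [quoted or bare for quoted, bare in _NAME.findall(rhs)]
        entries.append((unix_name.strip(), names, stop))
    return entries


def privileged_mappings(text, privileged=PRIVILEGED):
    """List (unix_name, windows_name, kind) for names mapped to a privileged account."""
    findings = []
    for unix_name, names, _stop in parse_username_map(text):
        if unix_name not in privileged:
            continue
        for name in names:
            kind = "group" if name.startswith("@") else "wildcard" if name == "*" else "user"
            findings.append((unix_name, name, kind))
    return findings


if __name__ == "__main__":
    for unix_name, win_name, kind in privileged_mappings(SAMPLE_MAP):
        print(f"{win_name!r} ({kind}) maps to {unix_name}")
```

A `group` or `wildcard` finding deserves the closest review, since one line then grants root to every member or every client name.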