I have installed lots of samba 3 servers as PDCs for little networks serving 10 users or so. I have always set up the user "root" as the domain administrator, by setting its group SID to <domainSID>-512 with pdbedit. My "root" user has usually a user SID of <domainSID>-1000 since it is the first user I add to Samba. I have never set up a username map to map "administrator" to "root", I use "root" directly also on Windows boxes when I need to connect as the domain admin (to add workstations to the domain, for example) and I have never had issues. I have no user named "administrator" on the domain. Now I have read in the HOWTO collection that I should set the user SID to <domainSID>-500 for the "administrator" user since this is a predefined default SID. I have found that a NT server uses 500 indeed for its "Administrator" user. First, I'd like to understand why do I need an user with the "500" SID, since I have never had one and still it seems that my "root" user is working. Second, I'd like to know what will happen if I changhe the SID of root from "1000" to "500", now that my workstations already know the user "root" by its old SID. I suppose that generally is definitely NOT a good idea to change a user's SID, because this would make his files on his workstations owned by someone else. Am I right? -- Fabio "Kurgan" Muzzi
Stéphane Purnelle
2005-Jun-04 12:02 UTC
[Samba] UID of the windows Domain Administrator user?
Fabio Muzzi a ?crit :>I have installed lots of samba 3 servers as PDCs for little networks >serving 10 users or so. I have always set up the user "root" as the domain >administrator, by setting its group SID to <domainSID>-512 with pdbedit. >My "root" user has usually a user SID of <domainSID>-1000 since it is the >first user I add to Samba. I have never set up a username map to map >"administrator" to "root", I use "root" directly also on Windows boxes >when I need to connect as the domain admin (to add workstations to the >domain, for example) and I have never had issues. I have no >user named "administrator" on the domain. > >For joining a machine to domain, you must have a user with uid = 0. But, begin with samba 3.0.11, the privileges can be used for use a other user than root (uid = 0) You can read more information in this pages : http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html>Now I have read in the HOWTO collection that I should set the user SID to ><domainSID>-500 for the "administrator" user since this is a predefined >default SID. I have found that a NT server uses 500 indeed for its >"Administrator" user. > >administrator it's the name of a user which have administrator rights like : add user manage ACL install applications in w2k workstation...>First, I'd like to understand why do I need an user with the "500" SID, >since I have never had one and still it seems that my "root" user is >working. > >Second, I'd like to know what will happen if I changhe the SID of root >from "1000" to "500", now that my workstations already know the user >"root" by its old SID. I suppose that generally is definitely NOT a good >idea to change a user's SID, because this would make his files on his >workstations owned by someone else. Am I right? > >The "root" user is only used for that, but after joining a domain, changing the SID cause no problem.> > >Actually, on my network I not enabled privileges (in my test network : yes and that work). But, I use root user only for adding machine to domain, for the rest of administration, I have a administrator user with SID = S-1-5-21-xxxxxx-xxxx-xxxx-500 and groupSID = S-1-5-21-xxxxxx-xxxxx-xxxxx-512 -- St?phane Purnelle <stephane.purnelle@tiscali.be> Site Web : http://www.linuxplusvalue.be
Maybe Matching Threads
- Shares get disconnected and cannot reconnect over VPN
- Grant or deny internet access based on Samba domain logon?
- Default Posix ACLs are ignored when copying files between two directories using Windows (XP)
- rid format in sambaSID
- Questions about mutiple providers