I have installed lots of Samba 3 servers as PDCs for little networks serving 10 users or so. I have always set up the user "root" as the domain administrator, by setting its group SID to <domainSID>-512 with pdbedit. My "root" user usually has a user SID of <domainSID>-1000 since it is the first user I add to Samba. I have never set up a username map to map "administrator" to "root"; I use "root" directly also on Windows boxes when I need to connect as the domain admin (to add workstations to the domain, for example) and I have never had issues. I have no user named "administrator" on the domain.

Now I have read in the HOWTO collection that I should set the user SID to <domainSID>-500 for the "administrator" user since this is a predefined default SID. I have found that an NT server does indeed use 500 for its "Administrator" user.

First, I'd like to understand why I need a user with the "500" SID, since I have never had one and still it seems that my "root" user is working.

Second, I'd like to know what will happen if I change the SID of root from "1000" to "500", now that my workstations already know the user "root" by its old SID. I suppose that generally it is definitely NOT a good idea to change a user's SID, because this would make his files on his workstations owned by someone else. Am I right?

--
Fabio "Kurgan" Muzzi
Stéphane Purnelle
2005-Jun-04 12:02 UTC
[Samba] UID of the windows Domain Administrator user?
Fabio Muzzi wrote:

> I have installed lots of Samba 3 servers as PDCs for little networks
> serving 10 users or so. I have always set up the user "root" as the domain
> administrator, by setting its group SID to <domainSID>-512 with pdbedit.
> My "root" user usually has a user SID of <domainSID>-1000 since it is the
> first user I add to Samba. I have never set up a username map to map
> "administrator" to "root"; I use "root" directly also on Windows boxes
> when I need to connect as the domain admin (to add workstations to the
> domain, for example) and I have never had issues. I have no
> user named "administrator" on the domain.

To join a machine to the domain, you must have a user with uid = 0. But beginning with Samba 3.0.11, privileges can be used to allow a user other than root (uid = 0) to do this. You can read more information on this page: http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html

> Now I have read in the HOWTO collection that I should set the user SID to
> <domainSID>-500 for the "administrator" user since this is a predefined
> default SID. I have found that an NT server does indeed use 500 for its
> "Administrator" user.

"administrator" is the name of a user who has administrator rights, like: add users, manage ACLs, install applications on W2K workstations...

> First, I'd like to understand why I need a user with the "500" SID,
> since I have never had one and still it seems that my "root" user is
> working.
>
> Second, I'd like to know what will happen if I change the SID of root
> from "1000" to "500", now that my workstations already know the user
> "root" by its old SID. I suppose that generally it is definitely NOT a good
> idea to change a user's SID, because this would make his files on his
> workstations owned by someone else. Am I right?

The "root" user is only used for that, but after joining a domain, changing the SID causes no problem.

Actually, on my network I have not enabled privileges (on my test network: yes, and that works). But I use the root user only for adding machines to the domain; for the rest of the administration, I have an administrator user with SID = S-1-5-21-xxxxxx-xxxx-xxxx-500 and groupSID = S-1-5-21-xxxxxx-xxxxx-xxxxx-512.

--
Stéphane Purnelle <stephane.purnelle@tiscali.be>
Site Web : http://www.linuxplusvalue.be
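
An added example, not part of either post: a small audit over a `pdbedit -L -v` listing that reports which account holds the well-known RID 500 and which accounts have Domain Admins (RID 512) as their primary group, the two values discussed in this thread. The sample listing is constructed, and the field labels and separator lines are assumed to match what `pdbedit -L -v` prints on your Samba version.

```python
import re
# Constructed sample shaped like `pdbedit -L -v` output (assumed field labels).
SAMPLE = """\
Unix username:        root
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1000
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-512
---------------
Unix username:        administrator
User SID:             S-1-5-21-1111111111-2222222222-3333333333-500
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-512
---------------
Unix username:        alice
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3002
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
"""

RID_ADMINISTRATOR = 500  # well-known RID of the built-in Administrator account
RID_DOMAIN_ADMINS = 512  # well-known RID of the Domain Admins group
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

def rid(sid):  # trailing RID of a domain SID, or None if the SID is malformed
    m = SID_RE.match(sid.strip())
    return int(m.group(1)) if m else None

def parse_accounts(text):  # one dict of "label: value" fields per account
    accounts, cur = [], {}
    for line in text.splitlines() + ["-----"]:  # sentinel flushes the last record
        if line.startswith("-----"):
            if cur:
                accounts.append(cur)
            cur = {}
        elif ":" in line:
            key, value = line.split(":", 1)     # values such as dates contain ':'
            cur[key.strip()] = value.strip()
    return accounts

def audit(text):  # who holds RID 500, who has Domain Admins as primary group
    report = {"rid_500": [], "domain_admins_primary": [], "unparsed": []}
    for acct in parse_accounts(text):
        name = acct.get("Unix username", "?")
        user_rid = rid(acct.get("User SID", ""))
        group_rid = rid(acct.get("Primary Group SID", ""))
        if user_rid is None or group_rid is None:
            report["unparsed"].append(name)     # never guess at a malformed SID
            continue
        if user_rid == RID_ADMINISTRATOR:
            report["rid_500"].append(name)
        if group_rid == RID_DOMAIN_ADMINS:
            report["domain_admins_primary"].append(name)
    return report
```

This only inspects the primary group SID; accounts that reach Domain Admins through supplementary group membership or granted privileges need a separate check.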