Hi,

We have a Windows Domain and a few Linux boxes on which we have installed Samba and set them up so people can log in using their windows domain logins using winbind etc.

All is working fine EXCEPT for the group memberships.

I have a windows user who is a member of the "Domain Admins" group and I want them to have root privileges on the UNIX box.

I added a group mapping using the command

    net groupmap add ntgroup="Domain Admins" unixgroup=root type=d

but that just added another group called "Domain admins" which could be seen by running

    [root@xxx ~]# net groupmap list | grep Domain
    Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1
    Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-1001) -> root
    Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> -1
    Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1

so I tried

    net groupmap set "Domain Admins" "root" -D

which was better and gave the output

    Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1
    Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> root
    Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1

But any users that are in the "Domain Admins" group do not get root privileges when logging into the unix box.

Is what I am doing supported, i.e. is that what group mappings are for?

Phil.

Felipe Augusto van de Wiel
2006-Oct-03 14:07 UTC
[Samba] Allowing Domain Admins root access
On 09/25/2006 01:31 PM, Phil Marsden wrote:
> Hi,

Hey!

> We have a Windows Domain and a few Linux boxes on which we
> have installed Samba and set them up so people can log in
> using their windows domain logins using winbind etc.
>
> All is working fine EXCEPT for the group memberships.
>
> I have a windows user who is a member of the "Domain Admins"
> group and I want them to have root privileges on the UNIX
> box.
>
> I added a group mapping using the command net groupmap add
> ntgroup="Domain Admins" unixgroup=root type=d but that just
> added another group called "Domain admins" which could be
> seen by running
>
> [root@xxx ~]# net groupmap list | grep Domain
> Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1
> Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-1001) -> root
> Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> -1
> Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1
>
> so I tried
> net groupmap set "Domain Admins" "root" -D which was better and gave the output
> Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1
> Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> root
> Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1
>
> But any users that are in the "Domain Admins" group do not
> get root privileges when logging into the unix box

In fact, they have "root group privileges"; it does not mean that they would be able to execute commands as root (root user), but they have access to files with root group owner (of course, also the executable ones).

> Is what I am doing supported i.e. is that what group mappings
> are for?

Not exactly, groupmaps are a way to have Windows groups mapped to UNIX groups. Take a look at the Official HOWTO, I think it would help you. :-)

http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

> Phil.

Kind regards,

--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
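
An added example, not part of either message and not Samba project code: a shell function that audits `net groupmap list` output in the format quoted in the thread, flagging NT groups mapped to a privileged UNIX group, unmapped groups, and one group name present under two RIDs. The function name, the finding labels and the default privileged-group list are assumptions of this example.

```shell
#!/bin/sh
# Added example. SAMPLE is the first `net groupmap list` output quoted in the thread.
SAMPLE='Domain Users (S-1-5-21-2057633969-1929386834-1244778803-513) -> -1
Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-1001) -> root
Domain Admins (S-1-5-21-2057633969-1929386834-1244778803-512) -> -1
Domain Guests (S-1-5-21-2057633969-1929386834-1244778803-514) -> -1'

# audit_groupmap [PRIV_GROUPS]
# Reads `net groupmap list` lines on stdin and prints one finding per line:
#   PRIV     NT group mapped to a UNIX group named in PRIV_GROUPS
#            (space-separated; the default "root wheel" is an assumption)
#   UNMAPPED NT group with no UNIX group (-1)
#   DUPNAME  same NT group name present under two different RIDs
# The finding labels are this example's own, not Samba output.
audit_groupmap() {
    awk -v priv="${1:-root wheel}" '
    BEGIN { n = split(priv, p, " "); for (i = 1; i <= n; i++) is_priv[p[i]] = 1 }
    {
        # Expected line format: <NT name> (<SID>) -> <unix group or -1>
        if (!match($0, / \(S-[0-9-]+\) -> /)) next
        name = substr($0, 1, RSTART - 1)
        rid  = substr($0, RSTART + 2, RLENGTH - 7)   # full SID ...
        sub(/.*-/, "", rid)                          # ... reduced to its last component
        ugrp = substr($0, RSTART + RLENGTH)
        sub(/[ \t\r]+$/, "", ugrp)

        if (ugrp == "-1")          print "UNMAPPED " name " rid=" rid
        else if (ugrp in is_priv)  print "PRIV " name " rid=" rid " -> " ugrp

        if ((name in seen) && seen[name] != rid)
            print "DUPNAME " name " rid=" seen[name] "," rid
        else
            seen[name] = rid
    }'
}

printf '%s\n' "$SAMPLE" | audit_groupmap
```

On the sample it reports the `root` mapping on RID 1001 while RID 512, the well-known Domain Admins RID, stays unmapped, which is the duplicate entry Phil describes.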