I just got Samba + LDAP up and running as a PDC. If I list the users in the LDAP directory with pdbedit -L I see:

root:0:test
nobody:99:nobody
aster$:1001:Computer
toast$:1002:TOAST$
fordprefect:1003:Test Account

Shouldn't there be an Administrator account and no root? I don't want my Linux root account even remotely confused or associated with a Samba/LDAP account. Any ideas?

--
Jason Baker
IT Coordinator
Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.4444
www.glastender.com <http://www.glastender.com>

Does using root in LDAP without a shell help you?

On 1/16/07, Jason Baker <jbaker@glastender.com> wrote:
> I just got Samba + LDAP up and running as a PDC. If I list the users in
> the LDAP directory with pdbedit -L I see:
>
> root:0:test
> nobody:99:nobody
> aster$:1001:Computer
> toast$:1002:TOAST$
> fordprefect:1003:Test Account
>
> Shouldn't there be an Administrator account and no root? I don't want my
> Linux root account even remotely confused or associated with a
> Samba/LDAP account. Any ideas?

--
Cleber P. de Souza

On 01/16/2007 06:29 PM, Jason Baker wrote:
> I just got Samba + LDAP up and running as a PDC. If I list the users in
> the LDAP directory with pdbedit -L I see:
>
> root:0:test
> nobody:99:nobody
> aster$:1001:Computer
> toast$:1002:TOAST$
> fordprefect:1003:Test Account
>
> Shouldn't there be an Administrator account and no root? I don't want my
> Linux root account even remotely confused or associated with a
> Samba/LDAP account. Any ideas?

It depends on how you configured your LDAP.

After Samba 3.0.14 you can have a normal user account with Domain Administrator powers, which includes adding machines to the domain and other privileges, using 'net groupmap'.

So you can have an account as the LDAP administrator, another account as your Samba Administrator and your regular root account. It's up to you. ;)

Kind regards,
--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)

> I just got Samba + LDAP up and running as a PDC. If I list the users in
> the LDAP directory with pdbedit -L I see:
>
> root:0:test
> nobody:99:nobody
> aster$:1001:Computer
> toast$:1002:TOAST$
> fordprefect:1003:Test Account
>
> Shouldn't there be an Administrator account and no root? I don't want my
> Linux root account even remotely confused or associated with a
> Samba/LDAP account. Any ideas?

It depends on how you configured your LDAP.

After Samba 3.0.14 you can have a normal user account with Domain Administrator powers, which includes adding machines to the domain and other privileges, using 'net groupmap'.

So you can have an account as the LDAP administrator, another account as your Samba Administrator and your regular root account. It's up to you. ;)

*---------

But don't you need a Samba account with UID=0 to assign privileges in the first place?

Ryan

This email transmission and any documents, files or previous email messages attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, printing, distributing or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by telephone or return email and delete the original transmission and its attachments without reading or saving in any manner. The Evangelical Lutheran Good Samaritan Society.

>> After Samba 3.0.14 you can have a normal user account with
>> Domain Administrator powers, which includes adding machines to the
>> domain and other privileges, using 'net groupmap'.
>>
>> So you can have an account as the LDAP administrator, another
>> account as your Samba Administrator and your regular root account.
>> It's up to you. ;)
>
> But don't you need a Samba account with UID=0 to assign privileges
> in the first place?

Not anymore. ;)

Is priv assignment limited to accounts whose sambaPrimaryGroupSID has RID 512, or is simply having the account name listed as a member in the group definition enough?

Wow, that was poorly written... I'm assuming that this guy will be able to assign privs:

# domain admin user
uid: user
sambaPrimaryGroupSid: S-*-512

How about user2?

# domain admins group
cn: dom_adms
sambaSID: S-*-512
memberUID: user2
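
Added example (not part of the thread and not Samba code): a small Python audit that flags UID 0 entries in a pdbedit -L listing and lists every account the directory ties to RID 512, keeping the primary-group route and the memberUid route separate, which are the two cases asked about in the last message. The sample listing, the domain SID and all function names are constructed for illustration; the script only reports what the directory contains and does not decide which route Samba honours for privilege assignment.

```python
from collections import defaultdict

DOMAIN_ADMINS_RID = "512"
# Constructed sample: the pdbedit -L listing quoted in the thread.
PDBEDIT_L = """root:0:test
nobody:99:nobody
aster$:1001:Computer
toast$:1002:TOAST$
fordprefect:1003:Test Account
"""

# Constructed entries modelled on the thread's two snippets; domain SID is made up.
LDIF = """uid: user
sambaPrimaryGroupSid: S-1-5-21-1111-2222-3333-512

cn: dom_adms
sambaSID: S-1-5-21-1111-2222-3333-512
memberUID: user2
"""

def uid_zero_accounts(listing):
    """Names from 'name:uid:fullname' lines whose Unix UID is 0."""
    rows = (line.split(":", 2) for line in listing.splitlines())
    return [r[0] for r in rows if len(r) >= 2 and r[1].strip().isdigit() and int(r[1]) == 0]

def parse_entries(ldif):
    """Blank-line separated 'attr: value' blocks -> list of dicts (attr names lowercased)."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                # LDAP attribute names are case-insensitive (Sid vs SID, UID vs Uid).
                entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def domain_admin_routes(entries):
    """Map account name -> set of ways the directory ties it to RID 512."""
    is_da = lambda sid: sid.rsplit("-", 1)[-1] == DOMAIN_ADMINS_RID
    routes = defaultdict(set)
    for e in entries:
        if any(is_da(s) for s in e.get("sambaprimarygroupsid", [])):
            for uid in e.get("uid", []):
                routes[uid].add("primary-group")
        if any(is_da(s) for s in e.get("sambasid", [])):
            for member in e.get("memberuid", []):
                routes[member].add("memberUid")
    return dict(routes)
print(uid_zero_accounts(PDBEDIT_L), domain_admin_routes(parse_entries(LDIF)))
```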