Torsten
2007-Oct-11 09:17 UTC
[Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?
Hi,
I have set up samba+ldap and almost everything went well, except the fact,
that there was no administrative account from the beginning. So I just
created one using smbldap-useradd.
samba-pdc:~# /usr/sbin/smbldap-usershow administrator
dn: uid=administrator,ou=Users,dc=rhhu,dc=local
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: administrator
sn: administrator
givenName: administrator
uid: administrator
uidNumber: 1004
gidNumber: 513
homeDirectory: /home/administrator
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-55810726-2383910042-1397420801-3008
sambaPrimaryGroupSID: S-1-5-21-55810726-2383910042-1397420801-513
sambaLogonScript: logon.bat
sambaHomeDrive: Z:
sambaLMPassword: 79A0A158A100C04D902139606B6D16B5
sambaAcctFlags: [U]
sambaNTPassword: 6261BD5C725F9795FC7E84DA0350FA29
sambaPwdLastSet: 1187341118
sambaPwdMustChange: 1191229118
userPassword: {MD5}0/ECsVoPmE2fvVgfBQguZg=
samba-pdc:~# /usr/sbin/smbldap-groupshow "Domain Admins"
dn: cn=Domain Admins,ou=Groups,dc=rhhu,dc=local
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root,Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-55810726-2383910042-1397420801-512
sambaGroupType: 2
displayName: Domain Admins
So, administrator is member of Domain Admins. I suppose the problem lies
within the primary group membership of that account, but I have no clue
how to change the sid.
What would be a practicable solution? Thanks.
Regards, Torsten
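The two outputs in the message above can be cross-checked mechanically. The following is an added example, not part of the original thread: it parses the `smbldap-usershow` and `smbldap-groupshow` text and compares primary group, group membership and POSIX gid. The function names are hypothetical, and the RID names for 512 and 513 are the well-known Windows values.

```python
# Added example, not from the thread. Sample text is copied from the post (hashes omitted).
USER_OUT = """\
dn: uid=administrator,ou=Users,dc=rhhu,dc=local
objectClass:
top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
uid: administrator
gidNumber: 513
sambaSID: S-1-5-21-55810726-2383910042-1397420801-3008
sambaPrimaryGroupSID: S-1-5-21-55810726-2383910042-1397420801-513
"""
GROUP_OUT = """\
dn: cn=Domain Admins,ou=Groups,dc=rhhu,dc=local
gidNumber: 512
memberUid: root,Administrator
sambaSID: S-1-5-21-55810726-2383910042-1397420801-512
"""
RIDS = {512: "Domain Admins", 513: "Domain Users"}  # well-known domain RIDs

def parse(text):
    """Parse 'attr: value' lines; a line with no colon continues the previous attribute."""
    entry, last = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.isalnum():
            last = key
            entry[last] = value.strip()
        elif last is not None:
            entry[last] += line.strip()  # wrapped value, e.g. objectClass above
    return entry

def split_sid(sid):  # "S-1-5-21-...-513" -> (domain SID, 513)
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def audit(user, group):
    """Compare a user entry with a group entry on the points raised in the thread."""
    members = group.get("memberUid", "").split(",")
    prid = split_sid(user["sambaPrimaryGroupSID"])[1]
    return {
        "user_rid": split_sid(user["sambaSID"])[1],
        "primary_group": RIDS.get(prid, prid),
        "primary_is_this_group": user["sambaPrimaryGroupSID"] == group["sambaSID"],
        "member_exact": user["uid"] in members,  # memberUid is case-exact in RFC 2307
        "member_ignoring_case": user["uid"].lower() in [m.lower() for m in members],
        "posix_gid_matches": user["gidNumber"] == group["gidNumber"],
    }

if __name__ == "__main__":
    print(audit(parse(USER_OUT), parse(GROUP_OUT)))
```

On the posted data this reports a primary group of Domain Users and a `memberUid` entry that matches the account's `uid` only when case is ignored.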
Frank Van Damme
2007-Oct-11 09:28 UTC
[Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?
On 10/11/07, Torsten <heinzelrumpel@gmx.de> wrote:
> Hi,
>
> I have set up samba+ldap and almost everything went well, except the fact,
> that there was no administrative account from the beginning. So I just
> created one using smbldap-useradd.
>
> samba-pdc:~# /usr/sbin/smbldap-usershow administrator
> dn: uid=administrator,ou=Users,dc=rhhu,dc=local
> objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
> cn: administrator
> sn: administrator
> givenName: administrator
> uid: administrator
> uidNumber: 1004
> gidNumber: 513

*SNIP*

> So, administrator is member of Domain Admins. I suppose the problem lies
> within the primary group membership of that account, but I have no clue
> how to change the sid.
>
> What would be a practicable solution? Thanks.
>
> Regards, Torsten

Your problem is that the account does not have uid number 0. If it has, it has a root account on your unix box and you're all set.

--
Frank Van Damme
A: Because it destroys the flow of the conversation
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mails or on usenet?
adrian sender
2007-Oct-11 13:25 UTC
[Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?
This may be what you are looking for..
net rpc rights to manage privileges assigned to SIDs
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id364647
root# net rpc rights list -U root%not24get
SeMachineAccountPrivilege Add machines to domain
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeDiskOperatorPrivilege Manage disk shares
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeTakeOwnershipPrivilege Take ownership of files or other objects
All in the docs.
Adrian Sender