Mirco MEGAS
2014-Oct-27 20:55 UTC
[Samba] Samba4: "MYDOM\Administrator" quite useless on a member
> Comment from Rowland:
> [...] an AD user without a uidNumber is merely a windows user

Hi Rowland,

just for my understanding, I have a question. If a domain user in my samba4 AD domain has not been assigned a "uid" on the [UNIX Attribute] tab of my ADUC tool, that user in general *cannot* access any of the shares of that particular member server? Is that correct? My [home] and [profile] shares reside on my member server, thus I definitely *need* to assign every domain user a uid so that he will be able to use those shares, right?

My other question still exists, it is the same as the topic of this thread :-) As you said one shouldn't assign a uid to the MYDOM\Administrator account (because he loses its special permissions and thus will be converted to a 'normal' UNIX user on the member server), I am still wondering myself:

Is MYDOM\Administrator therefore *useless* on a member server? I cannot use that account for accessing shares on the member server, right? (assuming I didn't assign a UID to him, as you suggested).

Thanks and greetings,
Mirco
Rowland Penny
2014-Oct-27 21:29 UTC
[Samba] Samba4: "MYDOM\Administrator" quite useless on a member
On 27/10/14 20:55, Mirco MEGAS wrote:
>> Comment from Rowland:
>> [...] an AD user without a uidNumber is merely a windows user
> Hi Rowland,
>
> just for my understanding, I have a question. If a domain user in my samba4 AD domain has not been assigned a "uid" on the [UNIX Attribute] tab of my ADUC tool, that user in general *cannot* access any of the shares of that particular member server? Is that correct? My [home] and [profile] shares reside on my member server, thus I definitely *need* to assign every domain user a uid so that he will be able to use those shares, right?

It is a bit more complicated than that. If you use a member server as you are doing, then yes, the underlying Unix machine has to know who your windows users are. You can use nslcd, sssd or winbind to do this; if you use either of the last two, they can be set up in a way that users will be given a uidNumber automatically based on the user's RID. If you give your users the required rfc2307 attributes, you can use any of the three and give your users individual home directory paths, for instance, something that is not possible without using rfc2307. What I will say is, I think that it is better to use the rfc2307 attributes than not to.

> My other question still exists, it is the same as the topic of this thread :-) As you said one shouldn't assign a uid to the MYDOM\Administrator account (because he loses its special permissions and thus will be converted to a 'normal' UNIX user on the member server), I am still wondering myself:
>
> Is MYDOM\Administrator therefore *useless* on a member server? I cannot use that account for accessing shares on the member server, right? (assuming I didn't assign a UID to him, as you suggested).

This is a valid question and no, the 'Administrator' is not useless on a member server, you need him (her ??) as a bridge to the root user from windows, this is what the smbmap is for. If you need to do something from windows on a Unix machine that only 'root' can do easily, then do it as 'root' via the smbmap. Just as you wouldn't really do much as the Administrator on windows (well, you wouldn't login and run word all day long, for instance), you do not, as a rule, login as root on a Unix machine and carry out day to day operations.

Rowland

> Thanks and greetings,
> Mirco
Mirco MEGAS
2014-Oct-27 21:48 UTC
[Samba] Samba4: "MYDOM\Administrator" quite useless on a m
> It is a bit more complicated than that. If you use a member server as you are doing, then yes, the underlying Unix machine has to know who your windows users are. You can use nslcd, sssd or winbind to do this; if you use either of the last two, they can be set up in a way that users will be given a uidNumber automatically based on the user's RID. If you give your users the required rfc2307 attributes, you can use any of the three and give your users individual home directory paths, for instance, something that is not possible without using rfc2307. What I will say is, I think that it is better to use the rfc2307 attributes than not to.

Ok, my DC was provisioned with rfc2307 and has the NIS extensions. I am using winbind with the "ad" backend on my member server. But it's necessary to assign a uid for every user in the ADUC tool, so these users can access my shares on the member server. I hope that's ok like that.

> This is a valid question and no, the 'Administrator' is not useless on a member server, you need him (her ??) as a bridge to the root user from windows, this is what the smbmap is for. If you need to do something from windows on a Unix machine that only 'root' can do easily, then do it as 'root' via the smbmap. Just as you wouldn't really do much as the Administrator on windows (well, you wouldn't login and run word all day long, for instance), you do not, as a rule, login as root on a Unix machine and carry out day to day operations.

Out of curiosity: what happens when I don't use the "smbmap" feature, but I am logged in as MYDOM\it-admin1? That user is a member of "Builtin\Domain Admins". The user "it-admin1" can use for example the ADUC tool, create/modify users, and so on... it seems that everything works fine, the only difference to using the "smbmap" feature is that directories or files created with the "it-admin1" user have owner=it-admin1. When I use the smbmap feature the owner=root.

But both work fine, so does one really need smbmap?
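The member-server setup the thread talks about, written out as an added example (not from the original thread or from the Samba project): an smb.conf fragment using the winbind "ad" backend with rfc2307 attributes, plus the username map that Rowland calls the "smbmap". The domain name MYDOM, the realm, the idmap ranges and the map file path are assumptions for illustration.

```ini
# /etc/samba/smb.conf on the member server (constructed example)
[global]
   workgroup = MYDOM
   realm = MYDOM.EXAMPLE.COM
   security = ADS

   # Default backend for SIDs from other domains and BUILTIN groups.
   # Its range must not overlap the MYDOM range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # MYDOM users get uid/gid from the uidNumber/gidNumber stored in AD
   # (the "UNIX Attributes" tab). An account without uidNumber is not
   # resolved here, which is why such a user cannot use the shares.
   idmap config MYDOM : backend = ad
   idmap config MYDOM : schema_mode = rfc2307
   idmap config MYDOM : range = 10000-999999

   # Take login shell and home directory from the rfc2307 attributes too,
   # so each user can have an individual home path.
   winbind nss info = rfc2307

   # Map Windows identities to Unix names at session setup, before idmap.
   username map = /etc/samba/user.map

# /etc/samba/user.map (constructed example)
# The leading "!" stops processing after the first match, so only
# Administrator becomes root; everyone else keeps their own rfc2307 uid.
!root = MYDOM\Administrator
```

Check a mapped user with `getent passwd 'MYDOM\it-admin1'`; an account that has no uidNumber returns nothing, which is the symptom the thread describes. Because Administrator is then root on that file system, anything created through the map is owned by root rather than by the Windows account.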