Hi Andrey,

2015-04-19 0:12 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
> Greetings, Davor Vusir!
>
>>> Hi, there are two separate points of view here, map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first then 'Administrator' can change directory settings on a Unix machine from Windows (profiles dir, file share dirs etc) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.
>>>
>
>> A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain Admins' a member of the server's Administrators group during domain join. If you, as a member of 'SERVER\Administrators', choose to remove Domain Admins, that is, of course, perfectly valid. As is making a domain user account a member of the server's Administrators group. Or removing it from a selected group. So in a sense one could say that 'DOMAIN\Administrator' is just another Windows/Unix user.
>
>> When Samba is set up as a file and/or print server, you have to make Unix aware of which domain user account/group will have extraordinary rights. As you write.
>
>> Maybe one should change views and look at the Unix/Samba complex as a virtual host where one of its guests is a file server that owns its playground, the file system it shares. The guest, Samba, utilizes Unix for its purpose. In that case Samba is contained and 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain accounts and groups should have their uid-/gidNumber set.
>
> # visudo -f /etc/sudoers.d/domain
> # Members of the "domain admins" group may do about anything.
> # And rightfully so.
> %domain\x20admins ALL=(ALL:ALL) ALL
>
> Apply liberally, where it is warranted.
>

If there is a need to grant selected domain users elevated rights on the Linux host. In this case root privileges. This is one way of doing it. Rowland mentioned another.

> But back to the train of thought, every user is just one user.
> Mapping a user to another user creates a mess you don't want to solve yourself.
>

Maybe so. I was merely trying to express a different view. Where Samba is somewhat self-contained and uses the Linux host as a vessel for its purpose; file sharing for Windows. With that in mind, Rowland is right when he says that the domain administrator account becomes an ordinary Unix user on the Linux host. For Samba it's good enough.

Regards
Davor

> --
> With best regards,
> Andrey Repin
> Sunday, April 19, 2015 01:11:07
>
> Sorry for my terrible english...
On 19/04/15 06:53, Davor Vusir wrote:
> Hi Andrey,
>
> 2015-04-19 0:12 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
>> Greetings, Davor Vusir!
>>
>>>> Hi, there are two separate points of view here, map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first then 'Administrator' can change directory settings on a Unix machine from Windows (profiles dir, file share dirs etc) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.
>>>>
>>> A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain Admins' a member of the server's Administrators group during domain join. If you, as a member of 'SERVER\Administrators', choose to remove Domain Admins, that is, of course, perfectly valid. As is making a domain user account a member of the server's Administrators group. Or removing it from a selected group. So in a sense one could say that 'DOMAIN\Administrator' is just another Windows/Unix user.
>>> When Samba is set up as a file and/or print server, you have to make Unix aware of which domain user account/group will have extraordinary rights. As you write.
>>> Maybe one should change views and look at the Unix/Samba complex as a virtual host where one of its guests is a file server that owns its playground, the file system it shares. The guest, Samba, utilizes Unix for its purpose. In that case Samba is contained and 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain accounts and groups should have their uid-/gidNumber set.
>> # visudo -f /etc/sudoers.d/domain
>> # Members of the "domain admins" group may do about anything.
>> # And rightfully so.
>> %domain\x20admins ALL=(ALL:ALL) ALL
>>
>> Apply liberally, where it is warranted.
>>
> If there is a need to grant selected domain users elevated rights on the Linux host. In this case root privileges. This is one way of doing it. Rowland mentioned another.
>
>> But back to the train of thought, every user is just one user.
>> Mapping a user to another user creates a mess you don't want to solve yourself.
>>
> Maybe so. I was merely trying to express a different view. Where Samba is somewhat self-contained and uses the Linux host as a vessel for its purpose; file sharing for Windows. With that in mind, Rowland is right when he says that the domain administrator account becomes an ordinary Unix user on the Linux host. For Samba it's good enough.
>
> Regards
> Davor
>

I was just pointing out that there are two ways of going about this, I did not give any preference for either. I can see good points in both ways, there are also bad points in both, so at the moment I am pretty much sitting on the fence.

The sysadmin must make a choice, but whichever is chosen must be used alone, you shouldn't mix them.

Rowland
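The two approaches Rowland contrasts, written out as smb.conf fragments so the "pick one, don't mix" point is concrete. This is an added example, not configuration posted by anyone in this thread; the domain name SAMDOM, the realm, the idmap ranges and the user.map path are assumptions. Option A makes the domain Administrator act as root on the file server through Samba's username map; option B gives every domain account a real uidNumber/gidNumber from AD (rfc2307) and leaves root on the Linux host to be granted separately, for instance by the sudoers rule Andrey quoted.

```ini
# --- Option A: map DOMAIN\Administrator onto the local root account ---
# /etc/samba/smb.conf (assumed path)
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    # The map is applied at SMB session setup; Administrator ends up as uid 0
    # for file operations on shares, and therefore needs NO uidNumber in AD.
    username map = /etc/samba/user.map
    # Default domain (BUILTIN etc.) gets allocated IDs from a local tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Ordinary domain accounts get IDs computed from their RID; the range must
    # not overlap the '*' range above.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

# /etc/samba/user.map (assumed path) contains one line; the leading '!' stops
# further map processing once it matches:
#   !root = SAMDOM\Administrator SAMDOM\administrator

# --- Option B: Administrator is just another Unix user (rfc2307 attributes) ---
# Mutually exclusive with option A: do not also map Administrator to root.
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Read uidNumber/gidNumber straight from AD; every account and group that
    # should be visible on the host must have these attributes set, and they
    # must fall inside this range.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    winbind nss info = rfc2307
    # With this option Administrator owns nothing special on the host. Rights
    # to chown/chmod share directories come from filesystem ACLs or from a
    # sudoers rule such as the one quoted earlier in this thread.
```

Whichever option is chosen, run `testparm` after editing to catch syntax errors and overlapping idmap ranges before restarting Samba. Each fragment above is a complete `[global]` section on its own; they are shown together only for comparison and would never coexist in one file.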
2015-04-19 9:46 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 19/04/15 06:53, Davor Vusir wrote:
>>
>> Hi Andrey,
>>
>> 2015-04-19 0:12 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
>>>
>>> Greetings, Davor Vusir!
>>>
>>>>> Hi, there are two separate points of view here, map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first then 'Administrator' can change directory settings on a Unix machine from Windows (profiles dir, file share dirs etc) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.
>>>>>
>>>> A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain Admins' a member of the server's Administrators group during domain join. If you, as a member of 'SERVER\Administrators', choose to remove Domain Admins, that is, of course, perfectly valid. As is making a domain user account a member of the server's Administrators group. Or removing it from a selected group. So in a sense one could say that 'DOMAIN\Administrator' is just another Windows/Unix user.
>>>> When Samba is set up as a file and/or print server, you have to make Unix aware of which domain user account/group will have extraordinary rights. As you write.
>>>> Maybe one should change views and look at the Unix/Samba complex as a virtual host where one of its guests is a file server that owns its playground, the file system it shares. The guest, Samba, utilizes Unix for its purpose. In that case Samba is contained and 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain accounts and groups should have their uid-/gidNumber set.
>>>
>>> # visudo -f /etc/sudoers.d/domain
>>> # Members of the "domain admins" group may do about anything.
>>> # And rightfully so.
>>> %domain\x20admins ALL=(ALL:ALL) ALL
>>>
>>> Apply liberally, where it is warranted.
>>>
>> If there is a need to grant selected domain users elevated rights on the Linux host. In this case root privileges. This is one way of doing it. Rowland mentioned another.
>>
>>> But back to the train of thought, every user is just one user.
>>> Mapping a user to another user creates a mess you don't want to solve yourself.
>>>
>> Maybe so. I was merely trying to express a different view. Where Samba is somewhat self-contained and uses the Linux host as a vessel for its purpose; file sharing for Windows. With that in mind, Rowland is right when he says that the domain administrator account becomes an ordinary Unix user on the Linux host. For Samba it's good enough.
>>
>> Regards
>> Davor
>>
>
> I was just pointing out that there are two ways of going about this, I did not give any preference for either. I can see good points in both ways, there are also bad points in both, so at the moment I am pretty much sitting on the fence.
>

Shortly after sending the mail I realized that I was speaking on your behalf. That was not my intention. My apologies.

Regards
Davor

> The sysadmin must make a choice, but whichever is chosen must be used alone, you shouldn't mix them.
>
>
> Rowland