Zendal Darkman
2019-Mar-14 23:45 UTC
[Samba] Just stop it with the "Domain Admins" nonsense
It's littered throughout the docs, e.g. https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

At best it's *poor practice* which should not be frowned upon, but it just shows a real disconnect with real world users and systems, where admins are not "Domain Admins".
Rowland Penny
2019-Mar-15 09:11 UTC
[Samba] Just stop it with the "Domain Admins" nonsense
On Thu, 14 Mar 2019 23:45:28 +0000 Zendal Darkman via samba <samba at lists.samba.org> wrote:

> It's littered throughout the docs, e.g.
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Cannot argue with that statement ;-)

> At best it's *poor practice* which should not be frowned upon, but it
> just shows a real disconnect with real world users and systems, where
> admins are not "Domain Admins".

It is also 'poor practice' to criticise something in the way you have, without suggesting the 'best practice'. You suggest something and if it is reasonable, I will update the wiki.

Rowland
Rowland Penny
2019-Mar-15 12:20 UTC
[Samba] Just stop it with the "Domain Admins" nonsense
On Fri, 15 Mar 2019 11:57:19 +0000 Zendal Darkman <zendal.darkman at gmail.com> wrote:

> Actually it is okay to criticise without giving a solution, if
> alternate action is evident.

It obviously isn't evident, or the wiki wouldn't have been written in the way it is.

> HOWEVER, "upon reflection" the tone of the message was wrong, and I
> apologise for it.

Apology accepted ;-)

> I acknowledge the great work the people in this list do, and you deserve
> thanks, not flippancy. I would suggest that for large organisations using
> "domain admin" accounts for day to day configuring/administering on member
> servers is not common. Usually a local admin would be used, or more
> commonly a domain user account is given admin privileges.

A local admin wouldn't be able to administrate anything in the domain, because they wouldn't be a domain user. I thought the whole idea behind the Domain Admins group was it is a group to add users to give them admin rights, or am I missing something? You could also use 'Administrators' in the same way.

> The user.map can be used: !root = SAMDOM\<user1> & net rpc rights grant
> "SAMDOM\<user1>" SeDiskOperatorPrivilege -U "SAMDOM\<user1>" (I grant
> it to a user rather than group, which I admit is not ideal)

You are also using it wrong, it should (in my opinion) only map Administrator to root, not spurious users to root.

> However when I did that I did get some errors not being able to read
> to the security tab (because user1 was mapping to root???), I had to
> use a second account (user2) with SeDiskOperatorPrivilege, for
> things to work. (Perhaps I should have removed user.map?)

No, just use it correctly.

> As I type I am extremely conscious I could be wrong and demonstrating
> my ignorance, which causes further embarrassment to me. I am not a
> "linux" person but am called on by the supposed linux admins to do
> their job and use my admin account at 11pm at night to fix a broken
> domain membership .... "-u SAMDOM\admin" (they have rights to add
> machines to an OU, and can't be bothered to "man net").

Even easier, 'net help ads join' produces amongst its output, this:

    createcomputer=OU    Precreate the computer account in a specific OU.
                         The OU string read from top to bottom without RDNs
                         and delimited by a '/'.
                         E.g. "createcomputer=Computers/Servers/Unix"
                         NB: A backslash '\' is used as escape at multiple
                         levels and may need to be doubled or even quadrupled.
                         It is not used as a separator.

I don't really see any reason here to alter the wiki, perhaps Louis has further thoughts, he knows more about Windows than I do.

Rowland
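Two small helpers for the two points Rowland's reply turns on, added here as an example; this is not code from the thread or from the Samba project. The first checks a Samba 'username map' file and rejects it if anything other than Administrator is mapped to root (the mistake Rowland calls out in the !root = SAMDOM\<user1> line). The second turns an OU's distinguished name into the top-to-bottom, '/'-delimited createcomputer= string that the 'net help ads join' text describes. The SAMDOM domain, the user.map contents and the OU DN are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# SAMDOM, the sample user.map lines and the OU DN below are constructed.

# check_user_map FILE
# A Samba 'username map' file maps a Unix user to one or more Windows names:
#   !root = SAMDOM\Administrator
# Rowland's point: only Administrator should be mapped to root. Return 0 if
# every name on a "root = ..." / "!root = ..." line is Administrator (with or
# without a domain prefix), 1 otherwise, naming the offending entries on stderr.
check_user_map() {
    # Right-hand side of every root mapping line; names are whitespace separated.
    names=$(sed -n 's/^[[:space:]]*!\{0,1\}root[[:space:]]*=[[:space:]]*//p' "$1")
    bad=0
    for n in $names; do
        n_lc=$(printf '%s' "$n" | tr '[:upper:]' '[:lower:]')
        case "$n_lc" in
            *\\administrator|administrator) ;;     # DOMAIN\Administrator or bare
            *) echo "username map: '$n' is mapped to root" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# ou_to_createcomputer DN
# 'net help ads join' wants the OU path read from the top of the tree down,
# without the OU= prefixes and delimited by '/', so
#   OU=Unix,OU=Servers,OU=Computers,DC=samdom,DC=example,DC=com
# becomes Computers/Servers/Unix. DC components are not part of the path.
ou_to_createcomputer() {
    out=""
    old_ifs=$IFS
    IFS=','
    for rdn in $1; do
        case "$rdn" in
            [Oo][Uu]=*)
                name=${rdn#*=}
                # The DN lists the deepest OU first, so prepend to reverse it.
                if [ -z "$out" ]; then out=$name; else out="$name/$out"; fi ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# --- demo on constructed input ---
tmpdir=$(mktemp -d)
printf '!root = SAMDOM\\Administrator\n' > "$tmpdir/user.map.good"
printf '!root = SAMDOM\\Administrator SAMDOM\\user1\n' > "$tmpdir/user.map.bad"
check_user_map "$tmpdir/user.map.good" && echo "user.map.good: only Administrator maps to root"
check_user_map "$tmpdir/user.map.bad"  || echo "user.map.bad: rejected"
rm -rf "$tmpdir"

# Print (not run) the join command an admin with rights on that OU would use.
ou=$(ou_to_createcomputer 'OU=Unix,OU=Servers,OU=Computers,DC=samdom,DC=example,DC=com')
printf '%s\n' "net ads join -U 'SAMDOM\\admin' createcomputer=$ou"
```

The demo only prints the net ads join line; the quoting of the backslash in the account name is the "doubled or even quadrupled" escaping the help text warns about, and it depends on the shell the command is typed into. The same per-user versus per-group question applies to the SeDiskOperatorPrivilege grant in the quoted message: net rpc rights grant accepts a group name just as it accepts a user name, so the privilege can be attached to a group rather than to user1.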