On Fri, 5 Sep 2003, Rauno Tuul wrote:

> Hi,
>
> Could someone explain, why was parameter "domain admin group" removed from
> samba3?
> passdb/pdb_ldap got totally rewritten... but why remove a useful
> variable...

Because you now have something much more powerful that provides real NT
Groups to your NT/200x/XP clients.

Here are the basic steps:

1. Add a UNIX group account that will be mapped to the NT Domain Admins
   global group:

        groupadd ntadmins

2. Now add the UNIX users who should be a member of the NT Domain Admins
   group to the UNIX ntadmins account:

   a) You can edit /etc/group so that the ntadmins entry looks like:

        ntadmins:x:543:maryo,willy,billg

   -OR-

   b) Use the system toolset to do this by:

        usermod -G ntadmins maryo
        usermod -G ntadmins willy
        usermod -G ntadmins billg

3. Now map the UNIX group to the NT Domain Admins group:

        net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins

4. Done.

Hope this helps! It is covered in the Samba-HOWTO-Collection.pdf file that
is included with Samba-3 in the docs directory.

Let me know if we missed anything! :)

- John T.

> # Removed Parameters (order alphabetically):
> #   * domain admin group
>
> In 2.2.8 (with LDAP backend) I defined
> domain admin group = @"Domain Admins"
> and added several users to that group for creating machine accounts. I
> worked and well. Users in that group didn't have root permissions, but were
> able to add new accounts.
>
> But what I do in samba3?
>
> # add machine script - will be run by smbd(8)
> # when a machine is added to it's domain using
> # the administrator username and password method".
>
> I made a custom script, based on idealx useradd script and added some lines
> for working with LAM (http://lam.sf.net).
> Problem is, how can this script be used by others, who need to add machine
> accounts...
> Am I correct, that samba assumes "administrator username = root" ????
>
> # admin users - list of users who will be granted administrative
> # privileges on the share. This means that they will do all
> # file operations as the super-user (root)".
>
> Defining several people to be "admin users", isn't also the right solution,
> cause they get too high privileges. On shares and file access.
> I used it and managed to add new machine account... For samba I was
> "logged in as admin user (root privileges)".
>
> # The name of the account that is used to create domain member
> # machine accounts can be anything the network administrator
> # may choose. If it is other than root then this is easily
> # mapped to root using the file pointed to be the smb.conf
> # parameter username map = /etc/samba/smbusers."
>
> Doesn't that make exactly the same as listing users as admin users? Basically
> will samba recognize that "anything" as "admin user (root privileges)" or
> not?
>
> Any recommendations? solutions?
>
> Regards,
>
> Rauno Tuul

-- 
John H Terpstra
Email: [EMAIL PROTECTED]
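
An added example, not part of the original message or of Samba: once step 3 maps ntadmins to Domain Admins, membership of that UNIX group is what grants the NT group, so this script lists the group's effective members from group- and passwd-format files and reports any account missing from an allowlist. The function names, the allowlist and the svcbackup account are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original message): review who holds NT
# "Domain Admins" through the mapped UNIX group (ntadmins in step 3).

# effective_members GROUP_FILE PASSWD_FILE GROUP
# Prints every account in GROUP: members listed in the group file plus
# accounts whose primary GID is the group's GID. Returns 2 if GROUP is absent.
effective_members() {
    gid=$(awk -F: -v g="$3" '$1 == g { print $3; exit }' "$1")
    [ -n "$gid" ] || return 2
    {
        awk -F: -v g="$3" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# unexpected_members GROUP_FILE PASSWD_FILE GROUP ALLOWED...
# Prints members missing from the allowlist; returns 1 if there are any.
unexpected_members() {
    gf=$1; pf=$2; grp=$3; shift 3
    members=$(effective_members "$gf" "$pf" "$grp") || return 2
    extra=""
    for m in $members; do
        case " $* " in
            *" $m "*) ;;
            *) extra="$extra$m
" ;;
        esac
    done
    [ -n "$extra" ] || return 0
    printf '%s' "$extra"
    return 1
}

# Constructed sample data: svcbackup has ntadmins (GID 543) as primary group.
demo_audit() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'ntadmins:x:543:maryo,willy,billg' 'users:x:100:' > "$d/group"
    printf '%s\n' 'maryo:x:1001:100::/home/maryo:/bin/sh' \
        'svcbackup:x:1002:543::/home/svcbackup:/bin/sh' > "$d/passwd"
    rc=0
    unexpected_members "$d/group" "$d/passwd" ntadmins maryo willy billg || rc=$?
    rm -rf "$d"
    return $rc
}

demo_audit || echo "^ not on the Domain Admins allowlist"
```

On a live server the two files would be /etc/group and /etc/passwd, and `net groupmap list` shows which UNIX group is currently mapped to Domain Admins.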