This did not work this way for Samba 2.2.x -- it was not good enough to
use "admin users =" to my knowledge. Has this changed, or was I mistaken
to begin with?
---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | | Ryan Novosielski - User Support Spec. III
|$&| |__| | | |__/ | \| _| | [EMAIL PROTECTED] - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
On Mon, 27 Dec 2004, Gémes Géza wrote:
Bostjan Müller írta:
On Mon, 27 Dec 2004 15:17:18 +0100, Gémes Géza <[EMAIL PROTECTED]>
wrote:
Bostjan Müller írta:
Hi everyone,
I am trying to create a couple users (not root) who would be in Domain
Admins group, and would have the permissions to add machine to domain.
I can confirm that locally (I used sudo without password) as any of
the users of ntadm group, and each and everyone of them can add a user
to the passwd file.
They are also local admins on NT/200X/XP machines when they log in on
windows side, but neither of them can add a machine to domain via the
windows GUI.
The only user that can do that is the user root.
I have googled a lot, and all I could find was the user has to be
Domain Admin, and he has to have the unix rights to add the machine
account.
Can someone please explain to me what else has to be done for this to
work?
THX in advance,
Bostjan
By design Windows workstations treat users belonging to the Domain
Admins group as Adminstrators (the Domain Admins group become member of
the local Administrators group when the workstation joins the domain).
As Samba needs a posix account for each samba account (even for
workstations), and on *nix only root (uid=0) can create users
(accounts), you need a way to tell samba to threat some users as root.
This is the reason of existance for the admin users smb.conf parameter.
Specify admin users = @domainjoiners in the global section, and members
of the domainjoiners group will be able to create accounts, and do all
the nasty things allowed only to root (add/remove/modify shares/users)
(if you configure them in smb.conf). You can limit their access to
files/folders, by specifying admin users = root on the share definitions.
Good Luck!
Geza
Thx, but I also tried that, and the problem was, that if I added the
users to root line of smbusers:
root = user1, user2, user3
They would all map to user root, even using the same password as root
(not their own) to authenticate, which is of no use to me, because I
want to have users that do NOT have the root password.
--
buhdej evridej
You don't need to do anything with the smbusers file!
Just specify:
admin users = user1, user2, user3
or better:
admin users = @somegroup
in the [Global] section of your smb.conf
and if you are paranoid (like me ;-) )
specify
admin users = root
on every share definition
Cheers,
Geza
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
