Vadim Vatlin wrote:
User in group Domain Admins hasn't superuser (Administrator) privileges.

For the first:

shell> adduser poweruser
shell> pdbedit -a -u poweruser
shell> id poweruser
uid=1004(poweruser) gid=1005(poweruser) groups=1005(poweruser)

shell> net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=poweruser type=d
shell> pdbedit -vL poweruser
Unix username:        poweruser
NT username:
Account Flags:        [U ]
User SID:             S-1-5-21-464898509-599635920-2875905535-1009
Primary Group SID:    S-1-5-21-464898509-599635920-2875905535-512
Full Name:            poweruser
Home Directory:       \\domain\poweruser
HomeDir Drive:
Logon Script:
Profile Path:         \\domain\poweruser\profile
Domain:               DOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 24 Oct 2007 15:44:59 MSD
Password can change:  Wed, 24 Oct 2007 15:44:59 MSD
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


shell> adduser plainuser
shell> pdbedit -a -u plainuser
shell> pdbedit -nL plainuser
[skip]
User SID:             S-1-5-21-464898509-599635920-2875905535-1010
Primary Group SID:    S-1-5-21-464898509-599635920-2875905535-513
[skip]

Now:
1) I login on share as "plainuser" and create folder "222".
2) logout.
3) Login as poweruser, and I can't remove folder "222"
 Permission denied.

Why???

You haven't included any information about the permissions on the filesystem or how the share was configured. So by what you have included... Making a user be called "powersomething" or be included in any "Administrator of Whatever" group, or making the RIDs of these accounts anything you want, doesn't make them have any special power.

For these accounts to be "seen" as such by the clients you put the proper RIDs, and for these accounts to be able to perform *some* "administrative tasks" you assign privileges.

There are two places where you can be allowed or denied to do something: the system itself and Samba. The short answer: probably because your filesystem permissions don't allow you to do that. There's only one user that can do whatever it wants on a UNIX filesystem: root.


Have you read the chapter [1] of the Samba documentation that explains how File, Directory, and Share Access Controls work? There's a chapter that explains what privileges are and do, too.

1. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html


Regards.

Edmundo Valle Neto
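
The filesystem-side check the reply points to, as an added example (not part of the original thread and not Samba code): a small Python diagnostic that applies the standard Unix mode-bit rules for removing a directory entry such as folder "222". It assumes plain mode bits only (no POSIX ACLs) and ignores share-level settings in smb.conf; `removal_verdict` is a hypothetical helper name, and the demo directory is constructed.

```python
import os
import stat
import tempfile


def removal_verdict(path, uid, gids):
    """Return (allowed, reason) for a Unix user removing `path`.

    Assumption: only classic mode bits are evaluated; ACLs are ignored.
    """
    if uid == 0:
        return (True, "root bypasses mode-bit checks")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    est = os.lstat(path)
    # Removing an entry modifies the PARENT directory, so the caller needs
    # write (2) and search (1) permission there, not on the entry itself.
    if uid == pst.st_uid:
        bits = (pst.st_mode >> 6) & 7
    elif pst.st_gid in gids:
        bits = (pst.st_mode >> 3) & 7
    else:
        bits = pst.st_mode & 7
    if bits & 3 != 3:
        return (False, "no write+search permission on parent %s (%s)"
                % (parent, stat.filemode(pst.st_mode)))
    # Sticky parent: only the owner of the entry or of the parent may remove.
    if pst.st_mode & stat.S_ISVTX and uid not in (est.st_uid, pst.st_uid):
        return (False, "parent is sticky and caller owns neither entry nor parent")
    return (True, "parent directory permits removal")


if __name__ == "__main__":
    # Constructed stand-in for the share; uid 1004 / gid 1005 are poweruser's
    # ids from the `id poweruser` output quoted in the thread.
    with tempfile.TemporaryDirectory() as share:
        folder = os.path.join(share, "222")
        os.mkdir(folder)
        for mode in (0o755, 0o777, 0o1777):
            os.chmod(share, mode)
            print(oct(mode), removal_verdict(folder, 1004, {1005}))
        os.chmod(share, 0o700)  # restore so cleanup succeeds
```

A "denied" verdict here means the Unix layer refuses the removal regardless of the Domain Admins mapping; an "allowed" verdict still leaves the Samba share settings to be checked.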