RE: [Samba] Administrator Domain SID?

2005-03-29 Thread Doug Campbell
> On Tuesday 29 March 2005 21:57, Doug Campbell wrote:
> > In the Samba How-To Chapter 13 it says:
> >
> > "
> > The Administrator Domain SID
> > Please note that when configured as a DC, it is now required that an
> > account in the server's passdb backend be set to the domain SID of the
> > default Administrator account. To obtain the domain SID on a Samba DC, run
> > the following command:
> >
> > root#  net getlocalsid
> > SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
> >
> > You may assign the Domain Administrator rid to an account using the pdbedit
> > command as shown here:
> >
> > root#  pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
> > "
> >
> >
> > Question:  Is this information still valid after samba 3.0.11?  I didn't do
> > this but things seem to be working fine.  If the information is still
> > valid, what would not having it affect?
>
> Yes, it is!
>
> OK. But what is the name of your administrator account? What is the SID for
> this account?

I currently only have three user accounts named: Administrator, dcampbell
and nobody

Both Administrator and dcampbell are in the Domain Admins group.

The SIDs are as follows:

Administrator SID: S-1-5-21-52543480-3766940008-3731351578-2996
dcampbell SID: S-1-5-21-52543480-3766940008-3731351578-3006
nobody SID: S-1-5-21-52543480-3766940008-3731351578-2998

Domain Admins SID:  S-1-5-21-52543480-3766940008-3731351578-512

> You do realize, I hope, that the RID=500 means the account is the
> Administrator for Windows clients. Any other RID will be seen by the Windows
> workstation (client) as an account other than the real Administrator.

Doesn't the fact that these accounts are in the Domain Admins group make
them "real" Administrators too?  I seem to have Administrative access to my
local machine just by being a member of the Domain Admins group.

Just now, I went ahead and set the Administrators account RID to 500 and
removed it entirely for the Domain Admins group.  I wasn't able to use it
anymore to add a machine.  I expected this to be the case since being in the
Domain Admins group and having assigned it the new SE...Privilege settings
was what was allowing it to administrate the domain.

> What more must we do to clarify the wording so that everyone clearly gets the
> message? What is not clear in the documentation?

I guess for me it would help to know what doing this step is supposed to
accomplish.  If I can understand what the purpose of this is, I might be
able to help in clarifying the wording.

Could you explain this in a little more detail, please?

Thanks!

Doug

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
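The thread turns on which account, if any, carries the local domain's RID 500. The following POSIX sh check is an added example, not code from the thread or from the Samba project: it parses constructed stand-ins for `net getlocalsid` and `pdbedit -L -v` output built from the SIDs Doug posted, and the `Unix username:` / `User SID:` field labels are an assumption about the `pdbedit -L -v` format.

```sh
#!/bin/sh
# Added example, not from the thread: does any passdb account carry the
# well-known Administrator RID (500) of *this* domain?  Both inputs are
# constructed stand-ins for command output so the script runs offline.

# Stand-in for `net getlocalsid`, using the domain SID from Doug's message
GETLOCALSID_OUT='SID for domain FOO is: S-1-5-21-52543480-3766940008-3731351578'

# Stand-in for the relevant lines of `pdbedit -L -v` (field labels assumed),
# listing the three accounts Doug posted
PDBEDIT_OUT='Unix username:        Administrator
User SID:             S-1-5-21-52543480-3766940008-3731351578-2996
Unix username:        dcampbell
User SID:             S-1-5-21-52543480-3766940008-3731351578-3006
Unix username:        nobody
User SID:             S-1-5-21-52543480-3766940008-3731351578-2998'

# domain_sid OUTPUT: the S-1-5-21-... prefix reported by net getlocalsid
domain_sid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# rid_of SID: the relative identifier, i.e. the last dash-separated component
rid_of() {
    printf '%s\n' "${1##*-}"
}

# is_domain_admin_sid DOMAIN_SID SID: true only if SID is DOMAIN_SID-500.
# RID 500 under some other prefix (e.g. a workstation's local SID) is not it.
is_domain_admin_sid() {
    [ "${2%-*}" = "$1" ] && [ "$(rid_of "$2")" = "500" ]
}

# admin_account GETLOCALSID_OUTPUT PDBEDIT_OUTPUT: name of the account holding
# <domain SID>-500, or NONE when the passdb has no such account
admin_account() {
    dom=$(domain_sid "$1")
    printf '%s\n' "$2" | awk -v want="$dom-500" '
        /^Unix username:/ { user = $3 }
        /^User SID:/      { if ($3 == want) { print user; found = 1 } }
        END               { if (!found) print "NONE" }'
}

echo "Account with RID 500: $(admin_account "$GETLOCALSID_OUT" "$PDBEDIT_OUT")"
```

On a live DC the two variables would be replaced by the real command output; with Doug's three accounts the result is NONE, which is exactly the state the HOWTO's `pdbedit -U ...-500 -u root -r` step is meant to change.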


Re: [Samba] Administrator Domain SID?

2005-03-29 Thread John H Terpstra
On Tuesday 29 March 2005 21:57, Doug Campbell wrote:
> In the Samba How-To Chapter 13 it says:
>
> "
> The Administrator Domain SID
> Please note that when configured as a DC, it is now required that an
> account in the server's passdb backend be set to the domain SID of the
> default Administrator account. To obtain the domain SID on a Samba DC, run
> the following command:
>
> root#  net getlocalsid
> SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
>
> You may assign the Domain Administrator rid to an account using the pdbedit
> command as shown here:
>
> root#  pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
> "
>
>
> Question:  Is this information still valid after samba 3.0.11?  I didn't do
> this but things seem to be working fine.  If the information is still
> valid, what would not having it affect?

Yes, it is!

OK. But what is the name of your administrator account? What is the SID for 
this account?

You do realize, I hope, that the RID=500 means the account is the 
Administrator for Windows clients. Any other RID will be seen by the Windows 
workstation (client) as an account other than the real Administrator.

What more must we do to clarify the wording so that everyone clearly gets the 
message? What is not clear in the documentation?

Have fun. :)

Cheers,
John T.

>
> BTW, I am using the ldapsam backend.
>
> Thanks!
>
> Doug

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba