samba as domain controller

paul_mat · 02-13-2005, 04:14 AM

hi there i'm currently running samba as a domain controller and it's working great, but i want to be able to create administrator's that can install software and do other administrative jobs, now the root user dose this prefectly, i was wondering if anyone knows how to create another user with the same privileges as root? or if it's even possable?

my second question is i have mapped home drives in my smb.conf file and i've tryed a few different things but i can't seam to be able to make it so that only one person can view the share, this is my share in the smb.conf file:

[homes]
read only = no
browsable = no
valid users = %U
force user = %U
path = /home/%U
writeable = yes
create mode = 0600
create directory = 0700
comment = User home drive's

and this is how it is mapped

logon drive = m:
logon home = \\home\%U

i want only the user that is logged in to be able to access his own share

at the moment i can map into other user's home file

also one other thing i want to be able to map another drive, but no security on it and i was just wondering if someone could help me out there and tell me how to do that in the smb.conf file

DoubleOTeC · 02-13-2005, 02:48 PM

re domain admins:

A directive such as:
domain admin users = johndoe
should work...

Another option
http://expertanswercenter.techtarget...972546,00.html

RE "mapping with no security"

I suppose that would be like mapping a public folder?

when you map another users home dir..can you read from or write to it?

paul_mat · 02-13-2005, 05:39 PM

hi thanks for that
i'll look into it, but i'm still trying to find out if you can have more than one user with root priviliges

DoubleOTeC · 02-13-2005, 07:30 PM

I think root is unique, as apps check the UID of the user, root is 0...can't change that.

I think...correct me if I'm wrong.

U can chck out sudo if you want to create powerful users who can temporarily gain root status

hope this helps...

demerson3 · 02-13-2005, 11:15 PM

More than one user with root privileges?

Seems like what you really ought to do is give these other users more privileges, though not necessarily root privileges.

Here are a few things to look into:

1. Decide which groups these privileged users need to belong to, and make them members of those groups. (this is easier said than done; most of the problem is figuring out which group membership gives you the particular type of access you want.)

2. Read up on the "primary group". If you want a situation similar to having several root users, then you'll want these privileged members to be members of the group which is the root user's primary group. For now, I'll call it admingroup. So root's primary group is admingroup, and privileged users are members of admingroup.

3. Also read up on umask - the default file creation mask - and set root user's umask to something appropriate, like 002. 002 would give the root user, as well as the admingroup members, full privileges (read/write/execute) of any file that root creates. With 002, users who are not members of admingroup would not have write privileges. Of course, there are certain files that root will want to chmod g-w (e.g. passwd and smbpasswd)

4. I don't know what your setup is, but if you have several people who you want to allow root privilege to... these people should probably have a second admin login. You don't generally want to be using your system with lots of privileges; you should only login to the privileged account when you want to do sysadmin stuff. And, ya see, since you should be doing it that way, there's not a whole lot of need to have multiple privileged accounts -- you should just give your privileged users the root password (assuming you trust them) and have them login as root when they need to do that work. Or set up one privileged user as I've described, and give your sysadmins access to that one privileged account.

Hope this helps...
~David