configuring samba users to join clients to the domain

fdelval · 02-03-2011, 05:30 AM

Hello all,

Im currently using an english book to setup my samba server, and im having problems understanding it.

I explain my problem.

I dont want to use root to join clients to the domain; i prefer creating a plain user.

Ok, so, the steps i follow are:

net groupmap add unixgroup=srvadmins ntgroup="Server Admins"

net groupmap add ntgroup="Domain Admins" unixgroup=dmnadmins rid=512 type=d

net rpc rights grant 'ORA\Server Admins' seMachineAccountPrivilege

This way, i have a group called srvadmins with permissions to join clients, a group called dmnadmins with permissions to manage users and other permissions, and root.

Now, users: "root", "dmnadmin"(from dmnadmins group) and "srvadmin" (from srvadmins group) can add machines to domain.
Root because is root, srvadmin because i granted permissions, and dmnadmin because is admin

So i wonder, why srvadmins group is needed to be granted privileges?

I tryed to lower dmnadmins privileges by revoking semachineaccountprivilege privilege, but didnt worked

net rpc rights revoke 'ORA\Domain Admins' seMachineAccountPrivilege

looks like its privileges comes from another group and it user managed to add a machine to the domain correctly.

Ok, so, is this really usefull? why do i need 3 kind of users to be able to join to the domain?

should i really stick to using root to join clients?

thanks

xeleema · 02-04-2011, 01:49 AM

Greetingz!

Let me make sure I understand your question; You're using an Open Source implementiation of a Microsoft scheme/protocol while struggling with English, and you wonder why you're having problems, correct?

fdelval · 02-04-2011, 02:21 AM

Quote:

Originally Posted by xeleema

Greetingz!

Let me make sure I understand your question; You're using an Open Source implementiation of a Microsoft scheme/protocol while struggling with English, and you wonder why you're having problems, correct?

Well, the problem is about user rights and privileges.

if you say microsoft here is important, then, i should start up by stuying the turing machine to understand my problem.
if english would be a really important problem, then, i shouldnt be posting in an english forum.

Can you help about privileges?

xeleema · 02-04-2011, 03:22 AM

If you're trying to avoid having to run everything as root, and no one is in the "wheel" group, you can do one of two things;

1) Just use "sudo"
2) Use the "wheel" group.

a) First, find out if the wheel group exists with "grep wheel /etc/group". If it does, add your regular user account to that group.
b) Note what groups you're apart of with "id username"
c) Then usermod -g wheel username
d) Confirm that username was added to the "wheel" group by checking the output of "id username" again.
e) Now for any commands you want to use, you'll need to do two things;
i) Set the owner+group to the commands you need "chown root:wheel /usr/bin/somebinary"
ii) Lock-down the permissions to the commands you need "chmod 750 /usr/bin/somebinary"
iii) Flip the SetUID bit on the commands you need "chmod u+s /usr/bin/somebinary"
iv) It should look like this when done;
Code:
-rwsr-x--- 1 root wheel 0 Feb  4 03:17 /usr/bin/somebinary

WARNING: "SetUID" binaries are dangerous, anyone that can run them, will do so with root's effective UID. If you do not know what this means, what "SetUID" is, google/read/lrn2sysadmin first.