Friday, January 23, 2004

Delegating Admin access

You can map the "Domain Admins" SID in Samba 3.0 to any Unix group, and thereby grant a Samba domain account admin access on any domain member machine. However, this account will not be able to add machines to the domain (or reset passwords, or perform other domain database functions). Basically the account gets the privileged Domain Admins SID, which the workstation recognizes, and the workstation grants the user full access to the local machine. But domain admin tasks still could not be done from Windows workstations.

At the other end, you can grant users sudo access to the administrative commands (pdbedit, net), and they could then add and remove accounts from an ssh session without being privileged Unix users.

But, to grant a user full access to the domain from the Windows side without giving them permission to wreak havoc on the Unix side, about the best you could do is to make a local Unix account on the Samba PDC, give it a uid of zero, but then not reveal the Unix password to them. In other words, the Samba domain account password is deliberately out of sync with the Unix password.
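As an added example (not part of the original post), the POSIX shell script below covers the three arrangements described above: the Domain Admins group mapping from the first paragraph, with a check that the RID 512 entry in `net groupmap list` really points at the intended Unix group; a sudoers line for the second paragraph that limits the delegated group to pdbedit and net by absolute path; and a scan for extra uid-0 accounts, which is how the uid-zero account from the third paragraph would show up in an audit. The group name `smbadmins`, the constructed `net groupmap list` and `/etc/passwd` sample lines, the SID, and the `/usr/bin` paths are all assumptions; the `net groupmap` commands are shown in comments because they need a real Samba PDC.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Assumes Samba 3.x "net groupmap list" output of the form
#   Domain Admins (S-1-5-21-...-512) -> smbadmins
# and a classic /etc/passwd layout. The group "smbadmins" is a placeholder.

# What the post describes for the first paragraph (run on the PDC, not here):
#   groupadd smbadmins
#   net groupmap add ntgroup="Domain Admins" unixgroup=smbadmins rid=512 type=domain
#   net groupmap list

# Constructed sample of "net groupmap list" output (SID is made up).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> smbadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users'

# check_groupmap GROUPMAP_TEXT UNIXGROUP
# Exit 0 only if the RID 512 (Domain Admins) entry maps to UNIXGROUP.
# The Unix group is the last whitespace-separated field of the line.
check_groupmap() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /-512\) ->/ { found = 1; if ($NF == want) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }'
}

# sudoers_fragment UNIXGROUP
# Prints one sudoers line for the second paragraph: members of UNIXGROUP may run
# only pdbedit and net as root, named by absolute path (paths are an assumption).
sudoers_fragment() {
    printf '%%%s ALL=(root) /usr/bin/pdbedit, /usr/bin/net\n' "$1"
}

# Constructed /etc/passwd sample containing the uid-zero account the third
# paragraph describes, alongside root and an ordinary user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
smbadmin:x:0:0:Samba domain admin:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh'

# extra_uid0 PASSWD_TEXT
# Prints every account other than root whose uid is 0, one per line;
# prints nothing when there are none.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Usage on the constructed samples (runs offline):
if check_groupmap "$SAMPLE_GROUPMAP" smbadmins; then
    echo "Domain Admins (RID 512) -> smbadmins: mapping present"
fi
sudoers_fragment smbadmins
extra_uid0 "$SAMPLE_PASSWD" | sed 's/^/extra uid 0 account: /'
```

On a real PDC, feed `check_groupmap "$(net groupmap list)" smbadmins` and `extra_uid0 "$(cat /etc/passwd)"` instead of the samples; the sudoers line belongs in a file under `/etc/sudoers.d/` or in `/etc/sudoers` via visudo.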
