Ask the Expert

Admin rights for users in Samba 3.0.0

I am using a RedHat 9.0 file server. I just upgraded to Samba 3.0.0 from 2.2.8 which was just about seamless, except I do not have domain users with Admin rights on Samba 3.0.0 as I did in Samba 2.2.8. Is there a way to give admin rights to certain domain users in Samba 3.0.0 or do all users just have user rights?

    Requires Free Membership to View

As you correctly point out, Samba-3 behaves a little differently than does Samba-2.2.x. That is why it is important to read the Samba-HOWTO-Collection.pdf that ships with Samba-3. You can buy this in hard copy from your local bookstore (or Amazon.Com) as "The Official Samba-3 HOWTO and Reference Guide."

The chapters that are of primary interest in respect of the question you raise are the one covering User Account Databases, and Group Mapping.

By default, if you use your unchanged smb.conf from Samba-2.2.x it should work, but with the change you have noted. The default "passdb backend" is the smbpasswd file that your old installation used.

The one thing you must accomodate is the new group mapping system. You need to map the Domain Users, Domain Admins and Domain Guests groups to valid UNIX groups. Such mapping is essential to proper domain permissions handling.

For example, to map the UNIX group "wheel" to the Windows Domain Admins group you must execute:

net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
There are two ways you can give particular users Domain Administrator privileges:

a) By adding your users to the UNIX group that maps to the Windows Domain Admins group. For example, to grant the user "georgewb" Domain Admin control:

net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
Now add "georgewb" to the wheel group in your /etc/group file.

b) Make use of the "username map" facility. In your smb.conf file [globals] section, add:

username map = /etc/samba/smbusers
In /etc/samba/smbusers:
root = Administrator georgewb
This means the when "georgewb" logs on, he will be the Domain Administrator.

This was first published in November 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: