Admin rights for users in Samba 3.0.0

Admin rights for users in Samba 3.0.0

I am using a RedHat 9.0 file server. I just upgraded to Samba 3.0.0 from 2.2.8 which was just about seamless, except I do not have domain users with Admin rights on Samba 3.0.0 as I did in Samba 2.2.8. Is there a way to give admin rights to certain domain users in Samba 3.0.0 or do all users just have user rights?

    Requires Free Membership to View

    Login

    When you register, my team of editors will also send you resources covering Linux administration and management; integration and interoperability between Linux, Windows and Unix; securing Linux and mixed-platform environments; and migrating to Linux.

    Cathleen A. Gagne, Senior Editorial Director

    By submitting your registration information to SearchEnterpriseLinux.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchEnterpriseLinux.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

As you correctly point out, Samba-3 behaves a little differently than does Samba-2.2.x. That is why it is important to read the Samba-HOWTO-Collection.pdf that ships with Samba-3. You can buy this in hard copy from your local bookstore (or Amazon.Com) as "The Official Samba-3 HOWTO and Reference Guide."

The chapters that are of primary interest in respect of the question you raise are the one covering User Account Databases, and Group Mapping.

By default, if you use your unchanged smb.conf from Samba-2.2.x it should work, but with the change you have noted. The default "passdb backend" is the smbpasswd file that your old installation used.

The one thing you must accomodate is the new group mapping system. You need to map the Domain Users, Domain Admins and Domain Guests groups to valid UNIX groups. Such mapping is essential to proper domain permissions handling.

For example, to map the UNIX group "wheel" to the Windows Domain Admins group you must execute: 

net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
There are two ways you can give particular users Domain Administrator privileges:

a) By adding your users to the UNIX group that maps to the Windows Domain Admins group. For example, to grant the user "georgewb" Domain Admin control: 

net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
Now add "georgewb" to the wheel group in your /etc/group file.

b) Make use of the "username map" facility. In your smb.conf file [globals] section, add: 

username map = /etc/samba/smbusers
In /etc/samba/smbusers: 
root = Administrator georgewb
This means the when "georgewb" logs on, he will be the Domain Administrator.

This was first published in November 2003