Topic: Samba admin rights on SME

[rosie]

To maintain the primary web-site I always login on the SME Server through my Win XP client as admin using the standard Samba SME setup. I want to grant admin rights to be able to read and write in all the other users folders. How do I do that? Thanks!

[guestHH]

Hi,

Try winscp.: http://winscp.vse.cz/eng/

Install it on your client computer and connect to your SME server as root.

Regards,
guestHH

[J Price]

WinSCP will work fine.  However, I still would like to know if you can create domain-groups and have group rights/permissions inherited by members of the group like NT/W2k can.  Is this possible?

So far, in order to grant admin access to a W2K Pro machine I have had to make the domain user a memeber of the local machine's administrator group.  But with a NT,W2K domain controller you do not have to do this.

Thanks,

James

[Greg Zartman]

This solution requires the creation of a custom template fragment for the Samba configuration file, smb.conf.

1.  Terminal into your SME server and login as root.

2.  [root@sme5 /root]# pico /etc/e-smith/templates-custom/etc/smb.conf/11domainAdminGroup.

3.  Paste, or type, the following into the 11domainAdminGroup text document.  Don't forget the leading and trailing braces!!

{
# ------------------
# 11domainAdminGroup
# ------------------
# This parameter is intended as a temporary solution to enable
# users to be a member of the "Domain Admins" group when a Samba
# host is acting as a PDC. A complete solution will be provided
# by a system for mapping Windows NT/2000 groups onto UNIX groups.
# Please note that this parameter has a somewhat confusing name.
# It accepts a list of usernames and of group names in standard
# smb.conf notation.

    return "" unless ($SambaDomainMaster eq "yes");

    local %services = ( smb => $smb );

    my $default = "admin";

    my $smbDomainAdminGroup = db_get_prop(\%services, "smb", "DomainAdminGroup") || $default;

    "domain admin group = \@$smbDomainAdminGroup";
}

4. Set the "domain admin group" in the configuration:

[root@sme5 /root]# /sbin/e-smith/config setprop smb DomainAdminGroup admin
-- or --
[root@sme5 /root]# /sbin/e-smith/config setprop smb DomainAdminGroup shared

5. Expand the template:

[root@sme5 /root]# /sbin/e-smith/expand-template /etc/smb.conf

6. Restart samba:

[root@sme5r /root]# /etc/rc.d/init.d/smb restart

Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]


Users will need to log-off client machines and re-log in for these changes to take effect.

[J Price]

Thanks, a lot Greg...this helps.  One more question though...can other domain groups be created besides administrators and can we set unique rights/permissions to each?

-James

[Greg Zartman]

James,

No, not in the current version of Samba.  Samba 2.x only understands the domain users and domain admins groups.

Samba 3.x, currently in alpha/beta, should break this barrier and provide a more transparent "windows" type domain, including active directory support.   No clue as to when Samba 3.x will go production.  It's been in alpha/beta for over a year now.

I've been toying contemplating installing Samba 3.x on a SME test box...  

Greg Zartman

[John Redd]

Greg (or anyone else reading)

Does the below steps work for SME 5.5?  I was setting this up and everything was fine up until expanding the template:

>
> 5. Expand the template:
>
> [root@sme5 /root]# /sbin/e-smith/expand-template /etc/smb.conf
>

When this executed it came back with errors regarding line 13, which is

>
>     return "" unless ($SambaDomainMaster eq "yes");
>

The error had something to do with a variable.  Is the $SambaDomainMaster a valid variable in SME 5.5, and if not, where can it be created so that this solution will work?  Or is it necessary to upgrade to SME 5.6?

Regards

John

[darren]

Has anyone got this working on sme 5.6 yet
how do you fix the SambaDomainMaster problem (i.e see previous post)