Topic: SAMBA and permissions

[daniel]

I'm attempting to move my long standing very low maintenance Novell Server over to the SME server.  SME is doing everything the Novell did except for file sharing (last thing to move).  In my tests with using the SME as a domain controller and in using roaming profiles, I have discovered that a regular SME user (ie not a Domain Admins group user) doesn't have authorization to load up software or install updates on the PC that has joined a domain.  I'm assuming this is because they are being equated to a user group of permissions instead of a power user group of permissions.  I've already setup file acls with the fstab change, and testing shows file and directory permissions can be properly assigned to network shares.

I know I will be pushing the limits of the standard install but is there any good reading material, books or self study guides I can purchase to understand samba v3 better so I can fix my issues and make SME server a good, secure, replacement for my Netware 6.5? 

Rather than posting each time I have an issue with samba setup, I'd prefer getting the resources and reference material where I can study and solve my own problems and be an expert for others in the forum as a way to give back to the SME community.

Any thoughts are appreciated.

[kevinb]

Hello Daniel,

It sounds like you may be new to Windows Domain adminsitration. No Problem. SME replicates the Windows NT domain control. By default new users are all "standard" users with no admin rights. To give them admin rights you can do one of two things.

On their local box add them as a local user (you should be able to pick from a list of domain users) and add them to the local "administrator" group. This gives them "admin" rights on that box only.

You can also create a group in SME and in the description use "Domain Admins". Windows will pick up on this and give them full admin rights on any box they log into on the domain.

You can expand the group contol by creating more groups and using the Windows special group names in the group description. Here is a brief list:


System Operators: ?

Domain Admins:
A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.   Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Replicators:
Windows NT domains, this group is called Replicators and is used by the directory replication service. In 2K/XP the group is present but is not used.
This group supports directory replication functions and is used by the File Replication service on domain controllers in the domain. This group has no default members. Do not add users to this group.   No default user rights.

Guests:
A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
By default, the Domain Guests group is a member of this group. The Guest account (which is disabled by default) is also a default member of this group.   No default user rights.

Domain Guests:
A global group that, by default, has only one member, the domain's built-in Guest account.
This group contains all domain guests.   No default user rights.

Local Administrator: ?

Power Users:
A built-in group. By default, the group has no members. This group does not exist on domain controllers. Power Users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power Users also can install most applications; create, manage, and delete local printers; and create and delete file shares.
Members of this group can create user accounts and then modify and delete the accounts they have created. They can create local groups and then add or remove users from the local groups they have created. They can also add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources they have created. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs.   Access this computer from the network; Allow log on locally; Bypass traverse checking; Change the system time; Profile single process; Remove computer from docking station; Shut down the system.

Domain Users:
A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically.
This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).   No default user rights.

Print Operators:
A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
Members of this group can manage, create, share, and delete printers connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can log on locally to domain controllers in the domain and shut them down. This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution.   Allow log on locally; Shut down the system.

Administrators:
A built-in group . After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.
Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.   Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects

Account Operators:
A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.   Allow log on locally; Shut down the system.

Backup Operators:
A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
Members of this group can back up and restore all files on domain controllers in the domain, regardless of their own individual permissions on those files. Backup Operators can also log on to domain controllers and shut them down. This group has no default members. Because this group has significant power on domain controllers, add users with caution.   Back up files and directories; Allow log on locally; Restore files and directories; Shut down the system.

[Jáder]

Hi

May I ask you to put all this knowledge here: http://wiki.contribs.org/Windows_Integration
I think would be easier to find AND have a nice looking

If you have another tricks about this subject, do not be shy!

Thanks

Jáder

[cactus]

You can expand the group contol by creating more groups and using the Windows special group names in the group description. Here is a brief list:

Unfortunately you are wrong only a small subset can be enforced by the domain master in Windows (not only NT4) domains by default:

• Domain Admins
• Domain Users
• Domain Guests

The official page from Microsoft Technet (http://technet.microsoft.com/en-us/library/bb726982.aspx) or a more readable page (http://www.comptechdoc.org/os/windows/ntserverguide/ntsgroups.html)

[kevinb]

Unfortunately you are wrong

Well jader now you know why I did not put it in the Wiki (I have to get signed up too). 

So the domain groups in Windows NT domains are:

NT Domain Global Groups

Domain Admins - It is automatically a member of the administrators local group on all machines that are a member of the domain. This way global administrators may remotely administer any machine in the domain. It initially contains the Administrator user account.
Domain Users - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group. It initially contains all users in the domain except for guests.
Domain Guests - Contains the domain Guest account.

Thanks cactus (if that's your real name!)

[cactus]

Thanks cactus (if that's your real name!)

Nope, but you may thank me anyway!

[p-jones]

Is this a dumb question ? How do I add a group "domain admins" and have the same functionality as the MS equivalent when SME does not allow the use of spaces in a group name ? Maybe I have missed something important here

[Jáder]

Yes , you missed.
You can name the group anyway... just his description MUST be "Domain Admins". Please note the EXACT case of description or it will not work.

Jáder

[p-jones]

Ooops, my bad. Thanks for setting me straight.

[daniel]

Thanks to everyone for their comments and links.  I have used the Domain Admins group for a year or more so that I understood.  The comments have filled in the missing pieces of why Samba works  the way it does in regards to Domains.  I now have a few things to test out as a work around to the problem I was having.

I didn't see anyone recommending any good Samba reference materials.  I've seen a few on Amazon, guess I'll buy and read to see if they are worth anything, who knows, maybe I'll get a great education for $80.00.  I've certainly received a good education in the forums   

Happy Holidays everyone.

[cactus]

Is this a dumb question ?

No there are no dumb questions... only dumb answers.

[kevinb]

No there are no dumb questions... only dumb answers.

Isn't that the dumbest thing you've ever heard?

[Boris]

No there are no dumb questions... only dumb answers.

Isn't that the dumbest thing you've ever heard?

Evidently, there are dumb questions as well 

[Elliott]

I didn't see anyone recommending any good Samba reference materials.  I've seen a few on Amazon, guess I'll buy and read to see if they are worth anything, who knows, maybe I'll get a great education for $80.00.

I've enjoyed the tidbits that I've picked up in O Reilly's "Using Samba", Third Ed.