[opensuse] Security with SAMBA as PDC ?
Hi,

to use SAMBA as PDC for a Windows domain it needs an administrative user on the server to create machine and user accounts for the clients. Obviously root could do this.

Here is the issue: the on-site maintenance of client PCs and users is done by an assistant who shouldn't get access to everything on the file server. So I can't give him root credentials or even let him execute passwd.

Even if I prepared some user and machine accounts he still needs the administrative user to let those client PCs join the domain.

How can I have cake and eat it?

Regards
Andreas

PS.: OpenSuse 10.3, Windows 2000 and Windows XP clients.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Wed, Jun 11, 2008 at 6:39 PM, Andreas <maps.on@gmx.net> wrote:
> Hi,
>
> to use SAMBA as PDC for a Windows domain it needs an administrative user on the server to create machine and user accounts for the clients. Obviously root could do this.
>
> Here is the issue: the on-site maintenance of client PCs and users is done by an assistant who shouldn't get access to everything on the file server. So I can't give him root credentials or even let him execute passwd.
>
> Even if I prepared some user and machine accounts he still needs the administrative user to let those client PCs join the domain.
>
> How can I have cake and eat it?
I don't have any experience with Linux PDCs. But I would try joining the server to the domain, forcing users to log on to the domain to log on to the server, and making your assistant a domain admin.

Why is it important that he can't use passwd?

Also, do you have ACLs turned on? They may help you fine-tune what you want. See: How to share directories between groups of users using ACL http://en.opensuse.org/How_to_share_directories_between_groups_of_users_usin...

That should give you some clues. But it is not directly related.

Mike
Michael Mientus wrote:
> I don't have any experience with Linux PDCs. But I would try joining the server to the domain, forcing users to log on to the domain to log on to the server, and making your assistant a domain admin.
The server "is" the domain, I thought. There is just this box and some clients.

Thanks Mike,

first of all, I was wrong where I thought the assistant needed to be in the root group to join clients to the domain even when the machine account already exists. In this case it's enough to be an admin user within Samba but remain an unprivileged unix user.

To create new machine or domain-user accounts on the host he would have to run adduser, which is AFAIK restricted to root users.

I'm still getting used to this domain topic so I have to learn a lot.
On Thu, Jun 12, 2008 at 3:17 PM, Andreas <maps.on@gmx.net> wrote:
> The server "is" the domain, I thought. There is just this box and some clients.
In Windows that would be true. But I don't think it is necessarily true in Linux.
> first of all, I was wrong where I thought the assistant needed to be in the root group to join clients to the domain even when the machine account already exists. In this case it's enough to be an admin user within Samba but remain an unprivileged unix user. To create new machine or domain-user accounts on the host he would have to run adduser, which is AFAIK restricted to root users.
An inelegant solution would be to change the ownership and permissions on that command. However, that will probably open up security holes.

For an elegant solution you might want to try the networking list: opensuse-networking@opensuse.org

Even if I didn't get an answer there I would keep looking. This seems like it would be a common problem. And there must be a common answer.

You might try looking at solutions intended for Fedora users. Just keep in mind that Fedora has to deal with SELinux. And it has its own X.500 implementation: FedoraDS.
> Thanks Mike,
You are welcome.

Mike
Andreas wrote:
> Hi,
>
> to use SAMBA as PDC for a Windows domain it needs an administrative user on the server to create machine and user accounts for the clients. Obviously root could do this.
>
> Here is the issue: the on-site maintenance of client PCs and users is done by an assistant who shouldn't get access to everything on the file server. So I can't give him root credentials or even let him execute passwd.
>
> Even if I prepared some user and machine accounts he still needs the administrative user to let those client PCs join the domain.
>
> How can I have cake and eat it?
>
> Regards
> Andreas
>
> PS.: OpenSuse 10.3, Windows 2000 and Windows XP clients.
You should set up Samba to be able to use Windows' "User Manager for Domains" to manage your users. A starting point is: http://nl2.samba.org/samba/docs/man/Samba-Guide/secure.html

Scroll down to "Samba Configuration". In smb.conf study the "add user script" and the following lines. Then study paragraph 5, the script to map NT groups to unix groups.

If set up well, you should be able to give your assistant rights to add machines and users without giving him rights on the Samba server. He would be a member of the "Domain Admins" group, or rather he should have a separate account which is a member of the "Domain Admins" group. Don't make his "normal" account a member of the "Domain Admins" group.

HTH,
Koenraad Lelong.

P.S. The Windows 2000 version of "User Manager for Domains" (Nexus) does not work on XP! Search for the resource kit which contains the User Manager.
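A worked smb.conf fragment for the delegation Koenraad describes, added here as an example (it is not the thread's or the Samba-Guide's own configuration). The domain EXAMPLE, the host name PDC, the unix groups ntadmins and machines, and the separate admin account assistant-adm are assumed placeholders. It pairs the add user / add machine scripts with a "Domain Admins" group mapping and the two Samba privileges that let a non-root Samba admin create accounts, so the assistant needs neither a root shell nor passwd on the server.

```ini
; /etc/samba/smb.conf fragment for a Samba 3 PDC (added example, not the
; thread's or the Samba-Guide's own config). Assumed placeholders: domain
; EXAMPLE, host PDC, unix groups "ntadmins" and "machines", and a separate
; admin account "assistant-adm" for the assistant.
[global]
    workgroup = EXAMPLE
    netbios name = PDC
    security = user
    passdb backend = tdbsam
    domain logons = yes
    domain master = yes
    preferred master = yes
    os level = 65
    ; Privileges (SeAddUsersPrivilege etc.) are what allow a Samba
    ; "Domain Admins" member who is NOT unix root to create accounts.
    enable privileges = yes
    ; smbd runs these scripts as root on the server itself, so the
    ; assistant never needs a root shell, sudo, or passwd. %u is the
    ; account name; machine accounts end in "$" and get no login shell.
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add machine script = /usr/sbin/useradd -M -g machines -d /var/lib/nobody -s /bin/false '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/bin/gpasswd -a '%u' '%g'
    delete user from group script = /usr/bin/gpasswd -d '%u' '%g'

; One-time setup, run as root on the server (commands, not config lines):
;   groupadd ntadmins
;   groupadd machines
;   net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
;   net rpc rights grant 'EXAMPLE\Domain Admins' \
;       SeMachineAccountPrivilege SeAddUsersPrivilege -U root
;   useradd -s /bin/false assistant-adm
;   gpasswd -a assistant-adm ntadmins
;   smbpasswd -a assistant-adm
; Check the result with: net rpc rights list accounts -U root
; The assistant logs on to User Manager as EXAMPLE\assistant-adm; his
; unix account has no shell and no sudo entry, so he cannot log in to the
; server itself, only drive account creation through smbd's scripts.
```

Keep his everyday login out of ntadmins, as Koenraad says; only the separate admin account should carry the mapped "Domain Admins" membership.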