Windows 2000, Samba and Linux accounts.


TheMuso
06-17-2001, 11:16 PM
Hello

In about a month, I will be upgrading our home computers to Windows 2000 (two desktops, one laptop of mine). As I understand it, an administrator uses their account as normal, but has administrator privileges. What I also plan to do is set up a Linux box running Samba 2.2.0 offering as much domain functionality as it allows. What I want to do is to have a couple of accounts on the Windows 2000 boxes that have administrative privileges. I can also set these up in Samba, but would also like to sync these with standard Linux accounts.

So how is it possible to have two users that have the power of a full administrator in Linux and Samba, so that the domain allows us to have administrative privileges of Windows 2000 boxes? I don’t exactly want to have the root account having to be used, as the other administrator (my mother) wants to be able to disable programs of my sister’s when she shouldn’t use them.

I will be using Debian 2.2 and, as stated previously, Samba 2.2.0.

Any help would be appreciated.

Craig McPherson
06-17-2001, 11:25 PM
Let me tell you one easy setup. It might not be exactly what you want, but maybe you can think of something better.

On a Samba machine, Samba has its own accounts database, wherein Samba users are mapped onto system users. Usually, Samba user "bob" is mapped onto system user "bob", Samba user "bill" is mapped onto system user "bill", etc.

But it doesn't have to be done this way. Samba user "bob" can be mapped onto system user "root", as can user "bill", and therefore "bob" and "bill" would both have full access through Samba, but neither would actually have a login account on the machine.

*to be continued*

[ 17 June 2001: Message edited by: Craig McPherson ]

Craig McPherson
06-17-2001, 11:43 PM
I take it that's what you wanted -- both accounts to have admin rights, but not to have root logins on the Linux machine itself. If you DO want that, then just set the uid's of the system accounts on the Linux box to "0", and they'll become root users.

Now, on each of the Windows 2000 machines, you simply need to get the system to join the domain, and then add those user accounts to the Administrators group. Each Windows 2000 machine has a local group called Administrators, and the domain Administrators get full access to the system by being added to the local Administrators group on each machine.

TheMuso
06-18-2001, 02:28 AM
Thanks Craig.
However, are there any risks or problems with changing other UIDs to 0 other than root?

Craig McPherson
06-18-2001, 03:44 AM
Well, you'll effectively have multiple root users on the system: it's the uid 0 that makes a user a Superuser, and not the username "root". Complications:

1. All users with a uid=0 account will have complete Superuser access to the system, and need to understand the implications thereof and the standard "do this / don't do that" stuff.

2. All users with a uid=0 account need to have good passwords. Use pwgen to generate strong random-but-pronounceable passwords. I personally can't pronounce "fathouth" or "kaxithi" or "oholaea", but they're good passwords.

3. "ls -l" will list files owned by any of those users as being owned by "root". File ownership is recorded by UID, not by username. All files owned by those users will be owned by UID 0, and hence will show as owned by root.