Gustavo Michels
2008-Oct-09 20:49 UTC
[Samba] Samba PDC + LDAP: adding user to local admin group
Hi all,

I'm evaluating Zimbra [1] as the groupware server for my small company. It uses OpenLDAP for authentication services and I'm configuring a Samba server as a PDC for my company, using the same LDAP backend.

So far, so good, everything is working beautifully well: I can add computers to the domain, log in from any workstation, access shares with the appropriate rights and so on. However there's one last thing I need: some normal domain users need administrative rights on their local machines.

I know I can go into each workstation and add the user to the local administrators group, however that's not the right way to do it. Can I have it set at the domain level, so that if the user logs in on any workstation, he will be granted the correct local admin rights on that workstation?

Here's what I tried, user 'producao' (id=10003) and group 'Local Admins' (id=10005):

# net groupmap list
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) -> Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins

Here you can see that 'Local Admins' has the correct RID (544).

# getent group |grep Admin
Admins:*:10002:
Local Admins:*:10005:10003

# getent passwd |grep producao
producao:*:10003:10003:Produção Colortech:/colortech/homes/producao:/bin/false

User 'producao' is a member of the 'Local Admins' group (secondary, since I read that BUILTIN groups cannot be a primary group for a user in a Windows NT4 domain).

# /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech "cn=Local Admins"
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=Local Admins
# requesting: ALL
#

# Local Admins, groups, colortechdp.com.br
dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
gidNumber: 10005
displayName: Local Admins
sambaGroupType: 5
description: Local Admins
cn: Local Admins
sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
memberUid: 10003
objectClass: posixGroup
objectClass: sambaGroupMapping

And the information on the LDAP server seems to be correct, including the sambaGroupType property set to 5, instead of 2.

So, what is wrong in here? Or isn't it possible to do it at the domain level?

Thanks
Gustavo

[1] http://www.zimbra.com
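An added audit script (not from this thread) that parses ldapsearch LDIF output like the above and checks each sambaGroupMapping entry's sambaGroupType against where its sambaSID lives: Samba stores 2 for domain groups, 4 for local aliases and 5 for well-known groups, and the well-known BUILTIN\Administrators group is S-1-5-32-544 rather than a RID under the domain SID. The sample LDIF is constructed, with a second entry scoped under S-1-5-32 for comparison.

```python
import re

# Constructed sample LDIF: one entry modelled on the thread, one scoped under BUILTIN.
SAMPLE_LDIF = """\
dn: cn=Local Admins,ou=groups,dc=example,dc=com
gidNumber: 10005
cn: Local Admins
sambaGroupType: 5
sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
memberUid: 10003

dn: cn=Builtin Admins,ou=groups,dc=example,dc=com
gidNumber: 10006
cn: Builtin Admins
sambaGroupType: 5
sambaSID: S-1-5-32-544
memberUid: 10003
"""

GROUP_TYPES = {2: "domain", 4: "local alias", 5: "well-known (builtin)"}
BUILTIN_PREFIX = "S-1-5-32-"   # SID authority used by BUILTIN groups

def parse_ldif(text):
    """Split LDIF into entries; every attribute becomes a list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:   # skip ldapsearch comments
                continue
            key, value = line.split(":", 1)
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_group(entry):
    """Report the RID, the group type name and any type/SID scope mismatch."""
    sid = entry["sambaSID"][0]
    gtype = int(entry["sambaGroupType"][0])
    rid = int(sid.rsplit("-", 1)[1])
    problems = []
    if gtype == 5 and not sid.startswith(BUILTIN_PREFIX):
        problems.append("type 5 (builtin) but SID is domain-relative; "
                        "BUILTIN\\Administrators is S-1-5-32-544")
    elif gtype == 2 and sid.startswith(BUILTIN_PREFIX):
        problems.append("type 2 (domain) but SID lives under BUILTIN")
    return {"cn": entry["cn"][0], "rid": rid,
            "type": GROUP_TYPES.get(gtype, "unknown"), "problems": problems}

def audit_ldif(text):
    return [audit_group(e) for e in parse_ldif(text) if "sambaSID" in e]
```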
Tim Bates
2008-Oct-09 21:30 UTC
[Samba] Samba PDC + LDAP: adding user to local admin group
Gustavo Michels wrote:
> So, what is wrong in here? Or it isn't possible to do it in the domain
> level?

Not sure if you can do it like that, but if you only want to give them local admin on their own computer (and not everyone else's), you're going to want to do it on each computer manually anyway... Or via a script if you're going to have to change them often.

If you set it at a domain level like you said, it would give them admin rights anywhere they can log into.

TB
L.P.H. van Belle
2008-Oct-10 07:17 UTC
[Samba] Samba PDC + LDAP: adding user to local admin group
Hmmm, giving users local admin rights, that's not the way to do it, and it makes your network insecure. Better to control this through the domain groups.

This is how I do it: I create a domain group, add the users to it, and through a login script I create a local group and add the domain group to it. Now on directories/files or in the registry I give the local group the needed rights.

Louis

>-----Original message-----
>From: samba-bounces+belle=bazuin.nl@lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of
>Gustavo Michels
>Sent: Thursday 9 October 2008 22:27
>To: samba@lists.samba.org
>Subject: [Samba] Samba PDC + LDAP: adding user to local admin group
>
>Hi all,
>
>I'm evaluating Zimbra [1] as the groupware server for my small
>company. It
>uses OpenLDAP for authentication services and I'm configuring
>a Samba server
>as a PDC for my company, using the same ldap backend.
>
>So far, so good, everything is working beautifully well, I can
>add computers
>to the domain, login from any workstation, access shares with the
>appropriate rights and so on. However there's one last thing I
>need: some
>normal domain users need administrative rights on their local machines.
>
>I know I can go into each workstation and add the user to local
>administrators group, however that's not the right way to do
>it. Can I have
>it set on the domain level, so that if the user login on any
>workstation, he
>will be granted the correct local admin rights on that workstation?