samba - Sep 2013 - How to allow users to be local admin

Hi,

it's some time that I had to touch our samba installation and may be
somewon can point me to the right direction.

We run a samba-3.6.9 PDC with ldap backend and windows 7 clients.
Everything for normal users is working fine (domain logon, roaming
profiles).

But now we'd like to enable our systemadministartors to login to any
workstation with there domain user and install software or do other
administrative things.

I'v read a bit about domian accounts and mappings. But I'm not sure
where to add or change what.

The admins affected are also in a special posix group.

There are also "Domain Admins" and "Administrators" posix
groups and net
groupmap entries.

Would be great if some one can help me.

	Thanks and regards . G?tz

-- 
G?tz Reinicke
IT-Koordinator

Tel. +49 7141 969 82 420
Fax  +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016

Vorsitzender des Aufsichtsrats: J?rgen Walter MdL
Staatssekret?r im Ministerium f?r Wissenschaft,
Forschung und Kunst Baden-W?rttemberg

Gesch?ftsf?hrer: Prof. Thomas Schadt

Hello G?tz,

Am 02.09.2013 14:43, schrieb G?tz Reinicke - IT
Koordinator:
> it's some time that I had to touch our samba installation and may be
> somewon can point me to the right direction.
>
> We run a samba-3.6.9 PDC with ldap backend and windows 7 clients.
> Everything for normal users is working fine (domain logon, roaming
> profiles).
>
> But now we'd like to enable our systemadministartors to login to any
> workstation with there domain user and install software or do other
> administrative things.
>
> I'v read a bit about domian accounts and mappings. But I'm not sure
> where to add or change what.
>
> The admins affected are also in a special posix group.
>
> There are also "Domain Admins" and "Administrators"
posix groups and net
> groupmap entries.
>
> Would be great if some one can help me.
I'm not sure if this is possible with an NT4-style domain. With (Samba) 
AD it is, if you plan to migrate. Then you can use "restricted groups"
for that 
(http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain).

I don't know how many clients you have. If it's a manageable size, you 
can create a group in your domain, go to each workstation and add this 
domain group to the local administrators group once. Then everyone who 
is member of that domain group is automatically local admin on each of 
that machines (this is what you do with the "restricted group" in AD
in
2 mins, without leaving your desk). You only have to add this domain 
group on every PC you reinstall.

But if it's a possibility, migrate to Samba AD. AD brings you many great 
features, expecially GPO, multi master replication, etc.


Regards,
Marc