Davor Vusir
2015-Oct-29  08:34 UTC
[Samba] Local Administrators (group) and delegation in AD
Hi all!

We have got many delegations in our AD. To add a certain administrator group to the local Administrators group you can use GPO for Windows servers. As Samba does not understand GPO, I have initially used the "username map" feature to add a domain account to become root. After the appropriate group is added via Computer Management MMC by the delegated administrator, the line "username map" is commented out and Samba is restarted. After this procedure the delegated administrators have got proper access to the server. Not using this feature of course renders an access denied error when attempting to add an AD group to the local Administrators group.

If Winbind is disabled you get the well-known SID in the members list in the properties dialog for the local Administrators group instead of the human-readable names (AD\Domain Admins...).

We are using SSSD to retrieve user and group info from AD, therefore the AD backend is commented out in smb.conf.

Do you know of another way of doing this?

Regards
Davor vusir

Relevant part of smb.conf:
# username map = /etc/samba/usermap

idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
# idmap config AD:backend = ad
# idmap config AD:schema_mode = rfc2307
# idmap config AD:range = 1000-2200000000
# winbind nss info = rfc2307

Relevant part of nsswitch.conf:
passwd: files sss winbind
shadow: files
group: files sss winbind
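The toggle described in this post (map a domain account to root only while the delegated admin adds the group, then comment the line out again), as an added shell example that is not from the thread; the file paths, the `!root = ...` map entry and the `AD\delegated-admin` account are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the temporary "username map"
# window described above. Paths and the account name are assumptions.
set -eu

SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
USERMAP="${USERMAP:-/etc/samba/usermap}"

# Rewrite $SMB_CONF in place with a sed expression (portable, no sed -i).
rewrite_conf() {
    tmp="$SMB_CONF.tmp.$$"
    sed "$1" "$SMB_CONF" > "$tmp" && mv "$tmp" "$SMB_CONF"
}

# Map file format is "unix_name = windows_name"; the leading '!' makes
# Samba stop at the first match, so no later line can also map to root.
# Mode 0600: while active, this file grants root over SMB to that account.
write_usermap() {
    printf '!root = %s\n' "$1" > "$USERMAP"
    chmod 0600 "$USERMAP"
}

# Step 1: turn the commented "# username map = ..." line into an active one.
enable_map() {
    rewrite_conf "s|^[[:space:]]*#[[:space:]]*username map[[:space:]]*=.*|username map = $USERMAP|"
}

# Step 3: comment the line out again after the group has been added.
disable_map() {
    rewrite_conf "s|^[[:space:]]*username map[[:space:]]*=|# username map =|"
}

# Returns 0 only when no active (uncommented) username map line remains,
# i.e. the root mapping is really gone before Samba is restarted.
map_is_disabled() {
    ! grep -Eq '^[[:space:]]*username map[[:space:]]*=' "$SMB_CONF"
}

# Typical sequence (run by hand; the restart command depends on the distro):
#   write_usermap 'AD\delegated-admin'; enable_map; <restart samba>
#   ...delegated admin adds the AD group via Computer Management...
#   disable_map; map_is_disabled && <restart samba>
```

Check `map_is_disabled` after every delegation: a forgotten active line leaves that domain account with root over SMB for all sessions, which is the exposure window this procedure is meant to keep short.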
Rowland Penny
2015-Oct-29  08:52 UTC
[Samba] Local Administrators (group) and delegation in AD
On 29/10/15 08:34, Davor Vusir wrote:
> Hi all!
>
> We have got many delegations in our AD. To add a certain administrator
> group to the local Administrators group you can use GPO for
> Windowsservers. As Samba does not understand GPO I have initially used
> the "username map" feature to add a domain account to become root.
> After the appropriate group is added via Computer Management MMC by
> the delegated administrator, the line "username map" is commented and
> Samba is restarted. After this procedure the delegated administrators
> have got proper access to the server. Not using this feature of course
> renders access denied error when attempting to add an AD-group to the
> local Administrators group.
>
> If Winbind is disabled you get the well known SID in members list in
> the properties dialog for the local Administrators group instead of
> the human readable names (AD\Domain Admins...).
>
> We are using SSSD to retrieve user- and groupinfo from AD, therefore
> is the AD-backend commented in smb.conf.
>
> Do you know of another way of doing this?
>
> Regards
> Davor vusir
>
> Relevant part of smb.conf:
> # username map = /etc/samba/usermap
>
> idmap config *:backend = tdb
> idmap config *:range = 2200000001-2200100000
> # idmap config AD:backend = ad
> # idmap config AD:schema_mode = rfc2307
> # idmap config AD:range = 1000-2200000000
> # winbind nss info = rfc2307
>
> Relevant part of nsswitch.conf:
> passwd: files sss winbind
> shadow: files
> group: files sss winbind
>

So, you are having problems by not using winbind and you are asking for help with sssd on a samba mailing list. I can think of ways around this, but they involve not using sssd. You may get help with this on the sssd mailing list.

Rowland
Davor Vusir
2015-Oct-29  09:47 UTC
[Samba] Local Administrators (group) and delegation in AD
On 2015-10-29 09:52, Rowland Penny wrote:
> On 29/10/15 08:34, Davor Vusir wrote:
>> Hi all!
>>
>> We have got many delegations in our AD. To add a certain
>> administrator group to the local Administrators group you can use GPO
>> for Windowsservers. As Samba does not understand GPO I have initially
>> used the "username map" feature to add a domain account to become
>> root. After the appropriate group is added via Computer Management
>> MMC by the delegated administrator, the line "username map" is
>> commented and Samba is restarted. After this procedure the delegated
>> administrators have got proper access to the server. Not using this
>> feature of course renders access denied error when attempting to add
>> an AD-group to the local Administrators group.
>>
>> If Winbind is disabled you get the well known SID in members list in
>> the properties dialog for the local Administrators group instead of
>> the human readable names (AD\Domain Admins...).
>>
>> We are using SSSD to retrieve user- and groupinfo from AD, therefore
>> is the AD-backend commented in smb.conf.
>>
>> Do you know of another way of doing this?
>>
>> Regards
>> Davor vusir
>>
>> Relevant part of smb.conf:
>> # username map = /etc/samba/usermap
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2200000001-2200100000
>> # idmap config AD:backend = ad
>> # idmap config AD:schema_mode = rfc2307
>> # idmap config AD:range = 1000-2200000000
>> # winbind nss info = rfc2307
>>
>> Relevant part of nsswitch.conf:
>> passwd: files sss winbind
>> shadow: files
>> group: files sss winbind
>>
>
> So, you are having problems by not using winbind and you are asking
> for help with sssd on a samba mailing list, I can think of ways around
> this, but they involve not using sssd. You may get help with this on
> the sssd mailing list.
>
> Rowland
>

No, Rowland. I'm not asking for help with SSSD. It's working quite fine. And so is winbind. And both are running fine together.

I'm asking if there is another way of delegating administrator access to a Samba server, a more elegant way than what I have described. I would be grateful if you could share your thoughts.

/Davor