Rowland Penny
2015-Nov-03  08:48 UTC
[Samba] Local Administrators (group) and delegation in AD
On 03/11/15 08:10, Davor Vusir wrote:
> No, Davor. That won't work. The delegated user account is not a member
> of 'AD\Domain Admins', which is a member of the group
> 'SERVER\Administrators'. You have to use the username map to be able
> to add the first AD group or account to 'SERVER\Administrators'.

No, Davor, you don't have to use a username map, as long as you have samba-tool on your client (which means it has to be a Unix client).

samba-tool group addmembers Domain\ Admins testunixgroup -H ldap://192.168.0.2 -UAdministrator

192.168.0.2 is the DC

Rowland
mathias dufresne
2015-Nov-04  15:09 UTC
[Samba] Local Administrators (group) and delegation in AD
As Davor wants to delegate, I expect he does not want to give the Administrator password to these persons ;) And using a keytab to avoid giving them the password is not a solution: they would be able to perform everything they want on samba, which is certainly far from the delegation he initially had in mind...

2015-11-03 9:48 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 03/11/15 08:10, Davor Vusir wrote:
>> No, Davor. That won't work. The delegated user account is not a member of
>> 'AD\Domain Admins', which is a member of the group 'SERVER\Administrators'.
>> You have to use the username map to be able to add the first AD group or
>> account to 'SERVER\Administrators'.
>
> No, Davor, you don't have to use a username map, as long as you have
> samba-tool on your client (which means it has to be a Unix client).
>
> samba-tool group addmembers Domain\ Admins testunixgroup -H ldap://192.168.0.2 -UAdministrator
>
> 192.168.0.2 is the DC
>
> Rowland
Rowland Penny
2015-Nov-04  15:49 UTC
[Samba] Local Administrators (group) and delegation in AD
On 04/11/15 15:09, mathias dufresne wrote:
> As Davor wants to delegate, I expect he does not want to give the
> Administrator password to these persons ;) And using a keytab to
> avoid giving them the password is not a solution: they would be able
> to perform everything they want on samba, which is certainly far from
> the delegation he initially had in mind...

Ah, what I posted was the same as what Davor posted, just doing it another way. If you run the command on the DC as root, you don't need the '-UAdministrator' part. It just adds the group 'Domain Admins' to the group 'Administrators'.

Also, if I remember correctly, you still need the Administrator password if you do it Davor's way.

Rowland