lejeczek
2016-May-19 16:37 UTC
[Samba] linux server a member of AD (with use of realm) - and samba?
On 19/05/16 16:49, Rowland penny wrote:
> On 19/05/16 15:50, lejeczek wrote:
>> fellow users
>>
>> I'd like to ask: is it possible, and if yes, what's the correct way to configure, to have local samba (where the box has joined AD with realm) use that membership in a way to have users from the AD user catalog.
>> I guess what I'm thinking is - how do I get those AD users that linux, now being a member, sees, to samba and without winbinding & the whole full AD config? Kind of a:
>> AD<=linux.SSSD=>linux.samba <= AD users access samba
>>
>> go easy on me, I've never done samba+AD
>> many thanks,
>> L.
>
> If you want to use Linux + Samba + sssd with an AD domain, you are asking in the wrong place, try the sssd users mailing list.
>
> If however you want to use Samba with an AD domain, see here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Rowland

thanks Rowland
I'll do, check with sssd people,
last one - is it possible to join AD samba's way while one has only admin/management control over an OU in the AD domain and has NO Domain Admin access?
I see realm does it but I wonder if Samba too can do it.
Rowland penny
2016-May-19 17:06 UTC
[Samba] linux server a member of AD (with use of realm) - and samba?
On 19/05/16 17:37, lejeczek wrote:
> On 19/05/16 16:49, Rowland penny wrote:
>> On 19/05/16 15:50, lejeczek wrote:
>>> fellow users
>>>
>>> I'd like to ask: is it possible, and if yes, what's the correct way to configure, to have local samba (where the box has joined AD with realm) use that membership in a way to have users from the AD user catalog.
>>> I guess what I'm thinking is - how do I get those AD users that linux, now being a member, sees, to samba and without winbinding & the whole full AD config? Kind of a: AD<=linux.SSSD=>linux.samba <= AD users access samba
>>>
>>> go easy on me, I've never done samba+AD
>>> many thanks,
>>> L.
>>
>> If you want to use Linux + Samba + sssd with an AD domain, you are asking in the wrong place, try the sssd users mailing list.
>>
>> If however you want to use Samba with an AD domain, see here:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> Rowland
>
> thanks Rowland
> I'll do, check with sssd people,
> last one - is it possible to join AD samba's way while one has only admin/management control over an OU in the AD domain and has NO Domain Admin access?
> I see realm does it but I wonder if Samba too can do it.

Anything is possible I suppose, but why?
If by 'Domain Admin' you mean 'Administrator', you can replace this user, but somebody is going to have to be able to do what 'Administrator' does.
How does realm (I think you mean realmd) do this? Can you post a link to something that describes how to?

Rowland
mathias dufresne
2016-May-23 12:14 UTC
[Samba] linux server a member of AD (with use of realm) - and samba?
2016-05-19 19:06 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 19/05/16 17:37, lejeczek wrote:
>> On 19/05/16 16:49, Rowland penny wrote:
>>> On 19/05/16 15:50, lejeczek wrote:
>>>> fellow users
>>>>
>>>> I'd like to ask: is it possible, and if yes, what's the correct way to configure, to have local samba (where the box has joined AD with realm) use that membership in a way to have users from the AD user catalog.
>>>> I guess what I'm thinking is - how do I get those AD users that linux, now being a member, sees, to samba and without winbinding & the whole full AD config? Kind of a: AD<=linux.SSSD=>linux.samba <= AD users access samba
>>>>
>>>> go easy on me, I've never done samba+AD
>>>> many thanks,
>>>> L.
>>>
>>> If you want to use Linux + Samba + sssd with an AD domain, you are asking in the wrong place, try the sssd users mailing list.
>>>
>>> If however you want to use Samba with an AD domain, see here:
>>>
>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>
>>> Rowland
>>
>> thanks Rowland
>> I'll do, check with sssd people,
>> last one - is it possible to join AD samba's way while one has only admin/management control over an OU in the AD domain and has NO Domain Admin access?
>> I see realm does it but I wonder if Samba too can do it.
>
> Anything is possible I suppose, but why?
> If by 'Domain Admin' you mean 'Administrator', you can replace this user, but somebody is going to have to be able to do what 'Administrator' does.

What the OP is searching for is "delegation".

In AD we can delegate rights to some users or groups. Generally groups receive the delegation and users are put into these groups. "Domain admins" is a group; it contains by default only one user, named "administrator". The "Domain admins" group gives the most powerful role an AD can give to a user. The "Domain admins" role is a bunch of roles; in fact it is almost all roles available in AD grouped into one role.

The possibility to join members to an AD domain is one role among all the others. Delegation is meant to avoid giving the "Domain admins" role to anybody. Delegation is meant to allow some groups to do some tasks, but not all tasks. Delegation is complex as there are a lot of roles in AD. Fortunately it is also well documented for most standard delegations, such as delegating the possibility to join members or the possibility to modify accounts; these are standard tasks for L1 people.

I didn't manage the delegation to join computers to our domain, a colleague did. The tools he used:
- redircmp: change the default container where joined computers are stored.
- netdom: join a machine to the domain using the command line and specifying the destination OU.

Our full solution is:
- delegation: several OUs to store computers. For each of these OUs we delegate the role to join a computer to only one group (one OU = one group).
- users in these groups will use "netdom" to join a computer to our domain. They will specify on the command line the destination OU. Here two cases:
  - the specified OU is the one they got delegation on => they can join the computer in that OU
  - the specified OU is NOT the one they got delegation on => they can't write there, so AD will refuse the join.

Hoping this could help

> How does realm (I think you mean realmd) do this? Can you post a link to something that describes how to?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
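The same join-into-a-delegated-OU step, done the Samba way rather than with netdom, as an added example that is not from the thread or from the Samba project: it assumes Samba's net(8) createcomputer= option (which takes the OU path top-down, '/'-delimited, without "OU=" prefixes) and uses constructed DN and account values.

```shell
#!/bin/sh
# Added example, not from the thread: derive the OU argument for
# "net ads join createcomputer=..." from the LDAP DN of the OU on which
# an AD admin has delegated "create computer objects" rights, then join
# with the delegated account only. Assumes Samba's net(8); the DN and
# user values are constructed samples.

# net(8) wants the OU path top-down and '/'-delimited (e.g. "Servers/Linux"),
# whereas delegation is granted on a DN such as
# "OU=Linux,OU=Servers,DC=example,DC=com" (comma-separated, no spaces).
dn_to_createcomputer() {
    dn="$1"
    out=""
    oldifs="$IFS"
    IFS=','      # split on commas; RDNs arrive most-specific first
    set -f       # no globbing of RDN text
    for rdn in $dn; do
        case "$rdn" in
            [Oo][Uu]=*)
                name="${rdn#*=}"
                # prepend, so the result reads top-down
                if [ -z "$out" ]; then out="$name"; else out="$name/$out"; fi
                ;;
            [Dd][Cc]=*)
                ;;   # domain components are implied by the joined realm
            *)
                set +f; IFS="$oldifs"
                return 1   # CN= or anything else: not a plain OU path
                ;;
        esac
    done
    set +f; IFS="$oldifs"
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Join into the delegated OU. If the account has no rights on that OU,
# AD refuses to create the computer object and net fails: that is the
# least-privilege outcome the thread describes, not a reason to fall
# back to a Domain Admins account.
join_into_delegated_ou() {
    ou_dn="$1"      # e.g. "OU=Linux,OU=Servers,DC=example,DC=com"
    join_user="$2"  # member of the group delegated on that OU
    path=$(dn_to_createcomputer "$ou_dn") || {
        echo "refusing: $ou_dn is not an OU path" >&2
        return 2
    }
    net ads join -U "$join_user" createcomputer="$path" && net ads testjoin
}
```

A join into an OU the account is not delegated on fails at the directory, so a failed `net ads join` here is the check working, not a configuration bug.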