John R. Graham
2025-Feb-14 17:14 UTC
[Samba] Reported group membership is different between domain member and Samba ADC
On 2/14/25 11:22, Rowland Penny via samba wrote:
> Well yes, you can do it that way, but there is an easier way.
> There is a group in AD called 'Domain Admins'
> Add any AD users that you want to be domain administrators to that
> group, then, using visudo add this line to the sudo config:
>
> %SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL
>
> Where 'SAMDOM' is your NetBIOS domain name.
>
> Check that your users are members of Domain Admins, you can do this
> with 'getent group domain\ admins'
>
> Now when they log in your domain administrators will be able to use
> sudo.
>
> For extra brownie points, you could store the sudo rules in AD ;-)
>
> Rowland
>
As it turns out, I still have the same issue:

    dc1 ~ # samba-tool group addmembers "Domain Admins" jgraham
    Added members to group Domain Admins
    dc1 ~ # net cache flush
    dc1 ~ # samba-tool group listmembers 'domain admins'
    jgraham
    Administrator

And yet:

    dc1 ~ # id HOME\\jgraham
    uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)

and also, logged in as me instead of root:

    SAMDOM\jgraham at dc1 ~ $ getent group domain\ admins
    SAMDOM\domain admins:x:3000000:

So, for an undiagnosed reason, the effective domain membership does not include "domain admins" either.

- John
Rowland Penny
2025-Feb-14 20:01 UTC
[Samba] Reported group membership is different between domain member and Samba ADC
On Fri, 14 Feb 2025 12:14:18 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 2/14/25 11:22, Rowland Penny via samba wrote:
> > Well yes, you can do it that way, but there is an easier way.
> > There is a group in AD called 'Domain Admins'
> > Add any AD users that you want to be domain administrators to that
> > group, then, using visudo add this line to the sudo config:
> >
> > %SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL
> >
> > Where 'SAMDOM' is your NetBIOS domain name.
> >
> > Check that your users are members of Domain Admins, you can do this
> > with 'getent group domain\ admins'
> >
> > Now when they log in your domain administrators will be able to use
> > sudo.
> >
> > For extra brownie points, you could store the sudo rules in AD ;-)
> >
> > Rowland
> >
> As it turns out, I still have the same issue:
>
>     dc1 ~ # samba-tool group addmembers "Domain Admins" jgraham
>     Added members to group Domain Admins
>     dc1 ~ # net cache flush
>     dc1 ~ # samba-tool group listmembers 'domain admins'
>     jgraham
>     Administrator
>
> And yet:
>
>     dc1 ~ # id HOME\\jgraham
>     uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users)
>     groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)
>
> and also, logged in as me instead of root:
>
>     SAMDOM\jgraham at dc1 ~ $ getent group domain\ admins
>     SAMDOM\domain admins:x:3000000:
>
> So, for an undiagnosed reason, the effective domain membership does
> not include "domain admins" either.
>
> - John

OK, I will diagnose it ;-) Open a terminal on the DC, enter 'man smb.conf', press enter and then go to 'winbind expand groups'. Read that, it will explain why you are not getting any group members.

Rowland
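The thread leaves two things for the reader to check by hand: whether the sudoers rule Rowland gave would actually match the groups `id` reports for the user, and what `winbind expand groups` is set to in smb.conf. The script below is an added example, not code from the thread or from the Samba project. It works entirely on constructed input: the `id` line is copied from John's post, the two smb.conf fragments are made up for the example, and the assumption that an absent `winbind expand groups` means the documented default of 0 (and that 0 is why `getent group` lists no members) should be confirmed against `man smb.conf` on the DC, which is what the reply points to.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the two questions
# the thread raises.  Nothing here queries a live DC.

# Constructed input: the `id` output from the thread (no "domain admins" in it).
ID_OUTPUT='uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)'

# Constructed smb.conf fragments: one leaves "winbind expand groups" unset,
# the other sets it.  Hostnames and realm are made up for the example.
SMBCONF_DEFAULT='[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller'

SMBCONF_EXPANDED='[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller
        winbind expand groups = 1'

# sudoers_group RULE
# Recovers the group a sudoers "%group" rule names, undoing the escaping
# sudoers needs: "\\" for a literal backslash and "\ " for a space.
# "%SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL" -> "SAMDOM\domain admins"
sudoers_group() {
    printf '%s\n' "${1#%}" | awk '{
        out = ""; i = 1
        while (i <= length($0)) {
            c = substr($0, i, 1)
            if (c == "\\") { out = out substr($0, i + 1, 1); i += 2 }   # escaped char, taken literally
            else if (c ~ /[ \t]/) break                                  # end of the group field
            else { out = out c; i++ }
        }
        print out
    }'
}

# user_in_group ID_OUTPUT GROUPNAME
# Prints "yes" if GROUPNAME is among the supplementary groups in ID_OUTPUT,
# "no" otherwise.  The comparison is case-insensitive, as sudo and winbind
# treat group names.  Entries winbind could not resolve to a name (bare GIDs
# such as 3000020 in the thread) can never match a name-based sudoers rule.
user_in_group() {
    id_out=$1
    wanted=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    found=$(printf '%s\n' "${id_out#*groups=}" | tr ',' '\n' | while IFS= read -r entry; do
        case $entry in
            *\(*\)) name=${entry#*\(}; name=${name%\)} ;;   # keep the name inside the parentheses
            *) continue ;;                                  # unnamed GID, skip
        esac
        if [ "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" = "$wanted" ]; then
            echo yes
            break
        fi
    done)
    echo "${found:-no}"
}

# sudo_rule_applies RULE ID_OUTPUT
# Ties the two together: would RULE grant sudo to the user whose `id` output
# is ID_OUTPUT?  Only the group part of the rule is evaluated.
sudo_rule_applies() {
    user_in_group "$2" "$(sudoers_group "$1")"
}

# expand_groups_value SMBCONF_TEXT
# Prints the effective "winbind expand groups" value from SMBCONF_TEXT.
# Assumption (check `man smb.conf`): an absent parameter means the default, 0.
# Whitespace around "=" is tolerated and a later occurrence wins.
expand_groups_value() {
    printf '%s\n' "$1" | awk -F= '
        tolower($1) ~ /^[ \t]*winbind[ \t]+expand[ \t]+groups[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
        }
        END { print (last == "" ? 0 : last) }'
}

RULE='%SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL'
echo "group named by sudo rule:   $(sudoers_group "$RULE")"
echo "jgraham covered by rule:    $(sudo_rule_applies "$RULE" "$ID_OUTPUT")"
echo "expand groups (unset):      $(expand_groups_value "$SMBCONF_DEFAULT")"
echo "expand groups (set to 1):   $(expand_groups_value "$SMBCONF_EXPANDED")"
```

Run against the thread's `id` line the rule resolves to `SAMDOM\domain admins` and the membership check answers "no": the rule is syntactically fine, but sudo can only match a group that winbind hands back by name, and the unnamed GID 3000020 in that output is not one. On a real DC replace `ID_OUTPUT` with `$(id "SAMDOM\\jgraham")` and feed `expand_groups_value` the output of `testparm -s 2>/dev/null`, which prints the effective configuration.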