[Samba] Local Administrators (group) and delegation in AD
Davor Vusir
davortvusir at gmail.com
Thu Oct 29 08:34:55 UTC 2015
Hi all!

We have got many delegations in our AD. To add a certain administrator
group to the local Administrators group you can use GPO for
Windows servers. As Samba does not understand GPO, I have initially used
the "username map" feature to make a domain account become root. After
the appropriate group is added via Computer Management MMC by the
delegated administrator, the line "username map" is commented out and Samba
is restarted. After this procedure the delegated administrators have got
proper access to the server. Not using this feature of course results in an
access denied error when attempting to add an AD group to the local
Administrators group.

If Winbind is disabled you get the well-known SID in the members list in the
properties dialog for the local Administrators group instead of the
human-readable names (AD\Domain Admins...).

We are using SSSD to retrieve user and group info from AD; therefore
the AD backend is commented out in smb.conf.

Do you know of another way of doing this?

Regards
Davor Vusir

Relevant part of smb.conf:

# username map = /etc/samba/usermap
idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
# idmap config AD:backend = ad
# idmap config AD:schema_mode = rfc2307
# idmap config AD:range = 1000-2200000000
# winbind nss info = rfc2307

Relevant part of nsswitch.conf:

passwd: files sss winbind
shadow: files
group: files sss winbind
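
Added example, not part of the original post: a small audit that confirms the temporary root mapping from the procedure above has been withdrawn, by checking whether "username map" is still active in smb.conf and which client names the map file maps to root. The function names, the account names and the map file contents are constructed for illustration; only the smb.conf excerpt is taken from the post.

```python
import re

# smb.conf excerpt from the post (username map already commented out)
SMB_CONF_AFTER = """\
# username map = /etc/samba/usermap
idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
"""
# Constructed: the same file while the procedure is still in progress
SMB_CONF_DURING = "Username Map = /etc/samba/usermap\nidmap config *:backend = tdb\n"
# Constructed map file; the account and group names are hypothetical
USERMAP = '# temporary delegation\n!root = AD\\srvadmin "AD\\Server Admins"\nguest = pcguest\n'

def active_params(smb_conf_text):
    """Return {normalized name: value} for uncommented smb.conf parameters."""
    params = {}
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # smb.conf ignores case and whitespace inside parameter names
        params["".join(name.split()).lower()] = value.strip()
    return params

def root_mappings(usermap_text):
    """Return the client names that a username map file maps to root."""
    clients = []
    for raw in usermap_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = line.lstrip("!").strip()  # '!' only stops further processing
        if "=" not in line:
            continue
        unix_name, names = line.split("=", 1)
        if unix_name.strip() == "root":
            # names are space separated; names containing spaces are quoted
            clients += [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', names)]
    return clients

def audit(smb_conf_text, map_files):
    """map_files is {path: file text}. Return one finding per root mapping."""
    path = active_params(smb_conf_text).get("usernamemap")
    if path is None:
        return []
    return [f"username map {path} is active and maps {n} to root"
            for n in root_mappings(map_files.get(path, ""))]
```

The audit reads the files on disk, so an empty result only reflects the running service once Samba has been restarted, as the post describes.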