[Samba] Local Administrators (group) and delegation in AD

mathias dufresne infractory at gmail.com
Thu Oct 29 11:05:07 UTC 2015


Hi Davor,

If I've understood correctly, you want some AD users to be local administrators
of some UNIX machines, not necessarily all your UNIX machines.

I would give these users uidNumber=0 and/or gidNumber=0. In UNIX systems
you can rename "root" as long as you keep UID=0 for it. You can also have
several users sharing the same UID and/or GID.

So, let's say now you have 10 users with uidNumber=0. They are valid users
in AD and valid users in the UNIX context. So you have 10 new root accounts
able to connect to every UNIX box.

I don't know SSSD well, but I expect you can define restrictions about who
can connect to a given system, playing with the local sssd.conf to refuse
login for users in some group or to accept connections only if the user is
in some other group. It seems the "ad_access_filter" option is the one to do
that; this option is described in the sssd-ad man page.

Doing that you will have nominative root accounts in AD and filters to avoid
all your admins being able to log on to all UNIX machines.

Now perhaps I haven't understood your need.

2015-10-29 10:47 GMT+01:00 Davor Vusir <davortvusir at gmail.com>:

> On 2015-10-29 09:52, Rowland Penny wrote:
>
>> On 29/10/15 08:34, Davor Vusir wrote:
>>
>>> Hi all!
>>>
>>> We have got many delegations in our AD. To add a certain administrator
>>> group to the local Administrators group you can use GPO for Windows servers.
>>> As Samba does not understand GPO I have initially used the "username map"
>>> feature to add a domain account to become root. After the appropriate group
>>> is added via the Computer Management MMC by the delegated administrator, the
>>> "username map" line is commented out and Samba is restarted. After this
>>> procedure the delegated administrators have got proper access to the
>>> server. Not using this feature of course renders an access denied error when
>>> attempting to add an AD group to the local Administrators group.
>>>
>>> If Winbind is disabled you get the well-known SID in the members list in the
>>> properties dialog for the local Administrators group instead of the
>>> human-readable names (AD\Domain Admins...).
>>>
>>> We are using SSSD to retrieve user and group info from AD, therefore the
>>> AD backend is commented out in smb.conf.
>>>
>>> Do you know of another way of doing this?
>>>
>>> Regards
>>> Davor Vusir
>>>
>>> Relevant part of smb.conf:
>>> #  username map = /etc/samba/usermap
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2200000001-2200100000
>>> #  idmap config AD:backend = ad
>>> #  idmap config AD:schema_mode = rfc2307
>>> #  idmap config AD:range = 1000-2200000000
>>> #  winbind nss info = rfc2307
>>>
>>>
>>> Relevant part of nsswitch.conf:
>>> passwd:     files sss winbind
>>> shadow:     files
>>> group:      files sss winbind
>>>
>>>
>>>
>>>
>> So, you are having problems by not using winbind and you are asking for
>> help with sssd on a samba mailing list. I can think of ways around this,
>> but they involve not using sssd. You may get help with this on the sssd
>> mailing list.
>>
>> Rowland
>>
>
> No, Rowland. I'm not asking for help with SSSD. It's working quite fine.
> And so is winbind. And both are running fine together. I'm asking if there
> is another way of delegating administrator access to a Samba server. A more
> elegant way than what I have described.
>
> I would be grateful if you could share your thoughts.
>
> /Davor
>
>

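The suggestion above (several AD accounts sharing uidNumber=0, with sssd's ad_access_filter deciding which of them may log on to a given host) makes it worth knowing, on each box, exactly which resolved accounts are root. The following is an added example, not code from the thread or from the Samba/SSSD projects: a small audit that lists every passwd entry with UID 0 or GID 0. On a real host you would pipe `getent passwd` (which, with nsswitch set to `files sss winbind` as in Davor's nsswitch.conf, includes the AD users) into it; the passwd lines embedded here are constructed sample data, and the names alice, bob and carol are placeholders.

```shell
#!/bin/sh
# Added example: find every account that resolves to UID 0 or GID 0.
# Feed it passwd-format lines (name:passwd:uid:gid:gecos:home:shell).
# Real use:  getent passwd | uid0_accounts

# Print "name:uid:gid" for each entry whose uid or gid is 0.
uid0_accounts() {
    awk -F: '$3 == 0 || $4 == 0 { print $1 ":" $3 ":" $4 }'
}

# Number of distinct account names with UID 0, i.e. how many "roots" the
# host currently has once AD accounts with uidNumber=0 are resolved.
count_uid0() {
    awk -F: '$3 == 0 { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample: a local root, a system account, two AD accounts
# given uidNumber=0 (alice, carol) and one ordinary AD account (bob).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:*:0:0:Alice (AD):/home/AD/alice:/bin/bash
bob:*:2200000005:2200000005:Bob (AD):/home/AD/bob:/bin/bash
carol:*:0:100:Carol (AD):/home/AD/carol:/bin/bash'

# Report for the sample data (root, alice and carol are listed).
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
printf 'distinct UID-0 accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | count_uid0)"
```

Running this against `getent passwd` after changing an account's uidNumber in AD, and again after adjusting ad_access_filter, shows whether the host still resolves more root-equivalent accounts than intended; the access filter only limits logins, it does not change what the name service returns.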