[Samba] Local Administrators (group) and delegation in AD
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Oct 29 08:52:00 UTC 2015
On 29/10/15 08:34, Davor Vusir wrote:
> Hi all!
>
> We have got many delegations in our AD. To add a certain administrator
> group to the local Administrators group you can use a GPO for
> Windows servers. As Samba does not understand GPOs, I have initially used
> the "username map" feature to map a domain account to root.
> After the appropriate group is added via the Computer Management MMC by
> the delegated administrator, the "username map" line is commented out and
> Samba is restarted. After this procedure the delegated administrators
> have proper access to the server. Not using this feature of course
> produces an access denied error when attempting to add an AD group to the
> local Administrators group.
>
> If Winbind is disabled you get the well-known SID in the members list in
> the properties dialog for the local Administrators group instead of
> the human-readable names (AD\Domain Admins...).
>
> We are using SSSD to retrieve user and group info from AD; therefore
> the AD backend is commented out in smb.conf.
>
> Do you know of another way of doing this?
>
> Regards
> Davor Vusir
>
> Relevant part of smb.conf:
> # username map = /etc/samba/usermap
>
> idmap config *:backend = tdb
> idmap config *:range = 2200000001-2200100000
> # idmap config AD:backend = ad
> # idmap config AD:schema_mode = rfc2307
> # idmap config AD:range = 1000-2200000000
> # winbind nss info = rfc2307
>
>
> Relevant part of nsswitch.conf:
> passwd: files sss winbind
> shadow: files
> group: files sss winbind
>
>
>
So, you are having problems by not using winbind, and you are asking for
help with sssd on a Samba mailing list. I can think of ways around this,
but they involve not using sssd. You may get help with this on the sssd
mailing list.
Rowland
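As an added illustration (not part of this thread or of Samba itself), a small Python audit that flags the state the procedure above leaves behind if the clean-up step is forgotten: an active `username map` whose file maps domain principals to root, and no `idmap config <DOMAIN>:backend = ad` in effect. The smb.conf and map-file contents are constructed samples, not from a real host.

```python
# Audit an smb.conf and its 'username map' file for domain principals
# that become root. Constructed example: sample input, not a real host.

# Constructed sample smb.conf: the 'username map' line is still active,
# i.e. commenting it out and restarting Samba after delegation was missed.
SMB_CONF = """
[global]
    username map = /etc/samba/usermap
    idmap config *:backend = tdb
    idmap config *:range = 2200000001-2200100000
    # idmap config AD:backend = ad
"""

# Constructed sample map file: 'unixname = domain principals...' per line;
# a leading '!' only stops further matching, '@' names a group.
USERMAP = """
# temporary delegation, remove after use
!root = AD\\davor
root = @AD\\servopers
nobody = guest
"""

def active_settings(conf: str) -> dict:
    """Return the uncommented key/value pairs, keys lower-cased."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        settings[" ".join(key.lower().split())] = value.strip()
    return settings

def root_mappings(usermap: str) -> list:
    """Return every domain principal the map file turns into root."""
    principals = []
    for line in usermap.splitlines():
        line = line.strip().lstrip("!")
        if not line or line[0] in "#;":
            continue
        unix, _, rhs = line.partition("=")
        if unix.strip() == "root":
            principals.extend(rhs.split())
    return principals

def audit(conf: str, usermap: str) -> list:
    """Findings: live root mappings, and no AD idmap backend active."""
    findings, s = [], active_settings(conf)
    if "username map" in s:
        findings += [f"{p} is mapped to root via {s['username map']}"
                     for p in root_mappings(usermap)]
    if not any(k.endswith(":backend") and v == "ad" for k, v in s.items()):
        findings.append("no 'idmap config <DOMAIN>:backend = ad' is active")
    return findings
```

Once the `username map` line is commented out again, `active_settings` no longer sees it and the root findings disappear, which is the state the procedure is meant to end in.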