[Samba] Local Administrators (group) and delegation in AD

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 29 08:52:00 UTC 2015


On 29/10/15 08:34, Davor Vusir wrote:
> Hi all!
>
> We have got many delegations in our AD. To add a certain administrator 
> group to the local Administrators group you can use GPO for 
> Windows servers. As Samba does not understand GPO I have initially used 
> the "username map" feature to add a domain account to become root. 
> After the appropriate group is added via Computer Management MMC by 
> the delegated administrator, the line "username map" is commented and 
> Samba is restarted. After this procedure the delegated administrators 
> have got proper access to the server. Not using this feature of course 
> results in an access denied error when attempting to add an AD group to the 
> local Administrators group.
>
> If Winbind is disabled you get the well known SID in members list in 
> the properties dialog for the local Administrators group instead of 
> the human readable names (AD\Domain Admins...).
>
> We are using SSSD to retrieve user and group info from AD, therefore 
> the AD backend is commented out in smb.conf.
>
> Do you know of another way of doing this?
>
> Regards
> Davor Vusir
>
> Relevant part of smb.conf:
> #  username map = /etc/samba/usermap
>
> idmap config *:backend = tdb
>   idmap config *:range = 2200000001-2200100000
> #  idmap config AD:backend = ad
> #  idmap config AD:schema_mode = rfc2307
> #  idmap config AD:range = 1000-2200000000
> #  winbind nss info = rfc2307
>
>
> Relevant part of nsswitch.conf:
> passwd:     files sss winbind
> shadow:     files
> group:      files sss winbind
>
>
>

So, you are having problems by not using winbind, and you are asking for 
help with sssd on a samba mailing list. I can think of ways around this, 
but they involve not using sssd. You may get help with this on the sssd 
mailing list.

Rowland
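A check for the state the "username map" procedure in the quoted post leaves behind, as an added shell example that is not part of this thread: while that line is active, the mapped domain account is root on every Samba connection, so after the delegation step the line must really be commented out again. The script parses an smb.conf for an active "username map" line and lists which Windows accounts a usermap file maps onto root; the file names and the account AD\delegadmin are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the temporary root mapping
# used for the delegation step is disabled again. Sample files are constructed.
set -eu

# Return 0 (true) if smb.conf has an active (uncommented) "username map" line.
# Samba skips lines starting with '#' or ';' and ignores case/whitespace in keys.
username_map_active() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (line == "" || line ~ /^[#;]/) next
          n = index(line, "="); if (n == 0) next
          key = tolower(substr(line, 1, n - 1)); gsub(/[ \t]/, "", key)
          if (key == "usernamemap") found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Print the Windows accounts a usermap file maps onto root (lines "root = ...";
# a leading "!" only stops further matching in Samba and is ignored here).
root_mappings() {
    awk -F= '
        /^[ \t]*[#;]/ || NF < 2 { next }
        { lhs = $1; sub(/^[ \t!]+/, "", lhs); sub(/[ \t]+$/, "", lhs)
          if (lhs == "root") { rhs = $2; sub(/^[ \t]+/, "", rhs); sub(/[ \t]+$/, "", rhs); print rhs } }
    ' "$1"
}

# Constructed sample files: smb.conf during the delegation step and after it.
tmp=$(mktemp -d)
cat > "$tmp/smb.conf.during" <<'EOF'
[global]
   username map = /etc/samba/usermap
   idmap config *:backend = tdb
EOF
cat > "$tmp/smb.conf.after" <<'EOF'
[global]
#  username map = /etc/samba/usermap
   idmap config *:backend = tdb
EOF
printf '# constructed usermap (hypothetical account)\nroot = AD\\delegadmin\n' > "$tmp/usermap"

for f in "$tmp/smb.conf.during" "$tmp/smb.conf.after"; do
    if username_map_active "$f"; then
        echo "$f: username map ACTIVE, root is mapped to: $(root_mappings "$tmp/usermap")"
    else
        echo "$f: username map disabled"
    fi
done
```

Run it against the real /etc/samba/smb.conf and usermap after the procedure; any output line saying ACTIVE means a domain account is still root for all Samba access.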




More information about the samba-technical mailing list