Hi all,

I'm evaluating Zimbra [1] as the groupware server for my small company. It
uses OpenLDAP for authentication services and I'm configuring a Samba server
as a PDC for my company, using the same LDAP backend.

So far, so good: everything is working beautifully well. I can add computers
to the domain, log in from any workstation, access shares with the
appropriate rights and so on. However, there's one last thing I need: some
normal domain users need administrative rights on their local machines.

I know I can go into each workstation and add the user to the local
administrators group; however, that's not the right way to do it. Can I have
it set on the domain level, so that if the user logs in on any workstation, he
will be granted the correct local admin rights on that workstation?

Here's what I tried, user 'producao' (id=10003) and group 'Local Admins'

# net groupmap list
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) -> Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins

Here you can see that 'Local Admins' has the correct RID (544).

# getent group |grep Admin
Local Admins:*:10005:10003

# getent passwd |grep producao

User 'producao' is a member of 'Local Admins' group (secondary, since I read
that BUILTIN groups cannot be a primary group for a user in a Windows NT4

# /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech "cn=Local
# extended LDIF
# LDAPv3
# base <> with scope subtree
# filter: cn=Local Admins
# requesting: ALL

# Local Admins, groups, colortechdp.com.br
dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
gidNumber: 10005
displayName: Local Admins
sambaGroupType: 5
description: Local Admins
cn: Local Admins
sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
memberUid: 10003
objectClass: posixGroup
objectClass: sambaGroupMapping

And the information on the LDAP server seems to be correct, including the
sambaGroupType property set to 5, instead of 2.

So, what is wrong here? Or isn't it possible to do it in the domain


[1] http://www.zimbra.com
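
An added example, not part of the original message: it parses the `net groupmap list` output quoted above and splits each SID into its prefix and RID, so a mapping's full SID can be compared with the well-known BUILTIN\Administrators SID S-1-5-32-544 that Windows machines use for their local Administrators alias. The function names are chosen for this example only.

```python
import re

# Well-known SID of the BUILTIN\Administrators alias on Windows machines.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# Lines copied from the `net groupmap list` output in the message above.
GROUPMAP = """\
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) -> Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins
"""

LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1(?:-\d+)+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """Return one dict per mapping: NT name, Unix group, SID prefix, RID, scope."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a mapping
        prefix, _, rid = m["sid"].rpartition("-")
        if prefix == "S-1-5-32":
            scope = "builtin"   # BUILTIN authority, identical on every machine
        elif prefix.startswith("S-1-5-21-"):
            scope = "domain"    # SID issued under a domain or machine SID
        else:
            scope = "other"
        entries.append({"nt": m["nt"], "unix": m["unix"], "sid": m["sid"],
                        "prefix": prefix, "rid": int(rid), "scope": scope})
    return entries


def same_rid_as_builtin_admins(entries):
    """NT names whose RID is 544 but whose full SID is not S-1-5-32-544."""
    rid = int(BUILTIN_ADMINISTRATORS.rpartition("-")[2])
    return [e["nt"] for e in entries
            if e["rid"] == rid and e["sid"] != BUILTIN_ADMINISTRATORS]


if __name__ == "__main__":
    rows = parse_groupmap(GROUPMAP)
    for e in rows:
        print(f'{e["nt"]:<14} {e["scope"]:<8} {e["prefix"]}  RID={e["rid"]}')
    print("RID 544 outside S-1-5-32:", same_rid_as_builtin_admins(rows))
```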

