[Samba] Samba PDC + LDAP: adding user to local admin group
gustavo.michels at gmail.com
Thu Oct 9 20:27:18 GMT 2008
I'm evaluating Zimbra as the groupware server for my small company. It
uses OpenLDAP for authentication services and I'm configuring a Samba server
as a PDC for my company, using the same ldap backend.
So far, so good, everything is working beautifully well, I can add computers
to the domain, login from any workstation, access shares with the
appropriate rights and so on. However there's one last thing I need: some
normal domain users need administrative rights on their local machines.
I know I can go into each workstation and add the user to local
administrators group, however that's not the right way to do it. Can I have
it set on the domain level, so that if the user logs in on any workstation, he
will be granted the correct local admin rights on that workstation?
Here's what I tried, user 'producao' (id=10003) and group 'Local Admins'
# net groupmap list
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) -> Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins
Here you can see that 'Local Admins' has the correct RID (544).
# getent group |grep Admin
# getent passwd |grep producao
User 'producao' is a member of 'Local Admins' group (secondary, since I read
that BUILTIN groups cannot be a primary group for a user in a Windows NT4
# /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech "cn=Local
# extended LDIF
# base <> with scope subtree
# filter: cn=Local Admins
# requesting: ALL
# Local Admins, groups, colortechdp.com.br
dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
displayName: Local Admins
description: Local Admins
cn: Local Admins
And the information on the LDAP server seems to be correct, including the
sambaGroupType property set to 5, instead of 2.
So, what is wrong in here? Or it isn't possible to do it in the domain
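
An added example, not part of the original post: a Python check over the `net groupmap list` output quoted above. It splits each SID into its prefix and RID and reports mappings that use a well-known BUILTIN alias RID (544 is Administrators) under a SID prefix other than the BUILTIN domain's S-1-5-32. The function names are hypothetical; SAMPLE is the listing copied from the post.

```python
import re

# SID prefix of the BUILTIN domain; BUILTIN\Administrators is S-1-5-32-544.
BUILTIN_PREFIX = "S-1-5-32"
# RIDs of well-known BUILTIN aliases.
BUILTIN_ALIAS_RIDS = {544: "Administrators", 545: "Users",
                      546: "Guests", 547: "Power Users"}

# One mapping per line: "<NT group> (<SID>) -> <unix group>"
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """Parse `net groupmap list` output; split each SID into prefix and RID."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt line, blank line, or anything that is not a mapping
        prefix, _, rid = m["sid"].rpartition("-")
        entries.append({"nt": m["nt"], "unix": m["unix"], "sid": m["sid"],
                        "prefix": prefix, "rid": int(rid)})
    return entries


def alias_rid_outside_builtin(entries):
    """Mappings whose RID is a BUILTIN alias RID but whose SID is not under S-1-5-32."""
    return [e for e in entries
            if e["rid"] in BUILTIN_ALIAS_RIDS and e["prefix"] != BUILTIN_PREFIX]


# Listing copied from the post above.
SAMPLE = """\
# net groupmap list
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) -> Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins
"""

if __name__ == "__main__":
    for e in alias_rid_outside_builtin(parse_groupmap(SAMPLE)):
        print(f"{e['nt']}: RID {e['rid']} ({BUILTIN_ALIAS_RIDS[e['rid']]}) "
              f"under prefix {e['prefix']}, not {BUILTIN_PREFIX}")
```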