[Samba] Samba PDC + LDAP: adding user to local admin group
L.P.H. van Belle
belle at bazuin.nl
Fri Oct 10 07:17:12 GMT 2008
Hmmm, giving users local admin rights, that's not the way to do it,
and it makes your network insecure.
Better control this through the domain groups.
This is how I do it.
I create a domain group, add the users in it, and through loginscript
I create a local group and add the domain group in it.
Now on directories/files or in registry I give the local group the needed
>From: samba-bounces+belle=bazuin.nl at lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl at lists.samba.org] On behalf of
>Sent: Thursday 9 October 2008 22:27
>To: samba at lists.samba.org
>Subject: [Samba] Samba PDC + LDAP: adding user to local admin group
>I'm evaluating Zimbra  as the groupware server for my small
>uses OpenLDAP for authentication services and I'm configuring
>a Samba server
>as a PDC for my company, using the same ldap backend.
>So far, so good, everything is working beautifully well, I can
>to the domain, login from any workstation, access shares with the
>appropriate rights and so on. However there's one last thing I
>normal domain users need administrative rights on their local machines.
>I know I can go into each workstation and add the user to local
>administrators group, however that's not the right way to do
>it. Can I have
>it set on the domain level, so that if the user login on any
>will be granted the correct local admin rights on that workstation?
>Here's what I tried, user 'producao' (id=10003) and group
># net groupmap list
>Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
>Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
>Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
>Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) ->
>Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) ->
>Here you can see that 'Local Admins' has the correct RID (544).
># getent group |grep Admin
># getent passwd |grep producao
>User 'producao' is a member of 'Local Admins' group
>(secondary, since I read
>that BUILTIN groups cannot be a primary group for a user in a
># /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech
># extended LDIF
># base <> with scope subtree
># filter: cn=Local Admins
># requesting: ALL
># Local Admins, groups, colortechdp.com.br
>dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
>displayName: Local Admins
>description: Local Admins
>cn: Local Admins
>And the information on the LDAP server seems to be correct,
>sambaGroupType property set to 5, instead of 2.
>So, what is wrong in here? Or it isn't possible to do it in the domain
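
An added example (not from the thread or the Samba project): a check over `net groupmap list` output that flags any mapping whose RID is a BUILTIN alias RID such as 544 but whose SID sits under a domain SID rather than S-1-5-32, the authority under which Windows defines the local Administrators alias. The first five sample lines are copied from the post above, the last one is constructed, and the function names are hypothetical.

```python
import re

# RIDs that carry their alias meaning only under the BUILTIN authority
# S-1-5-32 (S-1-5-32-544 is the local Administrators alias on Windows).
BUILTIN_PREFIX = "S-1-5-32"
BUILTIN_ALIAS_RIDS = {
    544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
    548: "Account Operators", 549: "Server Operators",
    550: "Print Operators", 551: "Backup Operators", 552: "Replicator",
}

# One mapping per line: "NT name (SID) -> unix group"; the unix side may be
# missing, as in the truncated lines quoted in the post.
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) ->\s*(?P<unix>.*)$")

def parse_groupmap(text):
    """Parse `net groupmap list` output into dicts with the SID split in two."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip prompts, blank lines and anything unparseable
        prefix, _, rid = m["sid"].rpartition("-")
        entries.append({"nt": m["nt"], "domain": prefix, "rid": int(rid),
                        "unix": m["unix"].strip() or None})
    return entries

def misplaced_aliases(entries):
    """Return (nt name, rid, alias) for alias RIDs mapped outside S-1-5-32."""
    return [(e["nt"], e["rid"], BUILTIN_ALIAS_RIDS[e["rid"]])
            for e in entries
            if e["rid"] in BUILTIN_ALIAS_RIDS and e["domain"] != BUILTIN_PREFIX]

# Sample input: five lines from the post, plus one constructed BUILTIN line.
SAMPLE = """\
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) ->
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) ->
Administrators (S-1-5-32-544) -> constructed_unix_group
"""

if __name__ == "__main__":
    for nt, rid, alias in misplaced_aliases(parse_groupmap(SAMPLE)):
        print(f"{nt}: RID {rid} is under a domain SID, not BUILTIN\\{alias}")
```
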