[Samba] Samba PDC + LDAP: adding user to local admin group

L.P.H. van Belle belle at bazuin.nl
Fri Oct 10 07:17:12 GMT 2008

hmmm giving users local admin rights, that's not the way to do it,
and makes your network insecure..
Better control this through the domain groups.

This is how I do it.

I create a domain group, add the users in it, and through a login script
I create a local group and add the domain group in it.
Now on directories/files or in the registry I give the local group the needed
>-----Original message-----
>From: samba-bounces+belle=bazuin.nl at lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl at lists.samba.org] On behalf of
>Gustavo Michels
>Sent: Thursday 9 October 2008 22:27
>To: samba at lists.samba.org
>Subject: [Samba] Samba PDC + LDAP: adding user to local admin group
>Hi all,
>
>I'm evaluating Zimbra [1] as the groupware server for my small company. It uses OpenLDAP for authentication services and I'm configuring a Samba server as a PDC for my company, using the same ldap backend.
>
>So far, so good, everything is working beautifully well, I can add computers to the domain, login from any workstation, access shares with the appropriate rights and so on. However there's one last thing I need: some normal domain users need administrative rights on their local machines.
>
>I know I can go into each workstation and add the user to the local administrators group, however that's not the right way to do it. Can I have it set on the domain level, so that if the user logs in on any workstation, he will be granted the correct local admin rights on that workstation?
>
>Here's what I tried, user 'producao' (id=10003) and group 'Local Admins':
># net groupmap list
>Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
>Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
>Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
>Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) -> 
>Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins
>Here you can see that 'Local Admins' has the correct RID (544).
># getent group |grep Admin
>Local Admins:*:10005:10003
># getent passwd |grep producao
>User 'producao' is a member of 'Local Admins' group (secondary, since I read that BUILTIN groups cannot be a primary group for a user in a windows NT4
># /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech 
># extended LDIF
># LDAPv3
># base <> with scope subtree
># filter: cn=Local Admins
># requesting: ALL
># Local Admins, groups, colortechdp.com.br
>dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
>gidNumber: 10005
>displayName: Local Admins
>sambaGroupType: 5
>description: Local Admins
>cn: Local Admins
>sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
>memberUid: 10003
>objectClass: posixGroup
>objectClass: sambaGroupMapping
>And the information on the LDAP server seems to be correct, including the sambaGroupType property set to 5, instead of 2.
>
>So, what is wrong in here? Or it isn't possible to do it in the domain
>[1] http://www.zimbra.com
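The approach described in the reply at the top of this message (a domain group nested in a workstation-local group by the login script, with rights then granted to the local group rather than to users or to Administrators), as an added batch login script that is not from the thread. The domain name MYDOM, the group names and C:\Apps are assumed, as is that the script runs with enough rights on the workstation to manage local groups.

```batch
@echo off
rem Added example, not code from the thread. Assumed names: domain MYDOM,
rem domain group "App Installers", local group "Local App Installers",
rem directory C:\Apps. Assumes the script runs with rights to manage local
rem groups on the workstation (a plain user login script normally cannot).

set DOMAIN=MYDOM
set DOMGROUP=App Installers
set LOCALGROUP=Local App Installers
set TARGETDIR=C:\Apps

rem 1. Create the local group only if it is missing.
rem    "net localgroup <name>" exits non-zero when the group does not exist.
net localgroup "%LOCALGROUP%" >nul 2>&1
if errorlevel 1 (
    net localgroup "%LOCALGROUP%" /add /comment:"Members of %DOMAIN%\%DOMGROUP%"
)

rem 2. Nest the domain group inside the local group. Membership is granted
rem    to the group, never to individual users, so access follows the domain
rem    group kept in LDAP. The error for "already a member" is ignored.
net localgroup "%LOCALGROUP%" "%DOMAIN%\%DOMGROUP%" /add >nul 2>&1

rem 3. Give the local group change (C) rights on the directory instead of
rem    local admin rights. /E edits the existing ACL, /T recurses, /G grants.
if exist "%TARGETDIR%" cacls "%TARGETDIR%" /E /T /G "%LOCALGROUP%":C
```

Removing a user from the domain group in LDAP is then enough to withdraw the access on every workstation, since nothing is granted to the user account itself.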
