[Samba] Samba PDC + LDAP: adding user to local admin group
L.P.H. van Belle
belle at bazuin.nl
Fri Oct 10 07:17:12 GMT 2008
hmmm giving users local admin rights, thats not the way to do it.
and makes your network insecure..
Better control this through de domain groups.
this is how i do it.
i create a domain groep, add the users in it, and through loginscript
i create a local group and add the domain group in it.
now on directories/files or in registry i give the local group the needed
rights.
Louis
>-----Oorspronkelijk bericht-----
>Van: samba-bounces+belle=bazuin.nl at lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl at lists.samba.org] Namens
>Gustavo Michels
>Verzonden: donderdag 9 oktober 2008 22:27
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] Samba PDC + LDAP: adding user to local admin group
>
>Hi all,
>
>I'm evaluating Zimbra [1] as the groupware server for my small
>company. It
>uses OpenLDAP for authentication services and I'm configuring
>a Samba server
>as a PDC for my company, using the same ldap backend.
>
>So far, so good, everything is working beautifully well, I can
>add computers
>to the domain, login from any workstation, access shares with the
>appropriate rights and so on. However there's one last thing I
>need: some
>normal domain users need administrative rights on their local machines.
>
>I know I can go into each workstation and add the user to local
>administrators group, however that's not the right way to do
>it. Can I have
>it set on the domain level, so that if the user login on any
>workstation, he
>will be granted the correct local admin rights on that workstation?
>
>Here's what I tried, user 'producao' (id=10003) and group
>'Local Admins'
>(id=10005):
>
># net groupmap list
>Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
>Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
>Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
>Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) ->
>Financeiro
>Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) ->
>Local Admins
>
>Here you can see that 'Local Admins' has the correct RID (544).
>
># getent group |grep Admin
>Admins:*:10002:
>Local Admins:*:10005:10003
>
># getent passwd |grep producao
>producao:*:10003:10003:Produção
>Colortech:/colortech/homes/producao:/bin/false
>
>User 'producao' is a member of 'Local Admins' group
>(secondary, since I read
>that BUILTIN groups cannot be a primary group for a user in a
>windows NT4
>domain).
>
># /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech
>"cn=Local
>Admins"
># extended LDIF
>#
># LDAPv3
># base <> with scope subtree
># filter: cn=Local Admins
># requesting: ALL
>#
>
># Local Admins, groups, colortechdp.com.br
>dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
>gidNumber: 10005
>displayName: Local Admins
>sambaGroupType: 5
>description: Local Admins
>cn: Local Admins
>sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
>memberUid: 10003
>objectClass: posixGroup
>objectClass: sambaGroupMapping
>
>And the information on the LDAP server seems to be correct,
>including the
>sambaGroupType property set to 5, instead of 2.
>
>So, what is wrong in here? Or it isn't possible to do it in the domain
>level?
>
>Thanks
>Gustavo
>
>[1] http://www.zimbra.com
>
More information about the samba
mailing list