[Samba] Administrative users on domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jul 17 12:53:15 MDT 2013


On 07/17/13 14:32, Donny Brooks wrote:
>   
>   
>   
> On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>   
>> According to the net man page
>>
>>
>>          In order for Samba to be joined or unjoined remotely an account
>>          must be used that is either member of the Domain Admins group, a
>>          member of the local Administrators group or a user that is granted
>>          the SeMachineAccountPrivilege privilege.
>>
>>
>>
>>
>> The simplest thing is probably to have the Domain IT group be a member
>> of the local admin group on each machine.  I don't know if you would
>> need to grant them the SeMachineAccountPrivilege.
>>
>>
>>
>> On 07/17/13 09:44, Donny Brooks wrote:
>>>    
>>>
>>>    
>>> On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld <samba at marc-muehlfeld.de> wrote:
>>>    
>>>> Hello Donny,
>>>>
>>>> Am 12.07.2013 21:34, schrieb Donny Brooks:
>>>>> On the old domain, which was setup before I got here,
>>>>    > our IT section was in an ldap group that allowed us to
>>>>    > join PC's to the domain ...
>>>>
>>>> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
>>>>
>>>>
>>>>
>>>>
>>>>    > ... and when the prompt came up in windows to
>>>>    > install software we could log in as ourselves.
>>>>
>>>> What do you mean by this? Do you want to have a group of users
>>>> automatically in the "administrator" group on your workstations?
>>>>
>>>> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
>>>>
>>>> If you mean something else, please give some more details.
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>>>
>>>>
>>>>
>>>>
>>>    
>>> Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.
>>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>   
> Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
>
> And map our itgroup to the Domain Admins group. Although we do have a Domain Admins group in ldap. Should that cause an issue?

Group mapping is to make sure Windows groups map to the correct unix 
group.  This is not like mapping a Windows user name to a different 
unix user name (e.g. Windows Administrator = Unix root).

With LDAP, group mapping is usually simpler since the LDAP object for a 
group usually has the Samba SID and the unix group id.  The "net 
groupmap list" command is useful for validating this.  You want to make 
sure that you do see group mapping for "Domain Admins" and "Domain 
Users" and other well known groups.  You are more likely to have to use 
the "net groupmap add" command when you don't have LDAP.


Well known groups have specific relative IDs.  The domain admin 
group HAS to have a relative ID of 512 in the SID.  You have to make 
sure the Administrator is in the group.  That behavior changes with 
versions newer than 3.0.x.




# net groupmap list
....
Domain Admins (S-1-5-21-xxxx-xxxxx-xxxxx-512) -> Domain Admins
...
# getent group "Domain Admins"
Domain Admins::512:Administrator
#


I don't think you have a Samba issue.  I think you have a general 
"Windows" issue about the most practical way to provide the IT group with 
sufficient privileges to manage computers without giving too much access.


Depending on the size of your IT department, and the necessity to 
audit/control who makes what change, each IT user may need two accounts, 
one that is a regular account and one that is a member of the Domain 
Admins and local admins groups (e.g. donny and donny_admin).  This 
way they can do whatever they need, but they don't run as admin for 
routine tasks, and you can track who made what change (if need be) or 
limit who has full admin rights.
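The two checks suggested in the reply above (that "net groupmap list" shows the well-known groups with the RIDs Windows expects, and that "getent group" shows Administrator as a member of Domain Admins) can be scripted. The script below is an added example, not code from the thread or from Samba; it runs offline against constructed sample output, so the domain SID S-1-5-21-1111-2222-3333, the group "itgroup" and the member "donny_admin" are made up. The "broken" sample models a mapping created without rid=512, which Samba would then give an ordinary allocated RID. The "net groupmap add ... rid=512 type=d" form in the MISSING message follows the groupmapping chapter of the Samba HOWTO Collection linked earlier in the thread.

```bash
#!/bin/sh
# Added example (not from the thread or from Samba): verify the well-known
# Samba domain groups carry the RIDs Windows expects, and that Administrator
# is a member of Domain Admins.
#
# On a real PDC:   net groupmap list | check_well_known_rids
#                  has_member "$(getent group 'Domain Admins')" Administrator
# Here constructed samples stand in for the live commands (SID is made up).

SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111-2222-3333-512) -> Domain Admins
Domain Users (S-1-5-21-1111-2222-3333-513) -> Domain Users
Domain Guests (S-1-5-21-1111-2222-3333-514) -> Domain Guests
itgroup (S-1-5-21-1111-2222-3333-3001) -> itgroup'

# Hypothetical broken setup: "Domain Admins" was added with
# "net groupmap add" but without rid=512, so it got an allocated RID, and
# "Domain Guests" was never mapped at all.
SAMPLE_BROKEN='Domain Admins (S-1-5-21-1111-2222-3333-3000) -> itgroup
Domain Users (S-1-5-21-1111-2222-3333-513) -> Domain Users'

# Constructed "getent group" line (name:passwd:gid:member1,member2,...).
SAMPLE_GETENT='Domain Admins::512:Administrator,donny_admin'

# rid_of NAME: read "net groupmap list" output from stdin and print the RID
# (last SID component) mapped to the Windows group NAME; prints nothing if
# the group has no mapping.
rid_of() {
    # input lines look like:  Domain Admins (S-1-5-21-...-512) -> unixgroup
    sed -n "s/^$1 (S-1-5-21-[0-9-]*-\([0-9][0-9]*\)) -> .*/\1/p"
}

# check_well_known_rids: read "net groupmap list" output from stdin and
# verify the RIDs of the well-known groups (512/513/514).  Prints one line
# per group; returns 0 only if every mapping is present and correct.
check_well_known_rids() {
    input=$(cat)
    status=0
    for spec in "Domain Admins:512" "Domain Users:513" "Domain Guests:514"; do
        name=${spec%:*}
        want=${spec##*:}
        got=$(printf '%s\n' "$input" | rid_of "$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name -> RID $got"
        elif [ -z "$got" ]; then
            echo "MISSING  $name has no mapping (without LDAP:" \
                 "net groupmap add ntgroup=\"$name\" unixgroup=<unixgroup> rid=$want type=d)"
            status=1
        else
            echo "WRONG    $name has RID $got, expected $want"
            status=1
        fi
    done
    return $status
}

# has_member GETENT_LINE USER: true if USER appears in the member field of a
# "getent group" line, i.e. the text after the last colon, comma separated.
has_member() {
    members=${1##*:}
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

echo "--- constructed good mapping ---"
printf '%s\n' "$SAMPLE_GROUPMAP" | check_well_known_rids

echo "--- constructed broken mapping ---"
printf '%s\n' "$SAMPLE_BROKEN" | check_well_known_rids \
    || echo "fix the mappings above before relying on Domain Admins"

echo "--- membership check ---"
if has_member "$SAMPLE_GETENT" Administrator; then
    echo "Administrator is in Domain Admins"
else
    echo "Administrator is NOT in Domain Admins"
fi
```

On a live box replace the two constructed samples with the real commands ("net groupmap list" and "getent group 'Domain Admins'"); the RID check only looks at the last SID component, so it works for any domain SID, and a non-zero exit from check_well_known_rids is the signal that a "net groupmap add" (or an LDAP fix of the sambaSID attribute) is needed before Domain Admins will behave as Windows expects.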