[Samba] Local Administrators (group) and delegation in AD

Davor Vusir davortvusir at gmail.com
Wed Nov 4 19:05:22 UTC 2015

Rowland Penny skrev den 2015-11-04 16:49:
> On 04/11/15 15:09, mathias dufresne wrote:
>> As Davor wants to delegate I expect he does not want to give
>> Administrator password to these persons ;) And using a keytab to
>> avoid giving them the password is not a solution: they would be able
>> to perform everything they want on samba, which is certainly far from
>> the delegation he initially thought...
> Ah, what I posted was the same as what Davor posted, just doing it
> another way. If you run the command on the DC as root, you don't need
> the '-UAdministrator' part. It just adds the group 'Domain Admins' to
> the group 'Administrators'
> Also, if I remember correctly, you still need the Administrator password
> if you do it Davor's way.

In my initial mail I wrote "We have got many _delegations_ in our AD. To 
add a _certain_ administrator group to the local Administrators group 
you can use GPO for Windows servers." (my emphasis).

We've got the uberadmins, the Enterprise and Domain Admins groups. I've 
got such an account. There are of course a lot of ordinary domain user 
accounts. This I also have got. With this I do the ordinary stuff: check 
mail, check the queue in the support system, ... There are also a number 
of administrators that are delegated the right to manage an OU for a 
part of the organization. Let's call them OU-admins. I've got such an 
account as well. With this account I can do certain tasks within the OU 
I'm delegated, like create a sub-OU, a GPO, a user account or even a 
computer account. But I cannot do stuff like the uberadmins, the Domain 
Admins. I can't for instance create a subdomain or a DFS Namespace.

With the Domain Admin account I can delegate certain privileges or do 
the scary stuff, like demoting a domain controller or revoking an 
OU-admin's rights. If I were to log on to a member server with my 
Domain Admin account, on this Enterprise class ship, to add an arbitrary 
group to the server's Administrators group (SERVER\Administrators), 
I would probably be thrown in the brig. Therefore I need to add the 
group in an OU-admin context. If I log on to a Samba server with my 
OU-admin account and try to add a group to SAMBASERVER\Administrators I 
will get access denied. And the reason is that this account isn't a member 
of the Domain Admins group.

I can install, configure and join a Samba server at will to the Windows 
domain in an OU-admin context. But I can't add my or my fellow colleagues' 
OU-admin group to the _Samba server's_ Administrators group. The account 
or group does not need to be/should not be a Linux administrator, just 
a Samba administrator. The only way I've come up with is using the 
username map initially.

Is there another way? The only answer I've got is: No. There isn't.

Hope it's somewhat clearer.


> Rowland