[Samba] Local Administrators (group) and delegation in AD
davortvusir at gmail.com
Wed Nov 4 19:05:22 UTC 2015
Rowland Penny wrote on 2015-11-04 16:49:
> On 04/11/15 15:09, mathias dufresne wrote:
>> As Davor wants to delegate I expect he does not want to give
>> Administrator password to these persons ;) And using a keytab to
>> avoid giving them the password is not a solution: they would be able
>> to perform everything they want on samba, which is certainly far from
>> the delegation he initially thought...
> Ah, what I posted was the same as what Davor posted, just doing it
> another way. If you run the command on the DC as root, you don't need
> the '-UAdministrator' part. It just adds the group 'Domain Admins' to
> the group 'Administrators'
> Also, if I remember correctly, you still need the Administrator password
> if you do it Davor's way.
In my initial mail I wrote "We have got many _delegations_ in our AD. To
add a _certain_ administrator group to the local Administrators group
you can use GPO for Windows servers." (my emphasis).
We've got the uberadmins, the Enterprise and Domain Admins groups. I've
got such an account. There are of course a lot of ordinary domain user
accounts. This I also have got. With this I do the ordinary stuff: check
mail, check the queue in the support system, ... There are also a number
of administrators that are delegated the right to manage an OU for a
part of the organization. Let's call them OU-admins. I've got such an
account as well. With this account I can do certain tasks within the OU
I'm delegated, like create a sub-OU, GPO, a user account or even a
computer account. But I cannot do stuff like the uberadmins, the Domain
Admins. I can't for instance create a subdomain or a DFS Namespace.
With the Domain Admin account I can delegate certain privileges or do
the scary stuff, like demoting a domain controller or revoking an
OU-admin's rights. If I were to logon to a member server with my
Domain Admin account, on this Enterprise class ship, to add an arbitrary
group to the server's Administrators group (SERVER\Administrators),
I would probably be thrown in the brig. Therefore I need to add the
group in an OU-admin context. If I logon to a Samba server with my
OU-admin account and try to add a group to SAMBASERVER\Administrators I
will get access denied. And the reason is that this account isn't a member
of the Domain Admins group.
I can install, configure and join a Samba server at will to the Windows
domain in an OU-admin context. But I can't add my or my fellow colleagues'
OU-admin group to the _Samba server's_ Administrators group. The account
or group does not need to be/should not be a Linux administrator. Just
Samba administrator. The only way I've come up with is using the
username map initially.
Is there another way? The only answer I've got is: No. There isn't.
Hope it's somewhat clearer.