[Samba] Local Administrators (group) and delegation in AD

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 29 08:52:00 UTC 2015


On 29/10/15 08:34, Davor Vusir wrote:
> Hi all!
>
> We have got many delegations in our AD. To add a certain administrator 
> group to the local Administrators group you can use a GPO for 
> Windows servers. As Samba does not understand GPOs, I have initially used 
> the "username map" feature to add a domain account to become root. 
> After the appropriate group is added via the Computer Management MMC by 
> the delegated administrator, the "username map" line is commented out and 
> Samba is restarted. After this procedure the delegated administrators 
> have got proper access to the server. Not using this feature of course 
> renders an access denied error when attempting to add an AD group to the 
> local Administrators group.
>
> If Winbind is disabled you get the well-known SID in the members list in 
> the properties dialog for the local Administrators group instead of 
> the human-readable names (AD\Domain Admins...).
>
> We are using SSSD to retrieve user and group info from AD; therefore 
> the AD backend is commented out in smb.conf.
>
> Do you know of another way of doing this?
>
> Regards
> Davor vusir
>
> Relevant part of smb.conf:
> #  username map = /etc/samba/usermap
>
>   idmap config *:backend = tdb
>   idmap config *:range = 2200000001-2200100000
> #  idmap config AD:backend = ad
> #  idmap config AD:schema_mode = rfc2307
> #  idmap config AD:range = 1000-2200000000
> #  winbind nss info = rfc2307
>
>
> Relevant part of nsswitch.conf:
> passwd:     files sss winbind
> shadow:     files
> group:      files sss winbind
>
>
>

So, you are having problems by not using winbind, and you are asking for 
help with sssd on a samba mailing list. I can think of ways around this, 
but they involve not using sssd. You may get help with this on the sssd 
mailing list.

Rowland
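As an added example (not part of this thread, and not Samba's own tooling or either poster's code), a small POSIX shell helper that scripts the "username map" workaround quoted above: write the usermap file, uncomment the "username map" line in smb.conf so the mapped domain account becomes root, and comment it out again once the delegated group has been added. It also adds the check a practitioner wants afterwards: while the map is active, the mapped domain account is root over SMB, so the helper refuses to report a clean state until the line is commented out again. The usermap path, the account name 'AD\delegated.admin' and the file locations are assumptions; reloading or restarting Samba after each change (the post restarts it) is left to the operator.

```shell
#!/bin/sh
# Added example, not from the thread: script the "username map" workaround
# and check that it was not left enabled. All paths are parameters so the
# functions can be exercised on a scratch copy of smb.conf.

# Write the usermap file. Format per smb.conf(5): "unixname = domainuser".
# The domain account (e.g. 'AD\delegated.admin') is an assumption.
write_usermap() {
    # $1 = usermap path, $2 = domain account to map to root
    printf '%s = %s\n' root "$2" > "$1"
}

# Uncomment the "username map" line so the mapped account becomes root.
# Edits go through a temp file to avoid the non-portable "sed -i".
enable_usermap() {
    # $1 = smb.conf path
    sed 's|^[[:space:]]*[#;][[:space:]]*\(username map[[:space:]]*=\)|\1|' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Comment the line back out once the delegated group has been added.
# Idempotent: an already commented line does not match the pattern.
disable_usermap() {
    # $1 = smb.conf path
    sed 's|^[[:space:]]*\(username map[[:space:]]*=\)|#  \1|' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 (true) if an uncommented "username map" line is present.
# Simplification: matches the spelling "username map" only; smb.conf also
# accepts case and whitespace variants of parameter names.
usermap_active() {
    # $1 = smb.conf path
    grep -q '^[[:space:]]*username map[[:space:]]*=' "$1"
}

# Usage: sh usermap-toggle.sh enable|disable|check /etc/samba/smb.conf
case "${1:-}" in
    enable)  enable_usermap "$2" ;;
    disable) disable_usermap "$2" ;;
    check)
        if usermap_active "$2"; then
            echo "WARNING: username map still active; mapped domain account is root over SMB" >&2
            exit 2
        fi
        echo "username map is disabled" ;;
esac
```

The intended sequence is `enable`, restart or reload Samba, let the delegated administrator add the AD group through Computer Management, then `disable`, restart or reload again, and finish with `check` so that a forgotten map does not survive the change window.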