[Samba] Local Administrators (group) and delegation in AD

Davor Vusir davortvusir at gmail.com
Thu Oct 29 09:47:11 UTC 2015


On 2015-10-29 09:52, Rowland Penny wrote:
> On 29/10/15 08:34, Davor Vusir wrote:
>> Hi all!
>>
>> We have got many delegations in our AD. To add a certain 
>> administrator group to the local Administrators group you can use a GPO 
>> for Windows servers. As Samba does not understand GPOs I have initially 
>> used the "username map" feature to map a domain account to 
>> root. After the appropriate group is added via the Computer Management 
>> MMC by the delegated administrator, the "username map" line is 
>> commented out and Samba is restarted. After this procedure the delegated 
>> administrators have proper access to the server. Not using this 
>> feature of course renders an access denied error when attempting to add 
>> an AD group to the local Administrators group.
>>
>> If Winbind is disabled you get the well-known SID in the members list in 
>> the properties dialog for the local Administrators group instead of 
>> the human-readable names (AD\Domain Admins...).
>>
>> We are using SSSD to retrieve user and group info from AD, therefore 
>> the AD backend is commented out in smb.conf.
>>
>> Do you know of another way of doing this?
>>
>> Regards
>> Davor Vusir
>>
>> Relevant part of smb.conf:
>> #  username map = /etc/samba/usermap
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2200000001-2200100000
>> #  idmap config AD:backend = ad
>> #  idmap config AD:schema_mode = rfc2307
>> #  idmap config AD:range = 1000-2200000000
>> #  winbind nss info = rfc2307
>>
>>
>> Relevant part of nsswitch.conf:
>> passwd:     files sss winbind
>> shadow:     files
>> group:      files sss winbind
>>
>>
>>
>
> So, you are having problems by not using winbind and you are asking 
> for help with sssd on a samba mailing list. I can think of ways around 
> this, but they involve not using sssd. You may get help with this on 
> the sssd mailing list.
>
> Rowland
>
>
No, Rowland. I'm not asking for help with SSSD. It's working quite fine. 
And so is winbind. And both are running fine together. I'm asking if 
there is another way of delegating administrator access to a 
Samba server. A more elegant way than what I have described.

I would be grateful if you could share your thoughts.

/Davor
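The "username map" workaround described in the first message, scripted as an added example (this is not code from the thread or from the Samba project). It writes the map file, flips the commented `username map` line in smb.conf on and off, and asks smbd to re-read its configuration. The paths default to the ones quoted above; the delegated account name `AD\jdoe` and the `open`/`close`/`status` command names are assumptions. Note that while the map is active the mapped AD account is root over SMB, so the `close` step is the part that matters.

```shell
#!/bin/sh
# Added example, not from the original thread. Automates the procedure:
#   1) map one delegated AD account to root via "username map",
#   2) reload smbd,
#   3) the delegated admin adds the AD group through Computer Management,
#   4) disable the mapping again and reload, so nobody stays mapped to root.
# Paths default to those quoted in the thread; override via environment.
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
USERMAP="${USERMAP:-/etc/samba/usermap}"

# Map file format (smb.conf(5)): "unixname = windowsname ...". With winbind
# the Windows side is written DOMAIN\user. A leading '!' stops processing
# once this line matched, so the account cannot be re-mapped by later lines.
write_usermap() {
    account="$1"    # e.g. 'AD\jdoe' (assumed name)
    printf '!root = %s\n' "$account" > "$USERMAP"
}

# Flip the leading '#' on the "username map" line. The poster keeps the
# line in smb.conf and only comments it out; these do the same with sed,
# writing to a temp file first so a failed edit never truncates smb.conf.
enable_usermap() {
    tmp="$SMB_CONF.tmp.$$"
    sed 's/^[[:space:]]*#[[:space:]]*\(username map[[:space:]]*=.*\)$/\1/' \
        "$SMB_CONF" > "$tmp" && mv "$tmp" "$SMB_CONF"
}

disable_usermap() {
    tmp="$SMB_CONF.tmp.$$"
    sed 's/^[[:space:]]*\(username map[[:space:]]*=.*\)$/#  \1/' \
        "$SMB_CONF" > "$tmp" && mv "$tmp" "$SMB_CONF"
}

# Exit 0 if an uncommented "username map" line is present, 1 otherwise.
usermap_active() {
    grep -Eq '^[[:space:]]*username map[[:space:]]*=' "$SMB_CONF"
}

# Validate the config before loading it: testparm exits non-zero on a
# syntax error, so a broken edit is never pushed to the running smbd.
reload_samba() {
    testparm -s "$SMB_CONF" > /dev/null && smbcontrol smbd reload-config
}

# Command names are an assumption for this example.
case "${1:-}" in
    open)   write_usermap "${2:-AD\\jdoe}"; enable_usermap; reload_samba ;;
    close)  disable_usermap; reload_samba ;;
    status) if usermap_active; then echo "username map ACTIVE"; \
            else echo "username map disabled"; fi ;;
esac
```

Run `sh usermap-toggle.sh open 'AD\jdoe'`, let the delegated administrator add the group in Computer Management, then `sh usermap-toggle.sh close`. `status` shows whether the root mapping was left switched on.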


