[Samba] Local Administrators (group) and delegation in AD
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Oct 29 11:23:21 UTC 2015
On 29/10/15 09:47, Davor Vusir wrote:
> On 2015-10-29 09:52, Rowland Penny wrote:
>> On 29/10/15 08:34, Davor Vusir wrote:
>>> Hi all!
>>>
>>> We have got many delegations in our AD. To add a certain
>>> administrator group to the local Administrators group you can use
>>> GPO for Windows servers. As Samba does not understand GPO, I have
>>> initially used the "username map" feature to add a domain account to
>>> become root. After the appropriate group is added via Computer
>>> Management MMC by the delegated administrator, the "username map"
>>> line is commented out and Samba is restarted. After this procedure the
>>> delegated administrators have got proper access to the server. Not
>>> using this feature of course results in an access denied error when
>>> attempting to add an AD group to the local Administrators group.
>>>
>>> If Winbind is disabled you get the well-known SID in the members list in
>>> the properties dialog for the local Administrators group instead of
>>> the human readable names (AD\Domain Admins...).
>>>
>>> We are using SSSD to retrieve user and group info from AD, therefore
>>> the AD backend is commented out in smb.conf.
>>>
>>> Do you know of another way of doing this?
>>>
>>> Regards
>>> Davor Vusir
>>>
>>> Relevant part of smb.conf:
>>> # username map = /etc/samba/usermap
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2200000001-2200100000
>>> # idmap config AD:backend = ad
>>> # idmap config AD:schema_mode = rfc2307
>>> # idmap config AD:range = 1000-2200000000
>>> # winbind nss info = rfc2307
>>>
>>>
>>> Relevant part of nsswitch.conf:
>>> passwd: files sss winbind
>>> shadow: files
>>> group: files sss winbind
>>>
>>>
>>>
>>
>> So, you are having problems by not using winbind and you are asking
>> for help with sssd on a samba mailing list. I can think of ways
>> around this, but they involve not using sssd. You may get help with
>> this on the sssd mailing list.
>>
>> Rowland
>>
>>
> No, Rowland. I'm not asking for help with SSSD. It's working quite
> fine. And so is winbind. And both are running fine together. I'm
> asking if there is another way of delegating administrator access to a
> Samba server. A more elegant way than what I have described.
>
> I would be grateful if you could share your thoughts.
>
> /Davor
>
How about this:
ssh into the DC, either as root or as a user that can use sudo (you can
use Kerberos, but I am not going into that here).
Create the group:
samba-tool group add unixadmins --gid-number=GID_NUMBER --nis-domain=NIS_DOMAIN
Add the group to Administrators:
samba-tool group addmembers Administrators unixadmins
Add the required users to unixadmins; they should get the same rights as
if they were directly members of Administrators:
samba-tool group addmembers unixadmins anADuser
Now, with setfacl, give the group unixadmins the required permissions on
the share.
Rowland
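The four steps above as a repeatable script, added here as an example and not part of the thread or of Samba itself. It assumes it runs on the DC as root or via sudo, that samba-tool and setfacl are in PATH, and that the group name, GID, NIS domain, share path and user names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): Rowland's steps as a repeatable script.
# Assumes it runs on a Samba AD DC as root or via sudo, that samba-tool and
# setfacl are in PATH, and that all group/user/share names are placeholders.
set -eu

# Echo each command, then run it unless DRY_RUN=1 (handy for change review).
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# delegate_admins GROUP GID NIS_DOMAIN SHARE USER...
# Creates GROUP with a gidNumber (so NSS can resolve it), nests it in
# Administrators, adds the delegated users, and grants it rights on SHARE.
delegate_admins() {
    group="$1"; gid="$2"; nisdomain="$3"; share="$4"; shift 4
    run samba-tool group add "$group" --gid-number="$gid" --nis-domain="$nisdomain"
    # Nesting in Administrators is what confers local admin rights on the
    # Samba server, so GROUP's members deserve the same review as any
    # other privileged group.
    run samba-tool group addmembers Administrators "$group"
    for user in "$@"; do
        run samba-tool group addmembers "$group" "$user"
    done
    # Access ACL for the existing tree plus a default ACL so new files inherit it.
    run setfacl -R -m "g:$group:rwx" "$share"
    run setfacl -R -d -m "g:$group:rwx" "$share"
}

# verify_membership GROUP USER: succeeds if USER's NSS group list (winbind or
# sssd) contains GROUP. With winbind the name carries a DOMAIN\ prefix unless
# "winbind use default domain = yes" is set, so pass the name as NSS shows it.
verify_membership() {
    case " $(id -nG "$2" 2>/dev/null || true) " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: DRY_RUN=1 ./delegate.sh unixadmins 10010 samdom /srv/share alice bob
if [ "$#" -ge 5 ]; then
    delegate_admins "$@"
    group="$1"; shift 4
    for user in "$@"; do
        verify_membership "$group" "$user" || echo "warning: $user is not yet in $group via NSS" >&2
    done
fi
```

Run it once with DRY_RUN=1 to review the exact commands, then without it; a warning from verify_membership after a successful run usually means the group still lacks a gidNumber or the NSS backend has not refreshed its cache yet.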