[Samba] Local Administrators (group) and delegation in AD

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 29 11:23:21 UTC 2015


On 29/10/15 09:47, Davor Vusir wrote:
> On 2015-10-29 09:52, Rowland Penny wrote:
>> On 29/10/15 08:34, Davor Vusir wrote:
>>> Hi all!
>>>
>>> We have got many delegations in our AD. To add a certain 
>>> administrator group to the local Administrators group you can use 
>>> GPO for Windows servers. As Samba does not understand GPO I have 
>>> initially used the "username map" feature to add a domain account to 
>>> become root. After the appropriate group is added via Computer 
>>> Management MMC by the delegated administrator, the line "username 
>>> map" is commented out and Samba is restarted. After this procedure the 
>>> delegated administrators have got proper access to the server. Not 
>>> using this feature of course renders an access denied error when 
>>> attempting to add an AD group to the local Administrators group.
>>>
>>> If Winbind is disabled you get the well-known SID in the members list in 
>>> the properties dialog for the local Administrators group instead of 
>>> the human-readable names (AD\Domain Admins...).
>>>
>>> We are using SSSD to retrieve user and group info from AD, therefore 
>>> the AD backend is commented out in smb.conf.
>>>
>>> Do you know of another way of doing this?
>>>
>>> Regards
>>> Davor vusir
>>>
>>> Relevant part of smb.conf:
>>> #  username map = /etc/samba/usermap
>>>
>>>   idmap config *:backend = tdb
>>>   idmap config *:range = 2200000001-2200100000
>>> #  idmap config AD:backend = ad
>>> #  idmap config AD:schema_mode = rfc2307
>>> #  idmap config AD:range = 1000-2200000000
>>> #  winbind nss info = rfc2307
>>>
>>>
>>> Relevant part of nsswitch.conf:
>>> passwd:     files sss winbind
>>> shadow:     files
>>> group:      files sss winbind
>>>
>>>
>>>
>>
>> So, you are having problems by not using winbind and you are asking 
>> for help with sssd on a samba mailing list. I can think of ways 
>> around this, but they involve not using sssd. You may get help with 
>> this on the sssd mailing list.
>>
>> Rowland
>>
>>
> No, Rowland. I'm not asking for help with SSSD. It's working quite 
> fine. And so is winbind. And both are running fine together. I'm 
> asking if there is another way of delegating administrator access to a 
> Samba server. A more elegant way than what I have described.
>
> I would be grateful if you could share your thoughts.
>
> /Davor
>

How about this:

ssh into the DC, either as root or as a user that can use sudo (you can 
use Kerberos, but I am not going into that here)

Create the group:
samba-tool group add unixadmins --gid-number=GID_NUMBER --nis-domain=NIS_DOMAIN

Add the group to Administrators:
samba-tool group addmembers Administrators unixadmins

Add the required users to unixadmins, they should get the same rights as 
if they were directly members of Administrators.
samba-tool group addmembers unixadmins anADuser

Now with setfacl, give the group unixadmins the required permissions on 
the share

Rowland
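
The procedure above, scripted as an added example (it is not code from the thread, from Davor's username-map workaround, or from the Samba project). The samba-tool steps run on the DC; setfacl runs on the file server, where the group name must resolve through NSS first. All concrete names are assumptions for illustration: group "unixadmins", GID 2000000 (inside the AD idmap range that is commented out in the original smb.conf), NIS domain "ad", user "anADuser", share path /srv/share.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Samba itself.
# Assumed names: group "unixadmins", GID 2000000, NIS domain "ad",
# user "anADuser", share path /srv/share.
#
# Usage:   DRY_RUN=1 sh delegate.sh demo   # only print the commands
#          sh delegate.sh demo             # run them for real (as root/sudo)

# run CMD ARGS...: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# delegate_admins GROUP GID NISDOMAIN USER...
# On the DC: create GROUP with a Unix GID, nest it in the built-in
# Administrators group, then add the delegated users to GROUP.
delegate_admins() {
    group=$1 gid=$2 nisdom=$3
    shift 3
    run samba-tool group add "$group" --gid-number="$gid" --nis-domain="$nisdom"
    run samba-tool group addmembers Administrators "$group"
    for u in "$@"; do
        run samba-tool group addmembers "$group" "$u"
    done
}

# grant_share_acl NSSGROUP PATH
# On the file server: rwx on the existing tree, plus a default ACL so files
# created later inherit it. NSSGROUP is whatever name getent resolves
# (unixadmins, AD\unixadmins or unixadmins@ad.example.com, depending on the
# winbind/sssd settings), which is why it is passed separately.
grant_share_acl() {
    group=$1 path=$2
    run setfacl -R -m "g:${group}:rwx" "$path"
    run setfacl -R -m "d:g:${group}:rwx" "$path"
}

# verify_delegation GROUP NSSGROUP PATH
# Show the nesting on the DC, confirm the group resolves on the file server,
# and show the resulting ACL.
verify_delegation() {
    group=$1 nssgroup=$2 path=$3
    run samba-tool group listmembers Administrators
    run samba-tool group listmembers "$group"
    run getent group "$nssgroup"
    run getfacl "$path"
}

if [ "${1:-}" = "demo" ]; then
    delegate_admins unixadmins 2000000 ad anADuser
    grant_share_acl unixadmins /srv/share
    verify_delegation unixadmins unixadmins /srv/share
fi
```

Two caveats worth checking before running this for real. First, membership of the built-in Administrators group in AD is membership of Administrators on the domain controllers, not only on the file server, so the users in unixadmins end up with far more than share administration. Where the goal is only to let a group manage shares and ACLs on a member server, Samba's narrower mechanism is the disk operator privilege, e.g. `net rpc rights grant 'AD\unixadmins' SeDiskOperatorPrivilege -U 'AD\administrator'` on that server, combined with the setfacl step alone. Second, `getent group` must return the group on the file server before setfacl will accept the name; with sssd that also depends on whether it maps IDs itself or reads the gidNumber set by `--gid-number`.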
