[Samba] linux server a member of AD (with use of realm) - and samba?

lejeczek peljasz at yahoo.co.uk
Tue Jun 7 10:14:42 UTC 2016



On 23/05/16 13:14, mathias dufresne wrote:
> 2016-05-19 19:06 GMT+02:00 Rowland penny <rpenny at samba.org>:
>
>> On 19/05/16 17:37, lejeczek wrote:
>>
>>>
>>> On 19/05/16 16:49, Rowland penny wrote:
>>>
>>>> On 19/05/16 15:50, lejeczek wrote:
>>>>
>>>>> fellow users
>>>>>
>>>>> I'd like to ask is it possible, and if yes what's the correct way to
>>>>> configure, to have local samba (where box has joined AD with realm) use
>>>>> that membership in a way to have users from AD user catalog.
>>>>> I guess what I'm thinking is - how do I get those AD users that linux,
>>>>> now being a member, sees, to samba and without winbind & whole full AD
>>>>> config? Kind of a: AD<=linux.SSSD=>linux.samba <= AD users access samba
>>>>>
>>>>> go easy on me, I've never done samba+AD
>>>>> many thanks,
>>>>> L.
>>>>>
>>>>>
>>>>>
>>>> If you want to use Linux + Samba + sssd with an AD domain, you are
>>>> asking in the wrong place, try the sssd users mailing list.
>>>>
>>>> If however you want to use Samba with an AD domain, see here:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>
>>>> Rowland
>>>>
>>> thanks Rowland
>>> I'll do, check with sssd people,
>>> last one - is it possible to join AD samba's way while one has only
>>> admin/management control over an OU in AD domain and has NO Domain Admin
>>> access?
>>> I see realm does it but I wonder if Samba too can do it.
>>>
>>>
>>>
>> Anything is possible I suppose, but why ?
>> If by 'Domain Admin' you mean 'Administrator', you can replace this user,
>> but somebody is going to have to be able to do what 'Administrator' does.
>>
>> What the OP is searching for is "delegation".
> In AD we can delegate rights to some users or groups. Generally groups
> receive delegation and users are put into these groups.
>
> "Domain admins" is a group, it contains by default only one user, named
> "administrator". The "Domain admins" group gives the most powerful role an AD
> can give to a user.
> The "Domain admins" role is a bunch of roles, in fact it is almost all
> roles available in AD grouped into one role.
>
> The possibility to join members to AD domain is one role among all others.
>
> Delegation is meant to avoid giving the "Domain admins" role to anybody.
> Delegation is meant to allow some groups to do some tasks, but not all
> tasks.
>
> Delegation is complex as there are a lot of roles in AD. Fortunately it is
> also well documented for most standard delegations, such as delegating the
> possibility to join members or the possibility to modify accounts; these
> are standard tasks for L1 people.
>
> I didn't manage the delegation to join computers to our domain, a
> colleague did. The tools he used:
> - redircmp: change the default container where joined computers are stored.
> - netdom: join a machine to the domain using the command line and specifying
> the destination OU.
>
> Our full solution is:
> - delegation: several OUs to store computers. For each of these OUs we
> delegate the role to join a computer to only one group (one OU = one group).
> - users in these groups will use "netdom" to join a computer to our domain.
> They will specify the destination OU on the command line.
>
> Here are two cases:
> - the specified OU is the one they got delegation for => they can join the
> computer in that OU
> - the specified OU is NOT the one they got delegation for => they can't write
> there so AD will refuse the join.
>
> Hoping this could help
>
hi, yes, thanks, just to share with those thinking/trying 
this - yes, one can join a linux box to AD having access to 
an account that's been delegated to manage an OU, actually 
pretty easily with regular tools without special tampering 
- without being an AD admin.
>
>> How does realm (I think you mean realmd) do this, can you post a link to
>> something that describes how to.
>>
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
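The one-OU-one-group delegation mathias describes, as an added example that is not code from the thread: the rights are granted with dsacls on an OU, a delegated user then runs the netdom join naming that OU, and the placement of the resulting computer object is checked. Domain, OU, group and user names are assumed placeholders; the last step assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread. Placeholder names: domain example.com /
# EXAMPLE, OU "OU=Linux,OU=Servers,DC=example,DC=com", group EXAMPLE\Linux-Joiners,
# delegated user EXAMPLE\alice. Steps 1-2 are run once by a domain admin;
# step 3 is what the delegated user runs on the machine being joined.
$OuDn  = 'OU=Linux,OU=Servers,DC=example,DC=com'
$Group = 'EXAMPLE\Linux-Joiners'

# 1. On the OU itself (/I:T = this object and sub-objects): let the group create
#    and delete computer objects, and nothing else. This is the "one OU = one
#    group" part: the group can write here, and only here.
dsacls $OuDn /I:T /G "${Group}:CCDC;computer"

# 2. On the computer objects under it only (/I:S = sub-objects only): the extra
#    rights a join needs to finish (set the machine password, write account
#    restrictions, validated writes to dNSHostName and servicePrincipalName).
dsacls $OuDn /I:S /G "${Group}:CA;Reset Password;computer"
dsacls $OuDn /I:S /G "${Group}:WP;Account Restrictions;computer"
dsacls $OuDn /I:S /G "${Group}:WS;Validated write to DNS host name;computer"
dsacls $OuDn /I:S /G "${Group}:WS;Validated write to service principal name;computer"

# Audit: list what is delegated on the OU. A group you did not expect holding
# create-child rights for computers here is worth investigating.
dsacls $OuDn | Select-String -Pattern 'Linux-Joiners'

# 3. The delegated user joins, naming the destination OU explicitly. Against an
#    OU the group was not delegated on, AD refuses the create and netdom fails.
#    The OU argument is quoted because its commas would otherwise be split by
#    PowerShell into separate arguments.
netdom join $env:COMPUTERNAME /domain:example.com "/OU:$OuDn" "/userd:EXAMPLE\alice" /passwordd:*
if ($LASTEXITCODE -ne 0) { throw "join refused (no delegation on $OuDn?)" }

# 4. Verify the computer object landed under the intended OU and nowhere else.
$dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
if ($dn -notlike "*,$OuDn") { throw "computer object is at $dn, not under $OuDn" }
```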



