[Samba] linux server a memeber of AD (with use of realm) - and samba?

mathias dufresne infractory at gmail.com
Mon May 23 12:14:34 UTC 2016

2016-05-19 19:06 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 19/05/16 17:37, lejeczek wrote:
>> On 19/05/16 16:49, Rowland penny wrote:
>>> On 19/05/16 15:50, lejeczek wrote:
>>>> fellow users
>>>> I'd like to ask whether it is possible, and if yes what the correct way to
>>>> configure it is, to have local Samba (where the box has joined AD with realm) use
>>>> that membership in a way that gives it the users from the AD user catalog.
>>>> I guess what I'm thinking is - how do I get those AD users that Linux,
>>>> now being a member, sees, into Samba, without winbinding & the whole full AD
>>>> config? Kind of a: AD<=linux.SSSD=>linux.samba <= AD users access samba
>>>> Go easy on me, I've never done samba+AD.
>>>> many thanks,
>>>> L.
>>> If you want to use Linux + Samba + sssd with an AD domain, you are
>>> asking in the wrong place, try the sssd users mailing list.
>>> If however you want to use Samba with an AD domain, see here:
>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>> Rowland
>> thanks Rowland
>> I'll do, check with the sssd people.
>> Last one - is it possible to join AD Samba's way while one has only
>> admin/management control over an OU in the AD domain and has NO Domain Admin
>> access?
>> I see realm does it, but I wonder if Samba can do it too.
> Anything is possible I suppose, but why ?
> If by 'Domain Admin' you mean 'Administrator', you can replace this user,
> but somebody is going to have to be able to do what 'Administrator' does.
What the OP is searching for is "delegation".
In AD we can delegate rights to some users or groups. Generally groups
receive the delegation and users are put into these groups.

"Domain admins" is a group; by default it contains only one user, named
"administrator". The "Domain admins" group gives the most powerful role an AD
can give to a user.
The "Domain admins" role is a bunch of roles; in fact it is almost all the
roles available in AD grouped into one role.

The possibility to join members to AD domain is one role among all others.

Delegation is meant to avoid giving the "Domain admins" role to anybody.
Delegation is meant to allow some groups to do some tasks, but not all.

Delegation is complex, as there are a lot of roles in AD. Fortunately it is
also well documented for most standard delegations, such as delegating the
possibility to join members or the possibility to modify accounts; these
are standard tasks for L1 people.

I didn't manage the delegation to join computers to our domain, a
colleague did. The tools he used:
- redircmp: change the default container where joined computers are stored.
- netdom: join a machine to the domain using the command line and specifying
the destination OU.

Our full solution is:
- delegation: several OUs to store computers. For each of these OUs we
delegate the role to join a computer to only one group (one OU = one group).
- users in these groups use "netdom" to join a computer to our domain.
They specify the destination OU on the command line.

There are two cases:
- the specified OU is the one they have delegation for => they can join the
computer in that OU
- the specified OU is NOT the one they have delegation for => they can't write
there, so AD will refuse the join.

Hoping this could help

> How does realm (I think you mean realmd) do this, can you post a link to
> something that describes how to.
> Rowland

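As an added example (not from the thread or from Samba), the check an administrator would run to verify the per-OU delegation described above: list which principals hold "Create Child" on computer objects in a given OU. It assumes the RSAT ActiveDirectory module and uses a placeholder OU distinguished name.

```powershell
# Added example, not part of the original message. Audits the "join computers
# into this OU" delegation: which Allow ACEs on the OU grant CreateChild for
# computer objects (or for all object classes, which is broader than intended).
# Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# schemaIDGUID of the 'computer' object class in the AD schema
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# Placeholder OU; replace with one of the delegated computer OUs
$ouDn = 'OU=Workstations,DC=example,DC=com'

function Get-ComputerJoinDelegation {
    param([string]$OuDistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
        # ObjectType = computer class GUID: scoped to computer objects.
        # ObjectType = empty GUID: CreateChild for ANY class, so flag it too.
        ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [Guid]::Empty)
    } | Select-Object IdentityReference, IsInherited,
        @{ Name = 'Scope'; Expression = {
            if ($_.ObjectType -eq $computerClassGuid) { 'computer objects only' }
            else { 'ALL object classes (over-broad)' } } }
}

# Expected result for the scheme in the thread: exactly one non-inherited
# group per OU with scope 'computer objects only'.
Get-ComputerJoinDelegation -OuDistinguishedName $ouDn | Format-Table -AutoSize
```

Anything listed with "ALL object classes" or an unexpected identity is a delegation that goes beyond "join computers into this OU" and should be reviewed.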