[Samba] Reported group membership is different between domain member and Samba ADC
John R. Graham
john at graham-family.org
Fri Feb 14 17:14:18 UTC 2025
On 2/14/25 11:22, Rowland Penny via samba wrote:
> Well yes, you can do it that way, but there is an easier way.
> There is a group in AD called 'Domain Admins'
> Add any AD users that you want to be domain administrators to that
> group, then, using visudo add this line to the sudo config:
>
> %SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL
>
> Where 'SAMDOM' is your NetBIOS domain name.
>
> Check that your users are members of Domain Admins, you can do this
> with 'getent group domain\ admins'
>
> Now when they log in your domain administrators will be able to use
> sudo.
>
> For extra brownie points, you could store the sudo rules in AD ;-)
>
> Rowland
>
As it turns out, I still have the same issue:

dc1 ~ # samba-tool group addmembers "Domain Admins" jgraham
Added members to group Domain Admins
dc1 ~ # net cache flush
dc1 ~ # samba-tool group listmembers 'domain admins'
jgraham
Administrator

And yet:

dc1 ~ # id HOME\\jgraham
uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users)
groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)

and also, logged in as me instead of root:

SAMDOM\jgraham at dc1 ~ $ getent group domain\ admins
SAMDOM\domain admins:x:3000000:

So, for an undiagnosed reason, the effective domain membership does not
include "domain admins" either.
- John
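An added diagnostic script (not from the thread or from Samba) that compares the two views discussed above: the supplementary groups a session actually carries, as printed by `id`, and what the name service reports via `getent group`. It works on constructed sample lines embedded in the script, shaped like the output above; a `%group` sudoers rule can only match a group that appears in the session's `groups=` list, so that list is what the check inspects.

```shell
#!/bin/sh
# Constructed sample input in the shape shown in the thread: the gid 3000020
# carries no name (an id->name lookup that did not resolve).
SAMPLE_ID='uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)'
SAMPLE_GETENT='SAMDOM\domain admins:x:3000000:'

# Print the groups= list of an `id` line, one entry per line.
id_groups() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n'
}

# Exit 0 if the named group appears (case-insensitively) in the groups= list.
# The name is matched as a fixed string, so the backslash in SAMDOM\... is literal.
has_group() {
    id_groups "$1" | grep -qiF "($2)"
}

# Print gids in the groups= list that carry no name: a name-based sudoers
# rule such as %SAMDOM\\domain\ admins cannot match these.
unresolved_gids() {
    id_groups "$1" | grep -v '(' || true
}

# Print the member field (4th) of a `getent group` line.
getent_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Combine both views for one group: returns 0 when the session carries it,
# 1 otherwise, and says which side disagrees.
diagnose() {
    id_line=$1; getent_line=$2; group=$3
    if has_group "$id_line" "$group"; then
        printf "OK: session carries '%s'; a %%group sudoers rule will match\n" "$group"
        return 0
    fi
    if [ -z "$(getent_members "$getent_line")" ]; then
        printf "MISSING: '%s' not in session, and getent lists no members\n" "$group"
    else
        printf "MISSING: '%s' not in session although getent lists members\n" "$group"
    fi
    unresolved=$(unresolved_gids "$id_line")
    [ -n "$unresolved" ] && printf 'Unresolved gids in session: %s\n' "$unresolved"
    return 1
}

# Run against the constructed samples (reports MISSING for domain admins).
diagnose "$SAMPLE_ID" "$SAMPLE_GETENT" 'SAMDOM\domain admins' || :
```

On a real member or DC, feed it `"$(id "$user")"` and `"$(getent group "$group")"` instead of the sample strings.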