On Fri, Oct 30, 2015 at 11:45:00AM +0100, Davor Vusir wrote:
On 2015-10-29 12:02, Sumit Bose wrote:
On Thu, Oct 29, 2015 at 09:43:41AM +0100, Davor Vusir wrote:
Hi all!
We have got many delegations in our AD. To add a certain administrator group to the local Administrators group you can use GPO for Windows servers. As Samba does not understand GPO, I have initially used the "username map" feature to add a domain account to become root. After the appropriate group is added via Computer Management MMC by the delegated administrator, the line "username map" is commented out and Samba is restarted. After this procedure the delegated administrators have got proper access to the server. Not using this feature of course renders an access denied error when attempting to add an AD group to the local Administrators group.
If Winbind is disabled you get the well-known SID in the members list in the properties dialog for the local Administrators group instead of the human-readable names (AD\Domain Admins...).
Maybe SSSD's version of libwbclient might help here. It is available on Fedora/RHEL in the sssd-libwbclient package. It might be necessary to use the alternatives tool to switch from the Samba version of the library to SSSD's version.
Please note that SSSD's libwbclient does not implement the complete API of libwbclient, so it might not fix all your needs.
HTH
bye, Sumit
Hi Sumit!
Unfortunately it doesn't:
[root@ct-srv001-t ~]# net groupmap list -U davor
Administrators (S-1-5-32-544) -> -2094967295
Users (S-1-5-32-545) -> -2094967294
SSSD currently does not support the mapping of well-known SIDs to POSIX UIDs or GIDs. Additionally, I think the net utility will look directly into Samba databases. Since the well-known SIDs do not correspond to a specific domain, Samba will use 'idmap config *:range = 2200000001-2200100000' to map them. Please note that 2200000001 is larger than 2^31 and the net utility might display signed values, e.g.
2^32 - 2094967295 = 2200000001
bye, Sumit
Regards Davor
We are using SSSD to retrieve user and group info from AD, therefore the AD backend is commented out in smb.conf.
https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 mentions that the local provider is using LDB files for storing information. Is it possible to use the files used by Samba/Winbind to retrieve the users and groups in the local "SAM", e.g. the local Administrators and Users group?
Regards, Davor Vusir
Relevant part of smb.conf:
# username map = /etc/samba/usermap
idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
# idmap config AD:backend = ad
# idmap config AD:schema_mode = rfc2307
# idmap config AD:range = 1000-2200000000
# winbind nss info = rfc2307
Relevant part of nsswitch.conf:
passwd: files sss winbind
shadow: files
group: files sss winbind
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
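Sumit's point about the negative numbers in the `net groupmap list` output (an ID above 2^31-1 printed through a signed 32-bit formatter) is easy to check mechanically. The following is an added example, not code from the thread nor from Samba or SSSD: it parses the two groupmap lines quoted above, recovers the unsigned IDs, checks them against the '*' idmap range from the quoted smb.conf, and flags any configured range whose upper bound would be misprinted the same way. The line format assumed is exactly the one shown in the thread; the sample output and the helper names are constructed for this example.

```python
# Added example (not code from the thread, Samba or SSSD): recover unsigned
# 32-bit IDs from signed int32 display values and sanity-check idmap ranges.
import re

INT32_MAX = (1 << 31) - 1   # 2147483647, largest value a signed int32 can show
UINT32_MOD = 1 << 32        # 4294967296

# Matches lines such as "Administrators (S-1-5-32-544) -> -2094967295"
# (format assumed from the output quoted in the thread).
GROUPMAP_LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<gid>-?\d+)$")


def to_unsigned32(value):
    """Interpret a value printed as signed int32 as the unsigned ID it stands for."""
    return value % UINT32_MOD


def to_signed32(value):
    """What an int32 formatter would print for an unsigned 32-bit ID."""
    value %= UINT32_MOD
    return value - UINT32_MOD if value > INT32_MAX else value


def parse_range(range_spec):
    """'2200000001-2200100000' -> (2200000001, 2200100000)."""
    lo, hi = (int(part) for part in range_spec.split("-", 1))
    if lo > hi:
        raise ValueError("idmap range lower bound exceeds upper bound: %r" % range_spec)
    return lo, hi


def range_needs_unsigned(range_spec):
    """True if some ID in the range is above INT32_MAX and would show as negative."""
    _, hi = parse_range(range_spec)
    return hi > INT32_MAX


def parse_groupmap(output, default_range="2200000001-2200100000"):
    """Parse `net groupmap list` output, normalising IDs to unsigned 32-bit."""
    lo, hi = parse_range(default_range)
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("["):   # skip blank lines and the shell prompt
            continue
        m = GROUPMAP_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised groupmap line: %r" % line)
        shown = int(m.group("gid"))
        gid = to_unsigned32(shown)
        entries.append({
            "name": m.group("name"),
            "sid": m.group("sid"),
            "shown": shown,                      # value as the tool printed it
            "gid": gid,                          # the actual unsigned ID
            "wrapped": shown < 0,                # printed through a signed int32
            "builtin": m.group("sid").startswith("S-1-5-32-"),  # BUILTIN well-known SID
            "in_default_range": lo <= gid <= hi,  # landed in the '*' idmap range
        })
    return entries


# Constructed sample: the prompt and the two lines quoted in the thread.
SAMPLE_OUTPUT = """\
[root@ct-srv001-t ~]# net groupmap list -U davor
Administrators (S-1-5-32-544) -> -2094967295
Users (S-1-5-32-545) -> -2094967294
"""

if __name__ == "__main__":
    for e in parse_groupmap(SAMPLE_OUTPUT):
        print("%-15s %-13s shown=%d gid=%d wrapped=%s builtin=%s in_range=%s" % (
            e["name"], e["sid"], e["shown"], e["gid"],
            e["wrapped"], e["builtin"], e["in_default_range"]))
    for spec in ("2200000001-2200100000", "1000-2200000000"):
        print("range %s needs unsigned display: %s" % (spec, range_needs_unsigned(spec)))
```

Both BUILTIN groups resolve to 2200000001 and 2200000002, i.e. the first two IDs of the '*' range, which matches Sumit's arithmetic; the commented-out AD range 1000-2200000000 would show the same signed wrap-around for its upper part, so any tool that formats IDs as int32 should be read with that in mind.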