Hi all!
We have got many delegations in our AD. To add a certain
administrator group to the local Administrators group you can use
GPO for Windows servers. As Samba does not understand GPO I have
initially used the "username map" feature to let a domain account
become root. After the appropriate group is added via Computer
Management MMC by the delegated administrator, the line "username
map" is commented out and Samba is restarted. After this procedure the
delegated administrators have got proper access to the server. Not
using this feature of course results in an access denied error when
attempting to add an AD group to the local Administrators group.
If Winbind is disabled you get the well-known SID in the members list
in the properties dialog for the local Administrators group instead
of the human readable names (AD\Domain Admins...).
We are using SSSD to retrieve user and group info from AD, therefore
the AD backend is commented out in smb.conf.
https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 mentions
that the local provider is using LDB-files for storing information.
Is it possible to use the files used by Samba/Winbind to retrieve
the users and groups in the local "SAM", e.g. the local Administrators
and Users group?
Regards
Davor vusir
Relevant part of smb.conf:
# username map = /etc/samba/usermap
idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
# idmap config AD:backend = ad
# idmap config AD:schema_mode = rfc2307
# idmap config AD:range = 1000-2200000000
# winbind nss info = rfc2307
Relevant part of nsswitch.conf:
passwd: files sss winbind
shadow: files
group: files sss winbind
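The workaround described above maps a domain account to root via "username map" and relies on the line being commented out again afterwards. The following shell functions, an added example and not part of the original post, check an smb.conf fragment for an active (uncommented) "username map" directive and list which Windows accounts a map file sends to root, so a forgotten mapping can be caught; the smb.conf and usermap contents are constructed samples, and the account names are hypothetical.

```shell
#!/bin/sh
# Constructed smb.conf fragment: the username map is still active here.
SMB_CONF_SAMPLE='[global]
username map = /etc/samba/usermap
idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
# idmap config AD:backend = ad
'

# Constructed username map file in Samba format: "unixname = windows names".
# The account names are hypothetical.
USERMAP_SAMPLE='root = AD\davor AD\helpdesk
nobody = guest'

# Print the path from an active "username map" directive in the given
# smb.conf text; commented lines (leading # or ;) are ignored.
active_username_map() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*username[[:space:]]*map[[:space:]]*=[[:space:]]*//p'
}

# Print the Windows names mapped to the root account in the given map text.
root_mappings() {
    printf '%s\n' "$1" |
        awk -F'=' '$1 ~ /^[[:space:]]*root[[:space:]]*$/ {
            sub(/^[[:space:]]+/, "", $2); print $2 }'
}

# Return success (0) when smb.conf activates a map AND that map grants root.
root_map_active() {
    [ -n "$(active_username_map "$1")" ] && [ -n "$(root_mappings "$2")" ]
}

# Stand-alone run: report whether the sample configuration still maps to root.
if root_map_active "$SMB_CONF_SAMPLE" "$USERMAP_SAMPLE"; then
    echo "WARNING: username map active; root granted to: $(root_mappings "$USERMAP_SAMPLE")"
else
    echo "OK: no active mapping to root"
fi
```

Against a live server, feed the functions the contents of the real smb.conf and the file it names (for example with `"$(cat /etc/samba/smb.conf)"`) and wire the result into a periodic compliance check.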