On 2015-10-29 12:02, Sumit Bose wrote:
On Thu, Oct 29, 2015 at 09:43:41AM +0100, Davor Vusir wrote:
> Hi all!
>
> We have got many delegations in our AD. To add a certain administrator group
> to the local Administrators group you can use GPO for Windows servers. As
> Samba does not understand GPO I have initially used the "username map"
> feature to add a domain account to become root. After the appropriate group
> is added via Computer Management MMC by the delegated administrator, the
> line "username map" is commented and Samba is restarted. After this
> procedure the delegated administrators have got proper access to the server.
> Not using this feature of course renders access denied error when attempting
> to add an AD-group to the local Administrators group.
>
> If Winbind is disabled you get the well known SID in members list in the
> properties dialog for the local Administrators group instead of the human
> readable names (AD\Domain Admins...).
Maybe SSSD's version of libwbclient might help here. It is available on
Fedora/RHEL in the sssd-libwbclient package. It might be necessary to use
the alternatives tool to switch from the Samba version of the library to
SSSD's version.
Please note that SSSD's libwbclient does not implement the complete API of
libwbclient, so it might not fix all your needs.
HTH
bye,
Sumit
Hi Sumit!
Unfortunately it doesn't:
[root@ct-srv001-t ~]# net groupmap list -U davor
Administrators (S-1-5-32-544) -> -2094967295
Users (S-1-5-32-545) -> -2094967294
Regards
Davor
> We are using SSSD to retrieve user and group info from AD, therefore the
> AD backend is commented out in smb.conf.
>
> https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 mentions that the
> local provider is using LDB-files for storing information. Is it possible to
> use the files used by Samba/Winbind to retrieve the users and groups in the
> local "SAM", eg the local Administrators and Users group?
>
> Regards
> Davor vusir
>
> Relevant part of smb.conf:
> # username map = /etc/samba/usermap
>
> idmap config *:backend = tdb
> idmap config *:range = 2200000001-2200100000
> # idmap config AD:backend = ad
> # idmap config AD:schema_mode = rfc2307
> # idmap config AD:range = 1000-2200000000
> # winbind nss info = rfc2307
>
>
> Relevant part of nsswitch.conf:
> passwd: files sss winbind
> shadow: files
> group: files sss winbind
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
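The negative gids in the `net groupmap list` output above are consistent with the start of the configured `idmap config *:range` (2200000001) having been printed as a signed 32-bit integer (2200000001 - 2^32 = -2094967295). The following checker is an added example, not code from the thread or from Samba/SSSD: it parses such output together with the quoted smb.conf fragment, normalises the gids back to unsigned 32-bit and verifies that every local group mapping lands inside the configured idmap range.

```python
import re

# Constructed sample input: the two groupmap lines and the idmap range quoted above.
GROUPMAP_OUTPUT = """\
Administrators (S-1-5-32-544) -> -2094967295
Users (S-1-5-32-545) -> -2094967294
"""
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
"""

# "<name> (<SID>) -> <gid>" as emitted by `net groupmap list`
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<gid>-?\d+)$")


def to_unsigned32(value: int) -> int:
    """Undo a signed 32-bit wrap: -2094967295 -> 2200000001 (gids are unsigned)."""
    return value & 0xFFFFFFFF


def parse_groupmap(text: str) -> dict:
    """Return {group name: (SID, gid)} with gids normalised to unsigned 32-bit."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m["name"]] = (m["sid"], to_unsigned32(int(m["gid"])))
    return result


def parse_idmap_range(conf: str, domain: str = "*") -> tuple:
    """Return (low, high) from the 'idmap config <domain>:range = low-high' line."""
    pat = re.compile(
        rf"^\s*idmap config {re.escape(domain)}:range\s*=\s*(\d+)-(\d+)\s*$", re.M)
    m = pat.search(conf)
    if not m:
        raise ValueError(f"no idmap range configured for domain {domain!r}")
    return int(m.group(1)), int(m.group(2))


def check_mappings(groupmap_text: str, conf: str, domain: str = "*") -> dict:
    """Return {group name: True if its gid lies inside the configured idmap range}."""
    low, high = parse_idmap_range(conf, domain)
    return {name: low <= gid <= high
            for name, (_sid, gid) in parse_groupmap(groupmap_text).items()}


if __name__ == "__main__":
    for name, ok in check_mappings(GROUPMAP_OUTPUT, SMB_CONF).items():
        print(f"{name}: {'in range' if ok else 'OUTSIDE idmap range'}")
```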