Hi all!

We have got many delegations in our AD. To add a certain administrator group to the local Administrators group you can use a GPO for Windows servers. As Samba does not understand GPOs, I have initially used the "username map" feature to let a domain account become root. After the appropriate group is added via the Computer Management MMC by the delegated administrator, the "username map" line is commented out and Samba is restarted. After this procedure the delegated administrators have proper access to the server. Not using this feature of course renders an "access denied" error when attempting to add an AD group to the local Administrators group.

If Winbind is disabled you get the well-known SID in the members list of the properties dialog for the local Administrators group instead of the human-readable names (AD\Domain Admins...).

We are using SSSD to retrieve user and group info from AD, therefore the AD backend is commented out in smb.conf.

https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 mentions that the local provider uses LDB files for storing information. Is it possible to use the files used by Samba/Winbind to retrieve the users and groups in the local "SAM", e.g. the local Administrators and Users groups?

Regards
Davor vusir

Relevant part of smb.conf:
#  username map = /etc/samba/usermap

   idmap config *:backend = tdb
   idmap config *:range = 2200000001-2200100000
#  idmap config AD:backend = ad
#  idmap config AD:schema_mode = rfc2307
#  idmap config AD:range = 1000-2200000000
#  winbind nss info = rfc2307

Relevant part of nsswitch.conf:
passwd:     files sss winbind
shadow:     files
group:      files sss winbind
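The procedure above leaves a window in which a domain account is mapped to root by Samba, and forgetting to comment the "username map" line back out would leave that mapping permanent. The following audit helper is an added example, not code from Davor's post or from the Samba project: it parses an smb.conf fragment and a usermap file (both constructed samples embedded inline, with the hypothetical account AD\srvadmin) and reports which remote names are currently mapped to root, returning nothing when the directive is commented out. It handles only the plain smb.conf syntax shown in the post (no "include" or "config backend" directives).

```python
"""Audit helper: report domain accounts that an active Samba 'username map'
currently maps to root.  Added example, not from the original mailing-list
post; the smb.conf and usermap contents are constructed samples."""
import re

# Constructed sample smb.conf fragment; 'username map' is active here.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = AD
   security = ads
   username map = /etc/samba/usermap
   idmap config *:backend = tdb
   idmap config *:range = 2200000001-2200100000
#  idmap config AD:backend = ad
"""

# Constructed sample usermap in Samba's "local = remote [remote ...]" format.
# A leading '!' stops further matching once the line matches.
SAMPLE_USERMAP = """\
# local = remote   (constructed sample; AD\\srvadmin is hypothetical)
root = AD\\srvadmin "AD\\Server Operators"
!nobody = AD\\guest
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for uncommented parameters.

    Samba accepts both '#' and ';' as comment leaders and ignores case and
    internal whitespace in parameter names, so names are normalised the
    same way ('username map' becomes 'usernamemap')."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            name, value = line.split("=", 1)
            name = re.sub(r"\s+", "", name).lower()
            sections[current][name] = value.strip()
    return sections


def parse_usermap(text):
    """Return a list of (local_user, [remote_names], stop_flag) tuples.

    Remote names are whitespace separated; a name containing spaces is
    written in double quotes, which are stripped here."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        local, remote = line.split("=", 1)
        local = local.strip()
        stop = local.startswith("!")
        local = local.lstrip("!").strip()
        remotes = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', remote)]
        entries.append((local, remotes, stop))
    return entries


def root_mappings(smb_conf_text, usermap_text):
    """Return the remote names currently mapped to root.

    The result is empty when the 'username map' parameter is commented out
    or absent, because Samba then ignores the usermap file entirely."""
    conf = parse_smb_conf(smb_conf_text)
    if "usernamemap" not in conf.get("global", {}):
        return []
    return [remote
            for local, remotes, _stop in parse_usermap(usermap_text)
            if local == "root"
            for remote in remotes]


if __name__ == "__main__":
    # Run against the constructed samples; swap in the contents of the
    # real /etc/samba/smb.conf and usermap to audit a live host.
    mapped = root_mappings(SAMPLE_SMB_CONF, SAMPLE_USERMAP)
    if mapped:
        print("WARNING: username map is active; mapped to root:", mapped)
    else:
        print("OK: no active mapping to root")
```

Running the script as-is prints the warning for the sample; commenting out the "username map" line in the sample (or on a real host after the delegated group has been added) makes it report that no mapping is active.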