Sumit Bose wrote on 2015-10-30 16:23:
On Fri, Oct 30, 2015 at 11:45:00AM +0100, Davor Vusir wrote:
> On 2015-10-29 12:02, Sumit Bose wrote:
>> On Thu, Oct 29, 2015 at 09:43:41AM +0100, Davor Vusir wrote:
>>> Hi all!
>>>
>>> We have got many delegations in our AD. To add a certain administrator group
>>> to the local Administrators group you can use GPO for Windows servers. As
>>> Samba does not understand GPO I have initially used the "username map"
>>> feature to add a domain account to become root. After the appropriate group
>>> is added via Computer Management MMC by the delegated administrator, the
>>> line "username map" is commented and Samba is restarted. After this
>>> procedure the delegated administrators have got proper access to the server.
>>> Not using this feature of course renders an access denied error when attempting
>>> to add an AD-group to the local Administrators group.
>>>
>>> If Winbind is disabled you get the well known SID in members list in the
>>> properties dialog for the local Administrators group instead of the human
>>> readable names (AD\Domain Admins...).
>> Maybe SSSD's version of libwbclient might help here. It is available on
>> Fedora/RHEL in the sssd-libwbclient package. It might be necessary to use
>> the alternatives tool to switch from the Samba version of the library to
>> SSSD's version.
>>
>> Please note the SSSD's libwbclient does not implement the complete API of
>> libwbclient so it might not fix all your needs.
>>
>> HTH
>>
>> bye,
>> Sumit
>
> Hi Sumit!
>
> Unfortunately it doesn't:
> [root@ct-srv001-t ~]# net groupmap list -U davor
> Administrators (S-1-5-32-544) -> -2094967295
> Users (S-1-5-32-545) -> -2094967294
SSSD currently does not support the mapping of well-known SIDs to POSIX
UIDs or GIDs. Additionally I think the net utility will look directly
into Samba databases. Since the well-known SIDs do not correspond to a
specific domain Samba will use 'idmap config *:range =
2200000001-2200100000' to map them. Please note that 2200000001 is
larger than 2^31 and the net utility might display signed values, e.g.
2^32 - 2094967295 = 2200000001
How clumsy of me! In my defense I thought that because Linux supports ~4
billion uids the net utility automatically supported it as well.
And Windows 2012 supports (after unlocking) 2^31 RIDs, so I thought it
would be a great idea to harmonise this (in some sense). On the other
hand we're scraping at the bottom of this barrel of RIDs and I will
probably retire before we hit the upper limit. I guess I was a little
overambitious...
Thank you!
Davor Vusir
bye,
Sumit
>
> Regards
> Davor
>>> We are using SSSD to retrieve user and group info from AD, therefore the
>>> AD backend is commented in smb.conf.
>>>
>>> https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 mentions that the
>>> local provider is using LDB-files for storing information. Is it possible to
>>> use the files used by Samba/Winbind to retrieve the users and groups in the
>>> local "SAM", e.g. the local Administrators and Users group?
>>>
>>> Regards
>>> Davor Vusir
>>>
>>> Relevant part of smb.conf:
>>> # username map = /etc/samba/usermap
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2200000001-2200100000
>>> # idmap config AD:backend = ad
>>> # idmap config AD:schema_mode = rfc2307
>>> # idmap config AD:range = 1000-2200000000
>>> # winbind nss info = rfc2307
>>>
>>>
>>> Relevant part of nsswitch.conf:
>>> passwd: files sss winbind
>>> shadow: files
>>> group: files sss winbind
>>> _______________________________________________
>>> sssd-users mailing list
>>> sssd-users(a)lists.fedorahosted.org
>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
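The signed-display issue Sumit explains above (a gid of 2200000001 shown as -2094967295) is easy to misread as a broken mapping. The following is an added example, not code from either participant or from the Samba/SSSD projects: it parses the `idmap config *:range` line from the smb.conf fragment and the `net groupmap list` output quoted in the thread (both embedded here as constructed sample input), reinterprets any negative value as the unsigned 32-bit uid/gid it really is, and checks that each mapping falls inside the configured default range.

```python
import re

# Constructed sample input, copied from the fragments quoted in this thread.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
"""

GROUPMAP_OUTPUT = """
Administrators (S-1-5-32-544) -> -2094967295
Users (S-1-5-32-545) -> -2094967294
"""

RANGE_RE = re.compile(r"^\s*idmap config \*:range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)
# "<name> (<SID>) -> <id>"; the id may be printed as a negative (signed) number.
GROUPMAP_RE = re.compile(r"^\s*(\S.*?)\s+\((S-[\d-]+)\)\s*->\s*(-?\d+)\s*$", re.M)


def parse_default_range(smb_conf):
    """Return (low, high) of the default '*' idmap range from smb.conf text."""
    m = RANGE_RE.search(smb_conf)
    if not m:
        raise ValueError("no 'idmap config *:range' line found")
    return int(m.group(1)), int(m.group(2))


def to_unsigned32(value):
    """Reinterpret a value printed as signed 32-bit as the unsigned uid/gid.

    For negative input this is 2^32 + value, i.e. the same arithmetic Sumit
    shows: 2^32 - 2094967295 = 2200000001.
    """
    return value & 0xFFFFFFFF


def check_groupmap(output, smb_conf):
    """Return [(name, sid, unsigned_gid, in_default_range), ...]."""
    low, high = parse_default_range(smb_conf)
    results = []
    for name, sid, raw in GROUPMAP_RE.findall(output):
        gid = to_unsigned32(int(raw))
        results.append((name, sid, gid, low <= gid <= high))
    return results


if __name__ == "__main__":
    for name, sid, gid, ok in check_groupmap(GROUPMAP_OUTPUT, SMB_CONF):
        print(f"{name:<16} {sid:<14} gid={gid} in_range={ok}")
```

Any id that is at least 2^31 will be printed negatively by a tool that formats ids as signed 32-bit, so a negative value alone is not evidence of a mapping failure; an unsigned id outside the configured range is.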