On Fri, Oct 30, 2015 at 11:45:00AM +0100, Davor Vusir wrote:
On 2015-10-29 12:02, Sumit Bose wrote:
>On Thu, Oct 29, 2015 at 09:43:41AM +0100, Davor Vusir wrote:
>>We have got many delegations in our AD. To add a certain administrator group
>>to the local Administrators group you can use GPO for Windows servers. As
>>Samba does not understand GPO I have initially used the "username map"
>>feature to add a domain account to become root. After the appropriate group
>>is added via Computer Management MMC by the delegated administrator, the
>>line "username map" is commented out and Samba is restarted. After this
>>procedure the delegated administrators have got proper access to the server.
>>Not using this feature of course renders an access denied error when attempting
>>to add an AD group to the local Administrators group.
>>If Winbind is disabled you get the well-known SID in the members list in the
>>properties dialog for the local Administrators group instead of the human
>>readable names (AD\Domain Admins...).
>Maybe SSSD's version of libwbclient might help here. It is available on
>Fedora/RHEL in the sssd-libwbclient package. It might be necessary to use
>the alternatives tool to switch from the Samba version of the library to
>Please note the SSSD's libwbclient does not implement the complete API of
>libwbclient so it might not fix all your needs.
Unfortunately it doesn't:
[root@ct-srv001-t ~]# net groupmap list -U davor
Administrators (S-1-5-32-544) -> -2094967295
Users (S-1-5-32-545) -> -2094967294
SSSD currently does not support the mapping of well-known SIDs to POSIX
UIDs or GIDs. Additionally I think the net utility will look directly
into Samba databases. Since the well-known SIDs do not correspond to a
specific domain Samba will use 'idmap config *:range =
2200000001-2200100000' to map them. Please note that 2200000001 is
larger than 2^31 and the net utility might display signed values, e.g.
2^32 - 2094967295 = 2200000001
>>We are using SSSD to retrieve user and group info from AD, therefore the
>>AD backend is commented out in smb.conf.
>>https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 mentions that the
>>local provider is using LDB files for storing information. Is it possible to
>>use the files used by Samba/Winbind to retrieve the users and groups in the
>>local "SAM", e.g. the local Administrators and Users group?
>>Relevant part of smb.conf:
>># username map = /etc/samba/usermap
>>idmap config *:backend = tdb
>>idmap config *:range = 2200000001-2200100000
>># idmap config AD:backend = ad
>># idmap config AD:schema_mode = rfc2307
>># idmap config AD:range = 1000-2200000000
>># winbind nss info = rfc2307
>>Relevant part of nsswitch.conf:
>>passwd: files sss winbind
>>group: files sss winbind
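The signed-display arithmetic explained above, as an added example that is not part of the thread and not Samba or SSSD code: a small Python parser for the `net groupmap list` lines quoted above that undoes the 32-bit signed wrap and checks each GID against the `idmap config *:range` from the quoted smb.conf. The sample output is the two lines from the thread; the range is the one from the smb.conf fragment.

```python
import re

# Range taken from the smb.conf fragment quoted in this thread.
IDMAP_RANGE = (2200000001, 2200100000)

# Sample input: the two `net groupmap list` lines quoted in the thread.
SAMPLE_OUTPUT = """\
Administrators (S-1-5-32-544) -> -2094967295
Users (S-1-5-32-545) -> -2094967294
"""

# One line of `net groupmap list`: "<name> (<SID>) -> <gid>", gid possibly negative.
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) -> (?P<gid>-?\d+)$")


def to_unsigned32(value: int) -> int:
    """Undo a signed 32-bit display: a negative value was >= 2^31 before it wrapped."""
    return value + 2**32 if value < 0 else value


def parse_groupmap(output: str) -> list[dict]:
    """Parse `net groupmap list` output into rows with the real (unsigned) GID.

    Each row records whether the SID is a BUILTIN well-known SID (S-1-5-32-*),
    whether the GID was displayed as a wrapped signed value, and whether the
    real GID falls inside the default-domain idmap range from smb.conf.
    """
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a mapping line
        shown = int(m.group("gid"))
        gid = to_unsigned32(shown)
        rows.append({
            "name": m.group("name"),
            "sid": m.group("sid"),
            "gid": gid,
            "builtin": m.group("sid").startswith("S-1-5-32-"),
            "displayed_signed": shown < 0,
            "in_default_range": IDMAP_RANGE[0] <= gid <= IDMAP_RANGE[1],
        })
    return rows


if __name__ == "__main__":
    for row in parse_groupmap(SAMPLE_OUTPUT):
        print(row)
```

Both quoted groups resolve to 2200000001 and 2200000002, i.e. the first two IDs of the default-domain range, which is why they show up as the negative numbers the reply explains.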
>>sssd-users mailing list