Hi all, I'm evaluating Zimbra [1] as the groupware server for my small company. It uses OpenLDAP for authentication services and I'm configuring a Samba server as a PDC for my company, using the same ldap backend.
So far, so good, everything is working beautifully well, I can add computers to the domain, log in from any workstation, access shares with the appropriate rights and so on. However there's one last thing I need: some normal domain users need administrative rights on their local machines. I know I can go into each workstation and add the user to the local administrators group, however that's not the right way to do it. Can I have it set on the domain level, so that if the user logs in on any workstation, he will be granted the correct local admin rights on that workstation?

Here's what I tried, user 'producao' (id=10003) and group 'Local Admins' (id=10005):

# net groupmap list
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) -> Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins

Here you can see that 'Local Admins' has the correct RID (544).

# getent group |grep Admin
Admins:*:10002:
Local Admins:*:10005:10003

# getent passwd |grep producao
producao:*:10003:10003:Produção Colortech:/colortech/homes/producao:/bin/false

User 'producao' is a member of the 'Local Admins' group (secondary, since I read that BUILTIN groups cannot be a primary group for a user in a Windows NT4 domain).

# /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech "cn=Local Admins"
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=Local Admins
# requesting: ALL
#

# Local Admins, groups, colortechdp.com.br
dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
gidNumber: 10005
displayName: Local Admins
sambaGroupType: 5
description: Local Admins
cn: Local Admins
sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
memberUid: 10003
objectClass: posixGroup
objectClass: sambaGroupMapping

And the information on the LDAP server seems to be correct, including the sambaGroupType property set to 5, instead of 2.

So, what is wrong here? Or isn't it possible to do it at the domain level?

Thanks
Gustavo

[1] http://www.zimbra.com
