Koozali.org: home of the SME Server

Domain Controller

Offline crusader

  • ***
  • 71
  • +0/-0
    • http://www.far-galaxy.de
Domain Controller
« on: October 01, 2004, 08:56:49 AM »
Can someone tell me if there are more posibilities to change the settings for the samba dc, like adding user to administrator group or similar thing's?
If not how can I change these settings otherwise?

Offline crazybob

  • ****
  • 894
  • +0/-0
    • Stalzer R&D
Domain Controller
« Reply #1 on: October 01, 2004, 01:34:47 PM »
Dungog has a contrib for user panel that will let you give a user rights to do just about everything (except join another computer to the domain)

Bob
If you think you know whats going on, you obviously have no idea whats going on!

Offline gzartman

  • *
  • 305
  • +0/-0
    • LEI Engineering & Surveying
Re: Domain Controller
« Reply #2 on: October 01, 2004, 08:06:37 PM »
Quote from: "crusader"
Can someone tell me if there are more posibilities to change the settings for the samba dc, like adding user to administrator group or similar thing's?
If not how can I change these settings otherwise?


Yes, there certainly is.  Do the following:

1. Create a new user group in the server-manager called "da" and add any users who you want to have domain administrator rights to this group.

2. Open a shell session and log in as root.

3. Make a custom-template dir for smb.conf:  mkdir -p /etc/e-smith/templates-custom/etc/smb.conf

4. At the shell, change dirs to the custom smb.conf dir:  cd  etc/e-smith/templates-custom/etc/smb.conf

5. Create a domain admins template fragment:  pico 11domainAdminGroup

6. Paste the following the pico session:
domain admin group = @da

7. Save the fragment and exit pico.

8. Expand smb.conf:  /sbin/e-smith/expand-template /etc/smb.conf

9. Restart Samba:  /etc/rc.d/init.d/smb restart

OK, you should now be good to go.  Log out of a windows client, then back in again.  You should now have domain admin user rights on that machine.

Greg Zartman
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: Domain Controller
« Reply #3 on: August 24, 2006, 04:28:37 PM »
Quote from: "gzartman"
6. Paste the following the pico session:
domain admin group = @da
As of Samba 3 the "domain admin group" setting is not supported anymore: http://lists.samba.org/archive/samba/2003-September/073602.html

There is however another way to create a group of domain admins: http://lists.samba.org/archive/samba/2004-February/081076.html

[list=1]
  • Create a group and add the suers you want to be domain administrator
  • Get command line access and issue the following command:
    Code: [Select]
    net groupmap add ntgroup="Domain Admins" unixgroup=groupnameFor instance you created a group called "admins" which would result in the following command:
    Code: [Select]
    net groupmap add ntgroup="Domain Admins" unixgroup=admins[/list:o]
    You will probably need to logout of windows and back in again for the privileges to be rolled out.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Domain Controller
« Reply #4 on: August 24, 2006, 04:46:02 PM »
To see a list of all the groups:
Code: [Select]
net rpc group list --user=admin
To see the list of members of a group:
Code: [Select]
net rpc group members "Domain Admins" --user=admin
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: Domain Controller
« Reply #5 on: August 25, 2006, 09:38:28 AM »
Quote from: "cactus"
Quote from: "gzartman"
6. Paste the following the pico session:
domain admin group = @da
As of Samba 3 the "domain admin group" setting is not supported anymore: http://lists.samba.org/archive/samba/2003-September/073602.html

There is however another way to create a group of domain admins: http://lists.samba.org/archive/samba/2004-February/081076.html

[list=1]
  • Create a group and add the suers you want to be domain administrator
  • Get command line access and issue the following command:
    Code: [Select]
    net groupmap add ntgroup="Domain Admins" unixgroup=groupnameFor instance you created a group called "admins" which would result in the following command:
    Code: [Select]
    net groupmap add ntgroup="Domain Admins" unixgroup=admins[/list:o]
    You will probably need to logout of windows and back in again for the privileges to be rolled out.
It can be done even better per server-manager:

Create a user group with any name you like but put "Domain Admins" in the group description/Windows name, this will assign this group as Domain Administrators
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline Franco

  • *
  • 1,171
  • +0/-0
    • http://contribs.org
Domain Controller
« Reply #6 on: September 05, 2006, 03:50:17 AM »
cactus,
How does this apply to SME7?

Thanks,

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Domain Controller
« Reply #7 on: September 05, 2006, 07:53:37 PM »
Quote from: "stuntshell"
cactus,
How does this apply to SME7?

Thanks,
Do you mean if it also changes the admin user for the server-manager to the members of the domain admins group. Unfortunately not... I have already filed a bug for that, but if you mean user rights on directories that works pretty well, ibays that were normally owned by the admin user seems now to be owned by the domain admins group.

I have not hunted for other issues, but maybe you can adapt the httpd.conf file for the admin interface to change the
Code: [Select]
require user admin
to
Code: [Select]
require group domainadmingroup
(located in the deault template /etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/90e-smithAccess20manager)

You can also change the printer admin in the samba configuration files, but I have not fully tested this (for instance installing drivers as a member of the domain admins group other then the default admin user).

As stated before I did not test much, only al little bit on the printer admin group.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline migraineboy

  • 8
  • +0/-0
Domain Controller
« Reply #8 on: December 05, 2006, 08:18:00 PM »
Quote from: "crazybob"
Dungog has a contrib for user panel that will let you give a user rights to do just about everything (except join another computer to the domain)

Bob


Does anyone know which Dungog.net contrib crazybob is referring to?  I am trying to give admin priveledges to a user in a very small office to a client with a 6.5 box that they will not let me upgrade.

Chris G.

Offline Franco

  • *
  • 1,171
  • +0/-0
    • http://contribs.org
Domain Controller
« Reply #9 on: December 05, 2006, 08:55:48 PM »
This contrib delegates rights for users that need to access the admin panels. I'm not using Dungog's version theres a contrib that works the same.

Snip from Dungog's site:
Delegation
To delegate panels to users on your internal network, open your server-manager > user panel access
Select a user and check the box next to the functions they are allowed to use.

You can select the global user to allow everyone to access specific panels. The userpanel-* type are designed for users, although you may not want to assign all functions. By default the change password and email forwarding are allowed for all users.

To allow access from the internet add the IP address or range to the remote access panel of the server manager.
http://www.dungog.net/sme/panels/User%20Manager%20Panel%20Access.html

Offline migraineboy

  • 8
  • +0/-0
Windows Admin rights
« Reply #10 on: December 05, 2006, 09:53:04 PM »
I should have clarified that I meant to Windows Admin rights (priveleges)...not rights to the server-manager.  

Is there any contrib or how-to to do this in SME 6.5?

Chris G.

Offline bcliburn

  • **
  • 41
  • +0/-0
Domain Controller
« Reply #11 on: December 06, 2006, 02:23:45 AM »
I don't think there is a way to have that sort of granular controll over user rights.  You can however make them a local administrator on each machine but if you have a lot of workstations that might be a pain.