
Re: [Samba] samba-tool of delegation of permissions


Andrew Bartlett

May 12, 2013, 4:00:01 PM
On Sun, 2013-05-12 at 06:24 -0700, daniel gonzalez wrote:
>
>
> I need a practical example of samba-tool for delegation of
> permissions, to allow supporters to join machines to the
> domain.
> Use samba 4.0.5
> Thank you very much.
>
>

I think this may be easier done using the Active Directory Users and
Computers Windows GUI tool. There isn't a simple command to do this
yet, as far as I know, but I agree it would be nice if one was written.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org



Marc Muehlfeld

May 12, 2013, 5:20:01 PM
Hello Daniel,

On 12.05.2013 21:50, Andrew Bartlett wrote:
> On Sun, 2013-05-12 at 06:24 -0700, daniel gonzalez wrote:
>>
>>
>> I need a practical example of samba-tool for delegation of
>> permissions, to allow supporters to join machines to the
>> domain.
>> Use samba 4.0.5
>> Thank you very much.
>>
>>
>
> I think this may be easier done using the Active Directory Users and
> Computers Windows GUI tool. There isn't a simple command to do this
> yet, as far as I know, but I agree it would be nice if one was written.

For doing it with ADUC, see here:

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions


Regards,
Marc

Marc Muehlfeld

May 13, 2013, 9:40:02 AM
On 13.05.2013 14:53, daniel gonzalez wrote:
>> For doing it with ADUC, see here:
>>
>> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
>
> Hello Marc, with ADUC it doesn't work for XP computers, only 7.


It is working fine here for XP and Win7 in production and my test
environment. The HowTo is from me. So I know, it's working :-)

Have you read the 'Known issues/limitations' on that page
(http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Known_issues.2Flimitations)?

You still need 'acl:search=false' in your smb.conf, even if you run the
latest version.

If it still doesn't work, then please give some more information (error
messages, steps you did, well-known-ACLs reset, etc.). Maybe we can find
out then, what is different in your environment to mine.

Andrew Bartlett

May 19, 2013, 7:50:01 AM
On Mon, 2013-05-13 at 15:29 +0200, Marc Muehlfeld wrote:
> On 13.05.2013 14:53, daniel gonzalez wrote:
> >> For doing it with ADUC, see here:
> >>
> >> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
> >
> > Hello Marc, with ADUC it doesn't work for XP computers, only 7.
>
>
> It is working fine here for XP and Win7 in production and my test
> environment. The HowTo is from me. So I know, it's working :-)
>
> Have you read the 'Known issues/limitations' on that page
> (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Known_issues.2Flimitations)?
>
> You still need 'acl:search=false' in your smb.conf, even if you run the
> latest version.

If that is the case, after resetting the ACLs or on a fresh provision,
please file a bug, showing how windows does it differently. We match
windows behaviour now, as far as we know.

> If it still doesn't work, then please give some more information (error
> messages, steps you did, well-known-ACLs reset, etc.). Maybe we can find
> out then, what is different in your environment to mine.
>
>
> Regards,
> Marc
>
>
>

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org


Marc Muehlfeld

May 20, 2013, 2:10:02 PM
Hello Andrew,

On 19.05.2013 13:39, Andrew Bartlett wrote:
>> Have you read the 'Known issues/limitations' on that page
>> (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Known_issues.2Flimitations)?
>>
>> You still need 'acl:search=false' in your smb.conf, even if you run the
>> latest version.
>
> If that is the case, after resetting the ACLs or on a fresh provision,
> please file a bug, showing how windows does it differently. We match
> windows behaviour now, as far as we know.

The bug report about that already exists:
https://bugzilla.samba.org/show_bug.cgi?id=9788

Because I don't have Windows servers, I have no way to find out how
Windows reacts.

But when I wrote the "Join machines to the Domain as non-Domain-Admin"
Howto, I took over the steps from MS:
http://support.microsoft.com/kb/932455/en-us

That's why I think Samba is still doing something different on
delegation than MS in that case, if I have to use 'acl:search=false'.


Regards,
Marc

Andrew Bartlett

May 20, 2013, 5:50:01 PM
On Mon, 2013-05-20 at 20:04 +0200, Marc Muehlfeld wrote:
> Hello Andrew,
>
> On 19.05.2013 13:39, Andrew Bartlett wrote:
> >> Have you read the 'Known issues/limitations' on that page
> >> (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Known_issues.2Flimitations)?
> >>
> >> You still need 'acl:search=false' in your smb.conf, even if you run the
> >> latest version.
> >
> > If that is the case, after resetting the ACLs or on a fresh provision,
> > please file a bug, showing how windows does it differently. We match
> > windows behaviour now, as far as we know.
>
> The bug report about that already exists:
> https://bugzilla.samba.org/show_bug.cgi?id=9788
>
> Because I don't have Windows servers, I have no way to find out how
> Windows reacts.

You can download trial versions of Windows 2008r2 for testing and
evaluation purposes.

> But when I wrote the "Join machines to the Domain as non-Domain-Admin"
> Howto, I took over the steps from MS:
> http://support.microsoft.com/kb/932455/en-us
>
> That's why I think Samba is still doing something different on
> delegation than MS in that case, if I have to use 'acl:search=false'.

We need far, far more detail - using this ACL, this attribute is
visible/modified on windows but not on Samba - to be able to address
this.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

