Hi,

I have a RHEL 5.6 server with samba3x-3.5.4-0.70 installed. It acts as a PDC, and it 
has OpenLDAP on the same server.  Everything works fine so far: the Windows XP 
and Windows 7 machines are inside the domain, and users from the LDAP can log 
in from their machines.  The thing is that I am trying to create groups, so some 
users can administer other users, but not all the users.

I know that Samba does support administration through usrmng.exe or some other 
Windows tools, so the Domain Admins should be able to administer all the 
users.  I talked to many people and googled around, and I understood that the 
Samba schema won't support groups of people that administer some users: either 
you are a Domain Admin or a Domain User, and Domain Admins have all the 
administrative privileges. Maybe I am wrong. I tried using usrmng.exe and 
some other tools on Windows 7 and I couldn't make them work, so I stopped trying 
to manage the users through any Windows tools.
Is it possible to use Domain Admins to manage only some groups?

Because everyone told me that the above is not possible, I tried another 
approach, with OpenLDAP, PHPLDAPAdmin and ACLs.  (I need to have a graphical 
interface; the people that will manage these groups of users are Windows techs, 
so anything from the command line like smbldap-tools or anything else seems uber 
complicated.)
I created groups on my OpenLDAP and with ACLs the users were able to 
administer some users; it still needs more testing. I was trying to create 
nested groups with Domain Users and my users, but then I thought of the 
following.
Instead of nested groups, can I create a subgroup of Domain Users, so that a user 
that belongs to that group will log on to the Domain?

I am trying this on a virtual machine, but my Windows 7 machine died, and I 
haven't been able to test this.

Having a group on my LDAP like this:

dn: cn=Grupo de Prueba,cn=Domain Users,ou=Group,dc=mydomain,dc=com
objectClass: groupOfNames
objectClass: top
cn: Grupo de Prueba
member: uid=prueba,ou=People,dc=mydomain,dc=com

Will the user prueba be able to log on to the Samba Domain? Or does the user have to 
be part of Domain Users directly in order to log on to the Domain?

Thanks,

Juan Diego