Re: [Samba] ldap sub groups and Samba
What?!!! Are you trying to do?!!! Why do you want Domain Admins only to manage a few groups? Smbldap-tools is never complicated. If you are only in windows (techs as you mentioned :-)) stay there. I think if you are a administrator you should do more then only have a nice gui and know nothing about a command line and other os then windows. If you need a samba serving the ads tools then go ahead and install samba4. Good luck Daniel --- EDV Daniel Müller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 Tübingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel...@tropenklinik.de Internet: www.tropenklinik.de --- -Ursprüngliche Nachricht- Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im Auftrag von Christ Schlacta Gesendet: Samstag, 18. Juni 2011 09:00 An: samba@lists.samba.org Betreff: Re: [Samba] ldap sub groups and Samba On 6/16/2011 16:14, Juan Diego Calle wrote: Hi, I have a RHEL 5.6 server with samba3x-3.5.4-0.70 instaled, it acts as a PDC, it has OpenLDAP in the same server. Everything works fine, so far, the windows xp and windows 7 machines are inside the domain, and users from the ldap can log from their machines. The thing is that i am trying to create groups, so some users can administrate others users, but not all the users. I know that samba does support administration through usrmng.exe or some other windows tools, so the Domain Admins should be able to administrate all the user. I talked to many people and googled around and I understood that the samba schema wont support groups of people that administer some users, either you are a Domain Admin or Domain User, and Domain Admins have all the administrative privileges, maybe I am wrong I tried using the usrmng.exe and some other tools over windows 7 and I couldnt make them work so I stop trying to manage the users through any Windows Tools. Is it possible to use Domain Admins to manage only some groups? Because everyone told me that the above is not possible, I tried another approach, with OpenLdap, PHPLDAPAdmin and acls. (I need to have a graphical interface, the people that will manage this groups of users are windows techs, so anything from command line like smbldap-tools or anything else seems uber complicated) I created groups on my openldap and with acls the users where able to administer some users, it still needs more testing. I was trying to create nested groups with Domain Users, and my users but then I thought of the following. Instead of nested groups can I create a sub group of Domain Users, and user that belongs to that group will log to the Domain? I am trying this on a Virtual Machine, but my Windows 7 machine died, and I havent being able to test this. Having an group on my ldap like this dn: cn=Grupo de Prueba,cn=Domain Users,ou=Group,dc=mydomain,dc=com objectClass: groupOfNames objectClass: top cn: Grupo de Prueba member: uid=prueba,ou=People,dc=mydomain,dc=com Will the user prueba be able to log on to the samba Domain? Or the user has to be part of the Domain Users directly in order to log on to the Domain. Thanks, Juan Diego there's no reason they can't be domain users also, and just not have any user admins for that group. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] ldap sub groups and Samba
On 6/16/2011 16:14, Juan Diego Calle wrote: Hi, I have a RHEL 5.6 server with samba3x-3.5.4-0.70 instaled, it acts as a PDC, it has OpenLDAP in the same server. Everything works fine, so far, the windows xp and windows 7 machines are inside the domain, and users from the ldap can log from their machines. The thing is that i am trying to create groups, so some users can administrate others users, but not all the users. I know that samba does support administration through usrmng.exe or some other windows tools, so the Domain Admins should be able to administrate all the user. I talked to many people and googled around and I understood that the samba schema wont support groups of people that administer some users, either you are a Domain Admin or Domain User, and Domain Admins have all the administrative privileges, maybe I am wrong I tried using the usrmng.exe and some other tools over windows 7 and I couldnt make them work so I stop trying to manage the users through any Windows Tools. Is it possible to use Domain Admins to manage only some groups? Because everyone told me that the above is not possible, I tried another approach, with OpenLdap, PHPLDAPAdmin and acls. (I need to have a graphical interface, the people that will manage this groups of users are windows techs, so anything from command line like smbldap-tools or anything else seems uber complicated) I created groups on my openldap and with acls the users where able to administer some users, it still needs more testing. I was trying to create nested groups with Domain Users, and my users but then I thought of the following. Instead of nested groups can I create a sub group of Domain Users, and user that belongs to that group will log to the Domain? I am trying this on a Virtual Machine, but my Windows 7 machine died, and I havent being able to test this. Having an group on my ldap like this dn: cn=Grupo de Prueba,cn=Domain Users,ou=Group,dc=mydomain,dc=com objectClass: groupOfNames objectClass: top cn: Grupo de Prueba member: uid=prueba,ou=People,dc=mydomain,dc=com Will the user prueba be able to log on to the samba Domain? Or the user has to be part of the Domain Users directly in order to log on to the Domain. Thanks, Juan Diego there's no reason they can't be domain users also, and just not have any user admins for that group. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] ldap sub groups and Samba
Hi, I have a RHEL 5.6 server with samba3x-3.5.4-0.70 instaled, it acts as a PDC, it has OpenLDAP in the same server. Everything works fine, so far, the windows xp and windows 7 machines are inside the domain, and users from the ldap can log from their machines. The thing is that i am trying to create groups, so some users can administrate others users, but not all the users. I know that samba does support administration through usrmng.exe or some other windows tools, so the Domain Admins should be able to administrate all the user. I talked to many people and googled around and I understood that the samba schema wont support groups of people that administer some users, either you are a Domain Admin or Domain User, and Domain Admins have all the administrative privileges, maybe I am wrong I tried using the usrmng.exe and some other tools over windows 7 and I couldnt make them work so I stop trying to manage the users through any Windows Tools. Is it possible to use Domain Admins to manage only some groups? Because everyone told me that the above is not possible, I tried another approach, with OpenLdap, PHPLDAPAdmin and acls. (I need to have a graphical interface, the people that will manage this groups of users are windows techs, so anything from command line like smbldap-tools or anything else seems uber complicated) I created groups on my openldap and with acls the users where able to administer some users, it still needs more testing. I was trying to create nested groups with Domain Users, and my users but then I thought of the following. Instead of nested groups can I create a sub group of Domain Users, and user that belongs to that group will log to the Domain? I am trying this on a Virtual Machine, but my Windows 7 machine died, and I havent being able to test this. Having an group on my ldap like this dn: cn=Grupo de Prueba,cn=Domain Users,ou=Group,dc=mydomain,dc=com objectClass: groupOfNames objectClass: top cn: Grupo de Prueba member: uid=prueba,ou=People,dc=mydomain,dc=com Will the user prueba be able to log on to the samba Domain? Or the user has to be part of the Domain Users directly in order to log on to the Domain. Thanks, Juan Diego -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba