Do you remember this topic?
Well, `admin` is still fine, but we hit a wall by designing `administrators` as the default group in the `admins/group` prop under config DB!
In AD `administrators` is not a domain group, it’s a BUILTIN group. As such it is treated differently by SSSD: it is not available as a unix group. This is really a bad thing: it simply does not fit our purpose. I ran a lot of experiments with SSSD and group membership resolution: `administrators` can’t work.
There’s another point: the server-manager does not delegate permissions to members of `domain admins`, which is a subgroup of `administrators`. Only SSSD correctly resolves nested groups. But it can’t work with `administrators`! (see bug #5209).
So I started to think about the following changes:
- change the default group defined by the `admins/group` prop from `administrators` to `domain admins`, which seems reliable.
- in the Users & Groups page, hide the `administrators` group from AD, because it is not a valid unix group, i.e. cannot be the owner of a shared folder or a shared mailbox.
- fix the bug "Domain admins members are not granted full server-manager access" (Issue #5209, NethServer/dev on GitHub)
I’m planning to release the default change in the next ISO release (which could be ns7 Final). Existing installations do not need to be fixed, but could be upgraded manually to the new default with:

```
config setprop admins group 'domain admins'
```

What do you think?
@stephdl: does any of your packages rely on `admins/group`? Should we invoke any -update event on them?