Change the default admins group

Do you remember this topic?

Well, admin is still fine, but we hit a wall by designing administrators as the default group in the admins/group prop in the config DB!

In AD, administrators is not a domain group, it’s a BUILTIN group. As such it is treated differently by SSSD: it is not available as a Unix group. This is really a bad thing: it simply does not fit our purpose. I ran a lot of experiments with SSSD and group membership resolution: administrators can’t work.

There’s another point: the server-manager does not delegate permissions to members of domain admins, which is a subgroup of administrators. Only SSSD correctly resolves nested groups. But it can’t work with administrators! (see bug #5209).

So I started to think about the following changes:

  • change the default group defined by admins/group prop from administrators to domain admins, which seems reliable.
  • in the Users & Groups page, hide the administrators group from AD, because it is not a valid Unix group, i.e. it cannot be the owner of a shared folder or a shared mailbox.
  • fix the bug https://github.com/NethServer/dev/issues/5209

I’m planning to release the default change in the next ISO release (which could be ns7 Final). Existing installations do not need to be fixed, but could be upgraded manually to the new default with

config setprop admins group 'domain admins'

What do you think?

@stephdl: does any of your packages rely on admins/group? Should we invoke any -update event on them?

No, I don’t refer to the group admins, only to the admin user, but I can name it otherwise. I just want it to be consistent between LDAP and Samba4 AD.

Why not a migrate fragment to do the fix?


Because existing systems cannot be changed unconditionally. Only the sysadmin can decide.

Existing OpenLDAP account providers can continue to use the old default safely.

AD providers are better fixed manually, by setting the prop and moving existing accounts from administrators to domain admins. But I’m not sure it can be done both automatically and safely.

If the only admin is “admin” there are no problems, though. Things should be evaluated only if other members of administrators are defined.