Do you remember this topic?
`admin` is still fine, but we hit a wall by designing `administrators` as the default group in the `admins/group` prop under config DB!
`administrators` is not a domain group, it’s a BUILTIN group. As such it is treated differently by SSSD: it is not available as a unix group. This is really a bad thing: it simply does not fit our purpose. I ran a lot of experiments with SSSD and group membership resolution: `administrators` can’t work.
There’s another point: the server-manager does not delegate permissions to members of `domain admins`, which is a subgroup of `administrators`. Only SSSD correctly resolves nested groups. But it can’t work with `administrators`! (see bug #5209).
So I started to think about the following changes:
- change the default group defined by
domain admins, which seems reliable.
- in the Users & Groups page, hide the `administrators` group from AD, because it is not a valid unix group, i.e. it cannot be the owner of a shared folder or a shared mailbox.
- fix the bug "Domain admins members are not granted full server-manager access" (Issue #5209, NethServer/dev on GitHub)
I’m planning to release the default change in the next ISO release (which could be ns7 Final). Existing installations do not need to be fixed, but could be upgraded manually to the new default with
config setprop admins group 'domain admins'
What do you think?
@stephdl: do any of your packages rely on `admins/group`? Should we invoke any -update event on them?
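
The check discussed in the post, as an added example that is not part of the original post or of NethServer's code: before pointing `admins/group` at a group, confirm that the group resolves through NSS as a unix group and that a given user is a member of it, including indirect membership reported by the NSS backend. The function names and the sample user and group in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (assumption: a Linux host with getent and id available).

# Print the numeric gid of group $1, or fail if NSS cannot resolve it.
# A group that is not exposed as a unix group fails here.
group_gid() {
    entry=$(getent group "$1") || return 1
    echo "$entry" | cut -d: -f3
}

# Return 0 if user $1 is in group $2, 1 if not, 2 if the group itself
# does not resolve. Numeric gids are compared because names such as
# 'domain admins' contain spaces and break parsing of `id -Gn` output.
user_in_group() {
    gid=$(group_gid "$2") || return 2
    for g in $(id -G "$1" 2>/dev/null); do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}

# Usage when run directly (constructed sample values):
#   sh check-group.sh 'alice@ad.example.com' 'domain admins@ad.example.com'
if [ "$#" -eq 2 ]; then
    rc=0
    user_in_group "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: '$1' is a member of '$2'" ;;
        1) echo "NOT A MEMBER: '$1' is not in '$2'" ;;
        2) echo "UNUSABLE: '$2' does not resolve as a unix group" ;;
    esac
fi
```
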