Tested and also working on NethServer 6.x
Just a note about sudo delegation for both versions: by default users have no shell unless they are assigned ssh access.
# getent passwd user1 # ssh access allowed
user1:x:5000:5000:User One:/var/lib/nethserver/home/user1:/bin/bash
# getent passwd user2 # default (no shell)
user2:x:5002:5002:User Two:/var/lib/nethserver/home/user2:/bin/false
Yes marc it is a good remark i made myself when i found that once you created a user with the sambaAD you cannot add anymore the shell access.
You have to destroy the user account (and all its data) then recreate it with the shell access enabled)
@davidep said that a new feature with gpo must be created for this
So for ns7 a this point we cannot do something except documenting it in the module that sudo needs (of course) a shell access.
For ns6 I can add an action to the db accounts and set the shell property to enabled if the sudo is enabled.
I can’t install from:
yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.3-1.ns7.sdl.noarch.rpm
Where to download de lastest version?
Thanks.
Hi,
yum install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.0.5-1.ns7.sdl.noarch.rpm
yum install nethserver-delegation
Then you should get nethserver-delegation 0.1.5-1.ns7.sdl…
Hi it worked fine, but is posible to block the user to change the admin account?
It works fine but si so buggy, in few months willbe perfect
what do you mean ?
you must trust the user with the delegation 
please what is buggy, what enhancements we can bring
Excuse my English is so bad.
First: is that the delegated user can change admin account settings, how is posible to block the admin account so the delegated user can not touch the admin settings.
So I can delegate safely to a user to add and delete acounts for mail (is an example)
The bug was the browser, I changed de URL adress from zero, and now is working so well.
How can we move modules like this out of “testing” stage? So we can call them “stable” and close this topic?
@dev_team any hint?
not (yet) possible, I just change the Json authorisation of nethgui, you use all the official modules but delegated to your user. In fact it could be a new feature request that the admin & the administrator users are not deletable however this modification is out of my hand, because there are official modules.
I think moving the package in nethforge repository (http://packages.nethserver.org/nethserver/7.3.1611/nethforge/) should be enough.
new version of nethserver-delegation
yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.7-1.ns7.sdl.noarch.rpm
the new features are
* Sat Sep 09 2017 stephane de LAbrusse <stephdl@de-labrusse.fr> 0.1.7-1.ns7
- ldif file creation with a random name
- chmod ldif file 0600
- remove the key name when the user/group is deleted
* Fri Sep 08 2017 stephane de Labrusse <stephdl@de-labrusse.fr> 0.1.6-1.ns7
- Automatic activation of the shell access if the sudo power is enabled
Now when you set the sudo privilege, automatically you activate the user’s shell access, it works but I would confirm it on several servers before to release it.
Kudo to @mrmarkuz
Awesome! I can confirm that it works on 2 of my Nethservers. 
But it only works in one direction: Enabling sudo changes users shell to /bin/bash, but disabling does not change it back. A user sudoenabled once has SSH access forever, even if disabling sudo. So I think what’s missing is the possibility to change SSH access in “Users and Groups”. So delegate module would be able to revert to the default setting in “Users and Groups” but may override it when user is delegated. Just in idea…
Yeah it is the official behaviour, if the shell access is allowed to a user, you cannot remove it when you use the samba AD accoount provider, or you must delete the user and recreate it.
It makes me think that it is something not finished @dev_team
Indeed I could remove the bash access myself in the module, or wait to see if a PR is needed in the core
This would be the fastest solution and ok for me, but when I really think about it the best approach would be to change it in “Users and Groups” module, because it is not logical or intuitive to say: "When creating a user you are able to set SSH access once, but for disabling you have to install another module."
Another approach would be to have the ability to change SSH access only in your delegation module…so a newly created user has no SSH access per default. Again just ideas…
It’s the desired behavior, since we do not want to directly edit the AD using any LDAP client.
Actually it is a limitation of samba-tool.
By the way, I just added a card to NethServer project, but we need to review it and decide if it worth implementing it.
Please more tests needed also with openldap (nethserver-directory)
Did another test with Samba AD(ldap will follow) and noticed just 2 points:
good catch the ‘Admin todo messages’ must be delegated also, probably I need to delegate it by default. WHen you delegate all panels you don’t have this bug (because ‘Admin todo messages’ is delegated)