Topic: domain admin and "local" admin privileges

[Mophilly]

In the documentation there is a description on how to create an admin group. In the description it says

When users who are members of this group next log in to a Windows workstation that is joined to the SME Server domain, they will have Local Administrator rights automatically.

I do not need to administer workstations. FTR, there are Windows, Mac and Linux workstations in the LAN.

I would like to delegate system admin responsibilities to another person in my group. We need to have at least two people able to run software updates, assign user permissions and so on, on the SME systems. I prefer to "bless" selected accounts rather than share root credentials.

Will setting up a "domain admins" group as described accomplish this?

If not, would using "plain old" linux commands to amend the appropriate group membership cause problems with SME updates later on?

[janet]

Mophilly

That applies to Windows workstations as it clearly says (ie login to Windows).

You want to install smeserver  user manager by doing
yum install --enablerepo=smecontribs smeserver-userpanel
(all on one line)

IIRC some other dependencies will be installed
Then log in to server manager and setup which users have access to which panels, then the user(s) can log in to user panel with their own login name & perform the admin level functions
https://yourdomain/user-manager

[Mophilly]

Thank you, mary.

Setting aside my concern about unwanted access to local windows systems, I installed the package in SME 8.0 beta. Seems to work fine and allows a fair portion what I am seeking. Unfortunately, it doesn't cover all of the problem I need to resolve.

As a polite suggestion, the documentation team might consider placing Windows specific instructions under Windows specific headings. In this case, the quote is in a section called "Setting admin rights". I would have skipped it entirely if the heading was "Setting Windows admin rights".

[janet]

Mophilly

I installed the package in SME 8.0 beta. Seems to work fine and allows a fair portion what I am seeking. Unfortunately, it doesn't cover all of the problem I need to resolve.

Assume you mean smeserver-userpanel ?
It does everything that server manager does, so what does it not resolve for you ?

In this case, the quote is in a section called "Setting admin rights". I would have skipped it entirely if the heading was "Setting Windows admin rights".

There are lot's of documentation on wiki !
Please provide link to the exact location if you want something fixed.
The best way to effect/request changes is to lodge a bug report, against the wiki category rather than a bug with SME. If you post such things in the forum then someone else will still need to read it and have the inclination to post the details as a bug report anyway. Thanks.

[Mophilly]

Oh, sorry... too many interruptions today.

Yes, I was writing about smeserver-userpanel.

It does allows access to yum, logs and groups, among other things. All good, and most certainly will allow me to delegate the bulk of the admin tasks. I have on my list a couple of things that are in the area of basic server configuration. Updating the db properties for custom iBay configs to isolate upload dir's is one example. Adding new contribs is on that list too.

Regarding submitting a fault report for doc updates... you are right and I should know better than put that sort of comment here. I apologize for not doing so in the first place.

The suggestion is now logged as bug 6934; http://bugs.contribs.org/show_bug.cgi?id=6934

[johnp]

You may also want to look at the Remote User Access contrib

[Mophilly]

You may also want to look at the Remote User Access contrib

Thanks, johnp. I have used the remote user access contrib in the past. A fine contrib, but not quite what I am looking for this time.

[janet]

Mophilly

I have on my list a couple of things that are in the area of basic server configuration. Updating the db properties for custom iBay configs to isolate upload dir's is one example. Adding new contribs is on that list too.

You can add software contribs using the existing panel in server manager, so allow users to have access via user manager.

Possibly you want to grant access to the command line interface, so add specific users to /etc/sudoers and specify what rights they have.
Google for
su command
and
sudoer users
for more details
Remember to setup appropriate path statements for each user

Also see this thread for remote access basics
http://forums.contribs.org/index.php/topic,40318.msg186274.html#msg186274

[johnp]

Possibly you want to grant access to the command line interface, so add specific users to /etc/sudoers and specify what rights they have.
Google for
su command
and
sudoer users
for more details
Remember to setup appropriate path statements for each user

Kind of where I was going with the other contrib

[Mophilly]

You can add software contribs using the existing panel in server manager, so allow users to have access via user manager.

I see that with remote user access installed I can allow selected users to run the software update. What I don't see is how to add contribs. For example, when I enabled "manage individual packages" and review the list of available packages, I cannot find one that might be the remote user access contrib. Perhaps it is all there but I don't know the names of the necessary components. I only know it as "smeserver-remoteuseraccess".

With "manage individual packages" disabled, I see quite a few repos, but I don't see a way to add a new contrib such as remote user access.

[janet]

Mophilly

All contribs are not yet in smecontribs (for sme8) repo. Therefore you need to add sme7contribs repo and have the visible property set to yes for it to appear in server manager. Details of how to create the sme7contribs repo are in the sm8 wiki pages, also referred to many times recently in these forums.

[Mophilly]

Thank you, mary. I will follow up on that.

To help any reader who may come across this thread, I found that the user panel and remote user contribs do indeed cover most of what my group needs. My initial review of these contribs was insufficient. I had to read the documentation more closely to see how it fits together.