Re: [Samba] Problem sysvolreset
- Date: Mon, 20 Mar 2017 16:36:34 +0100
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Problem sysvolreset
I'm questioning this because of the following.
What is "Domain Admins" doing with rights on SYSVOL anyway??
There should not be any "Domain Admins" at all in the sysvol share and security rights.
But to overcome the problem explained below, you can use:
acl_xattr:ignore system acls = yes
And make sure sysvol and/or netlogon are Windows-only shares, not used by any Unix/Linux/Mac clients.
Set acl_xattr:ignore system acls = yes in the sysvol and/or netlogon share.
Now in addition, as mentioned, if set up correctly,
you don't see any "Domain Admins" on sysvol.
Sysvol share permissions set to:
"Authenticated Users" Full Control
DOMAIN\Administrators (same as "BUILTIN\Administrators") Full Control
And for the folder settings:
CREATOR OWNER Special rights
Authenticated Users Read
SYSTEM Full Control
DOMAIN\Administrators R&E, LFC, READ, WRITE
DOMAIN\Server Operators R&E, LFC, READ
Now it's no problem anymore to give these a gid.
And as Björn suggested, you do give the groups an id.
And when it's all set, DON'T run sysvolreset again; if you do, you must set the share and security rights again.
And all my servers run with: idmap_ldb:use rfc2307
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Rowland Penny via
> Sent: Monday, 20 March 2017 15:44
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Problem sysvolreset
> On Mon, 20 Mar 2017 15:27:33 +0100
> Björn JACKE via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> > > It is my recommendation to not give Domain Admins a gidNumber and
> > > not to run sysvolreset if you add any GPOs.
> > Anybody who uses idmap ad on a samba member server should give domain
> > users and domain admins a gidNumber actually. This does not affect
> > sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307,
> > which I would not recommend.
> > Björn
> Hi Bjorn,
> You can recommend not doing something until you are blue in the face,
> but you will not stop people doing it. ;-)
> If you give Domain Admins a gidNumber, it breaks the mapping in
> idmap.ldb and stops Domain Admins being able to own files and dirs in
> sysvol and Domain Admins needs to own files and dirs in sysvol.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
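A defender-side check for the two positions in this thread (van Belle: no Domain Admins on sysvol; Penny: Domain Admins must own sysvol files), added here as an example that is not from the thread or from Samba itself: it parses a security descriptor in SDDL form (the format `samba-tool ntacl get --as-sddl <path>` prints is assumed; the sample descriptor below is constructed) and reports every place Domain Admins appears, whether by the SDDL alias DA or by a full domain SID with the well-known RID 512.

```python
import re

# Constructed sample in SDDL form. It mirrors the folder layout the mail describes
# (CREATOR OWNER, Authenticated Users, SYSTEM, Administrators, Server Operators),
# plus one deliberate Domain Admins ACE (alias DA) so the check has something to flag.
SAMPLE_SDDL = (
    "O:BAG:BAD:P"
    "(A;OICIIO;0x001f01ff;;;CO)"  # CREATOR OWNER, inherit-only
    "(A;OICI;0x001200a9;;;AU)"    # Authenticated Users: read
    "(A;OICI;0x001f01ff;;;SY)"    # SYSTEM: full control
    "(A;OICI;0x001e01bf;;;BA)"    # BUILTIN\Administrators: R&E, LFC, read, write
    "(A;OICI;0x001200a9;;;SO)"    # Server Operators: read
    "(A;OICI;0x001f01ff;;;DA)"    # Domain Admins: the thread argues about this one
)

DOMAIN_ADMINS_RID = 512  # well-known RID; SDDL shorthand for the same group is "DA"

def is_domain_admins(sid: str) -> bool:
    """True for the SDDL alias DA or a full domain SID whose RID is 512."""
    if sid == "DA":
        return True
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    return m is not None and int(m.group(1)) == DOMAIN_ADMINS_RID

def parse_sddl(sddl: str):
    """Return (owner, group, aces); each ACE is (type, flags, access_mask, trustee)."""
    header = sddl.split("(", 1)[0]  # the "O:...G:...D:..." part before the first ACE
    def component(key):
        m = re.search(rf"{key}:(.*?)(?=[OGDS]:|$)", header)
        return m.group(1) if m else None
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        fields = body.split(";")
        if len(fields) >= 6:
            aces.append((fields[0], fields[1], fields[2], fields[5]))
    return component("O"), component("G"), aces

def domain_admins_references(sddl: str):
    """List every place Domain Admins appears: 'owner', 'group', or 'ace:<trustee>'."""
    owner, group, aces = parse_sddl(sddl)
    hits = []
    if owner and is_domain_admins(owner):
        hits.append("owner")
    if group and is_domain_admins(group):
        hits.append("group")
    hits.extend(f"ace:{trustee}" for _, _, _, trustee in aces if is_domain_admins(trustee))
    return hits
```

Run `domain_admins_references` over the descriptor of each sysvol path you export; an empty list matches the layout van Belle describes, while a list containing "owner" is the state Penny says is required.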