Re: [Samba] sysvolreset doesn't reset all ACLs

On Thu, 24 Aug 2017 14:15:53 +0200
Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On 2017-08-24 13:00, Rowland Penny via samba wrote:
> > On Thu, 24 Aug 2017 12:41:36 +0200
> > Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> >> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >>> On Thu, 24 Aug 2017 12:03:42 +0200
> >>> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >>>
> >>>>
> >>>> Where does the error come from, and why doesn't sysvolreset fix
> >>>> it?
> >>>>
> >>>
> >>> Mainly because (from my testing) sysvolcheck/sysvolreset is
> >>> broken. I do not write 'C' code and the problem seems to be in
> >>> set_nt_acl from source3/smbd/posix_acls.c 
> >>> It doesn't set the correct ACL.
> >>>
> >>> I have opened a bug for this:
> >>>
> >>> https://bugzilla.samba.org/show_bug.cgi?id=12924
> >>
> >> Ah, crap.
> > 
> > I actually used worse words when I found out why I couldn't get my
> > work on the python code to work. ;-)
> > 
> >>
> >>> Even when this gets fixed, the python code will need work, because
> >>> it doesn't do what windows does, also anybody who has set a
> >>> gidNumber on Domain Admins, will need to remove it, the group
> >>> needs to own things in sysvol and with a gidNumber it cannot.
> >>
> >> Does this apply only to sysvolreset or also when fixing ACLs from
> >> Windows?
> > 
> > On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> > idmap.ldb, this makes it able to own files and dirs in sysvol. The
> > moment you give 'Domain Admins' a gidNumber, you break this mapping
> > and the group becomes just a group and cannot own anything on a Unix
> > machine, so my recommendation is to not give the group a gidNumber;
> > create another group ('Unix Admins'?), give this group a gidNumber and
> > make this group a member of 'Domain Admins'.
> 
> Does removing the gidNumber retroactively allow it to work?
> 
> (That is, once I figured out how to reset the ACLs from within
> Windows.)
> 

It should; idmap.ldb works on a first-come basis, so the next time
Domain Admins connects it should get issued a new xidNumber.

Rowland
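The ID_TYPE_BOTH point above can be checked directly against the DC's idmap database. The following is an added example, not code from the thread or from Samba itself: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb objectClass=sidMap` prints (the path is the usual default and is an assumption here) and reports whether the Domain Admins SID (RID 512) is mapped in a way that lets it own files. The LDIF embedded below is constructed to match that output shape; the second record, a plain ID_TYPE_GID group, shows the case Rowland describes as unable to own anything. Note that `samba-tool` itself is Python, so this is the natural language for poking at the DC.

```python
"""Report which sidMap entries in a Samba AD DC idmap.ldb can own files.

Added example (not Samba's own code). The LDIF below is a constructed
sample in the shape printed by:
    ldbsearch -H /var/lib/samba/private/idmap.ldb objectClass=sidMap
On a real DC, feed that command's output to check_domain_admins().
"""

# Constructed sample: a healthy Domain Admins (RID 512) mapping of type
# ID_TYPE_BOTH, followed by an ordinary group mapped as ID_TYPE_GID.
SAMPLE_LDIF = """\
# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
cn: S-1-5-21-1111111111-2222222222-3333333333-512
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-512

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
cn: S-1-5-21-1111111111-2222222222-3333333333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_GID
xidNumber: 3000001
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-1105

# returned 2 records
"""

DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group


def parse_sidmaps(ldif):
    """Parse sidMap records out of ldbsearch LDIF text into dicts.

    Skips '#' comment lines, treats blank lines as record separators and
    joins LDIF continuation lines (a leading space continues the previous
    line, which ldbsearch uses for long values).
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    records, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current.get("objectClass") == "sidMap":
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records


def rid(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def can_own_files(record):
    """A SID can own files/dirs only when it maps to a UID or to BOTH;
    a pure ID_TYPE_GID mapping is 'just a group' on the Unix side."""
    return record.get("type") in ("ID_TYPE_UID", "ID_TYPE_BOTH")


def check_domain_admins(ldif):
    """Classify the Domain Admins mapping found in the LDIF dump.

    Returns (status, record) with status one of:
      'ok'      - mapped so that it can own sysvol (ID_TYPE_BOTH)
      'broken'  - present but group-only, cannot own anything
      'missing' - no entry yet; idmap.ldb allocates one on first use
    """
    for rec in parse_sidmaps(ldif):
        if rid(rec["objectSid"]) == DOMAIN_ADMINS_RID:
            return ("ok" if can_own_files(rec) else "broken"), rec
    return "missing", None


if __name__ == "__main__":
    status, rec = check_domain_admins(SAMPLE_LDIF)
    print("Domain Admins:", status, rec and rec["type"], rec and rec["xidNumber"])
    for r in parse_sidmaps(SAMPLE_LDIF):
        print(rid(r["objectSid"]), r["type"], "owns ok" if can_own_files(r) else "group only")
```

The 'missing' case is the one Rowland's last sentence describes: after the gidNumber is removed there is no usable entry until the group next connects, at which point idmap.ldb hands out a fresh xidNumber. Run the real `ldbsearch` before and after to see that entry appear.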

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba