Re: [Samba] sysvolreset doesn't reset all ACLs
- Date: Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
- From: Tom Diehl via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
On Thu, 24 Aug 2017, Rowland Penny via samba wrote:
> On Thu, 24 Aug 2017 12:41:36 +0200
> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>> I actually used worse words when I found out why I couldn't get my work
>>> on the python code to work. ;-)
>> Does this apply only to sysvolreset or also when fixing ACLs from
> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> moment you give 'Domain Admins' a gidNumber, you break this mapping and
> the group becomes just a group and cannot own anything on a Unix
> machine, so my recommendation is to not give the group a gidNumber,
> create another group 'Unix Admins', give this group a gidNumber and
> make this group a member of 'Domain Admins'
So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers running
samba-4.6.2-8.el7.x86_64 on CentOS 7.4. In setting up shares on the file
servers I see that
says to grant SeDiskOperatorPrivilege to the Domain Admins group.
If I follow Rowland's advice above and make a unix admins group, do I still
grant SeDiskOperatorPrivilege to Domain Admins or do I grant
SeDiskOperatorPrivilege to Unix Admins?
I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege but I want to
Also, when I create the shares do I set the permissions to root:Unix Admins?
If I do getent group "domain admins" nothing returns. Which I believe is because
Domain Admins does not have a unix GID assigned.
If I do:
(vfs2 pts4) # getent group "unix admins"
(vfs2 pts4) #
That works. Since unix admins is a member of domain admins is that good enough?
I am trying very hard to get this right but given all of these special cases
and documentation that gives different advice, it is difficult at best. I would
not have any chance of getting this working without all of the help on this
Tom me@xxxxxxxxxx Spamtrap address me123@xxxxxxxxxx
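An offline check of the mapping Rowland describes, added here as an example and not code from Samba or from anyone in this thread: it parses ldbsearch-style LDIF (the SIDs, DNs and ID numbers below are constructed) and flags any group whose idmap.ldb record is ID_TYPE_BOTH while the AD object also carries a gidNumber.

```python
# Added example: flag groups whose idmap.ldb entry is ID_TYPE_BOTH but that
# also carry a gidNumber in AD, the combination Rowland warns breaks ownership.
# All sample data below is CONSTRUCTED (made-up SIDs/IDs), not from a real DC.

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attr: [values]} dicts."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():             # blank line separates entries
            entries.append({})
            continue
        attr, _, value = line.partition(": ")
        entries[-1].setdefault(attr, []).append(value)
    return [e for e in entries if e]

def idmap_types(idmap_ldif):
    """Map objectSid -> 'type' for every sidMap record in idmap.ldb output."""
    return {e["objectSid"][0]: e["type"][0]
            for e in parse_ldif(idmap_ldif)
            if "sidMap" in e.get("objectClass", [])}

def find_broken_both_mappings(sam_ldif, idmap_ldif):
    """Names of groups mapped ID_TYPE_BOTH that also have a gidNumber set."""
    types = idmap_types(idmap_ldif)
    return [e["sAMAccountName"][0] for e in parse_ldif(sam_ldif)
            if types.get(e.get("objectSid", [""])[0]) == "ID_TYPE_BOTH"
            and "gidNumber" in e]

# Constructed sample: Domain Admins (RID 512) is ID_TYPE_BOTH in idmap.ldb
# but was also given gidNumber 10000; Unix Admins is a plain gidNumber group.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-111-222-333-512
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-512
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

SAM_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-111-222-333-512
sAMAccountName: Domain Admins
gidNumber: 10000

dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-111-222-333-1105
sAMAccountName: Unix Admins
gidNumber: 10001
"""
```

Against a live DC the same functions can be fed the output of `ldbsearch -H idmap.ldb` and of a group search against sam.ldb; an empty result means no ID_TYPE_BOTH group has been given a gidNumber.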