
Re: [Samba] sysvolreset doesn't reset all ACLs

On Thu, 24 Aug 2017, Rowland Penny via samba wrote:

> On Thu, 24 Aug 2017 12:41:36 +0200
> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >
> > > I actually used worse words when I found out why I couldn't get my work
> > > on the python code to work. ;-)
> >
> > Does this apply only to sysvolreset or also when fixing ACLs from
> > Windows?
>
> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> idmap.ldb; this makes it able to own files and dirs in sysvol. The
> moment you give 'Domain Admins' a gidNumber, you break this mapping and
> the group becomes just a group and cannot own anything on a Unix
> machine, so my recommendation is to not give the group a gidNumber,
> create another group 'Unix Admins', give this group a gidNumber and
> make this group a member of 'Domain Admins'.

So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers running
samba-4.6.2-8.el7.x86_64 on CentOS 7.4. In setting up shares on the file
servers I see that
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
says to grant SeDiskOperatorPrivilege to the Domain Admins group.

If I follow Rowland's advice above and make a unix admins group, do I still
grant SeDiskOperatorPrivilege to Domain Admins or do I grant
SeDiskOperatorPrivilege to Unix Admins?

I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege but I want to
be sure.

Also, when I create the shares, do I set the permissions to root:Unix Admins?

If I do getent group "domain admins", nothing is returned, which I believe is
because Domain Admins does not have a Unix GID assigned.

If I do:
(vfs2 pts4) # getent group "unix admins"
unix admins:x:10001:
(vfs2 pts4) #

That works. Since unix admins is a member of domain admins, is that good enough?

I am trying very hard to get this right but given all of these special cases
and documentation that gives different advice, it is difficult at best. I would
not have any chance of getting this working without all of the help on this
list.

Thank You!!

Regards,

--
Tom  me@xxxxxxxxxx  Spamtrap address  me123@xxxxxxxxxx
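As an added illustration of the mapping Rowland describes above (example code, not from the thread or from Samba itself): a small POSIX shell check over ldbsearch-style LDIF that flags a Domain Admins group whose idmap.ldb record is not ID_TYPE_BOTH, or whose AD object has acquired a gidNumber. The LDIF records, domain SID, DN and xidNumber are constructed samples; on a real DC you would feed it the output of ldbsearch against idmap.ldb and sam.ldb.

```shell
#!/bin/sh
# Added example (not from the thread). Sanity-check the two facts Rowland
# describes: the Domain Admins record in idmap.ldb must be ID_TYPE_BOTH,
# and the AD group object must carry no gidNumber. Input is LDIF text as
# printed by ldbsearch; the records below are constructed samples with a
# placeholder domain SID.

# Constructed idmap.ldb record for Domain Admins (RID 512).
IDMAP_LDIF='dn: CN=S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000'

# Constructed sam.ldb records for the group: one clean, one with an
# RFC2307 gidNumber that would break the ID_TYPE_BOTH mapping.
SAM_LDIF_OK='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111-2222-3333-512'
SAM_LDIF_BAD="$SAM_LDIF_OK
gidNumber: 10000"

# ldif_attr LDIF ATTR: print the value of a single-valued attribute.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" -F': ' '$1 == a { print $2; exit }'
}

# check_domain_admins IDMAP_LDIF SAM_LDIF: print a one-line verdict.
# Exit status 0 when the group can still own files, 1 otherwise.
check_domain_admins() {
    itype=$(ldif_attr "$1" type)
    gid=$(ldif_attr "$2" gidNumber)
    if [ -n "$gid" ]; then
        echo "broken: gidNumber $gid set; group is a plain Unix group now"
        return 1
    fi
    if [ "$itype" != "ID_TYPE_BOTH" ]; then
        echo "broken: idmap type is '${itype:-missing}', expected ID_TYPE_BOTH"
        return 1
    fi
    echo "ok: ID_TYPE_BOTH with xidNumber $(ldif_attr "$1" xidNumber)"
}

# Demo on the constructed samples: one clean, one broken.
check_domain_admins "$IDMAP_LDIF" "$SAM_LDIF_OK"
check_domain_admins "$IDMAP_LDIF" "$SAM_LDIF_BAD" || true
```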
