Re: [Samba] sysvolreset doesn't reset all ACLs

On Thu, 31 Aug 2017, Rowland Penny via samba wrote:

On Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
me@xxxxxxxxxx wrote:

On Thu, 24 Aug 2017, Rowland Penny via samba wrote:

On Thu, 24 Aug 2017 12:41:36 +0200
Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:

On 2017-08-24 12:27, Rowland Penny via samba wrote:

I actually used worse words when I found out why I couldn't get my
work on the python code to work. ;-)

Does this apply only to sysvolreset or also when fixing ACLs from

On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
idmap.ldb, this makes it able to own files and dirs in sysvol. The
moment you give 'Domain Admins' a gidNumber, you break this mapping
and the group becomes just a group and cannot own anything on a Unix
machine, so my recommendation is to not give the group a gidNumber,
create another group 'Unix Admins', give this group a gidNumber and
make this group a member of 'Domain Admins'.

So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers
running samba-4.6.2-8.el7.x86_64 on Centos 7.4. In setting up shares
on the file servers I see that
says to grant SeDiskOperatorPrivilege to the Domain Admins group.

If I follow Rowland's advice above and make a unix admins group, do I
still grant SeDiskOperatorPrivilege to Domain Admins or do I grant
SeDiskOperatorPrivilege to Unix Admins?

I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege but I
want to be sure.

Basically, wherever the wikipage mentions 'Domain Admins' use 'Unix
Admins' instead (you don't have to use a group called 'Unix Admins', it
just seemed a logical name to me), so yes, you give both a gidNumber
and 'SeDiskOperatorPrivilege' to 'Unix Admins', you will also need to
make 'Unix Admins' a member of 'Domain Admins'.

Also, when I create the shares do I set the permissions to root:Unix

Yes, or 'Unix Admins' will not be able to do anything.

If I do getent group "domain admins" nothing returns. Which I believe
is because Domain Admins does not have a unix GID assigned.

Good, whilst 'Domain Admins' isn't used by the default GPOs, it is used
(as an owner) by other GPOs you will add.

If I do:
(vfs2 pts4) # getent group "unix admins"
unix admins:x:10001:
(vfs2 pts4) #

That works. Since unix admins is a member of domain admins is that
good enough?


Thanks for the quick response.

One more question, when I created the Unix Admins group using ADUC, I noticed
that there was a place to add members on the Unix attributes tab. Should I be
adding users there, on the members tab or both?
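The setup Rowland recommends above (a separate 'Unix Admins' group that carries the gidNumber and SeDiskOperatorPrivilege, nested in 'Domain Admins', while 'Domain Admins' itself keeps its ID_TYPE_BOTH mapping) can be scripted and verified. The script below is an added example written for this thread, not code posted by anyone in it or shipped by Samba. It assumes the domain's NetBIOS name is SAMDOM, a gidNumber of 10001 and a NIS domain of "samdom" for 'Unix Admins'; all three are placeholders to adjust. The `check` mode reproduces the getent test from the thread: 'Domain Admins' should return nothing (no gidNumber, so it can still own sysvol files) and 'Unix Admins' should resolve to a numeric gid.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes a Samba AD DC with samba-tool
# and net on PATH; SAMDOM, gid 10001 and NIS domain "samdom" are placeholders.
set -eu

# Extract the numeric gid from a getent(1) group line: name:x:GID:members
gid_from_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Decide whether a group's Unix visibility matches the thread's recommendation.
#   $1 = ad-only : getent must return nothing ('Domain Admins' keeps ID_TYPE_BOTH)
#   $1 = unix    : getent must return a line with a numeric gid ('Unix Admins')
#   $2 = the getent output for that group (empty if it did not resolve)
# Prints a one-line verdict and returns 0 only when the state is as expected.
check_mapping() {
    expect=$1; line=$2
    case $expect in
        ad-only)
            if [ -z "$line" ]; then
                echo "ok: group has no gidNumber, it can still own sysvol files"
                return 0
            fi
            echo "WARN: group has gid $(gid_from_line "$line"); it is now just a group and cannot own files"
            return 1 ;;
        unix)
            gid=$(gid_from_line "$line")
            case $gid in
                ''|*[!0-9]*) echo "WARN: group does not resolve to a Unix gid"; return 1 ;;
                *)           echo "ok: group resolves to gid $gid"; return 0 ;;
            esac ;;
    esac
}

# Live check against the running nss/winbind, using getent as in the thread.
check_live() {
    check_mapping ad-only "$(getent group 'domain admins' || true)"
    check_mapping unix    "$(getent group 'unix admins'   || true)"
}

# Provisioning steps from the advice above; only run when invoked with 'apply'.
apply() {
    samba-tool group add 'Unix Admins' --gid-number=10001 --nis-domain=samdom
    samba-tool group addmembers 'Domain Admins' 'Unix Admins'
    net rpc rights grant 'SAMDOM\Unix Admins' SeDiskOperatorPrivilege -U 'SAMDOM\administrator'
}

case ${1:-} in
    apply) apply ;;
    check) check_live ;;
esac
```

Run `sh unix-admins.sh apply` once on a DC, then `sh unix-admins.sh check` on any DC or member server to confirm the mapping state; a WARN for 'Domain Admins' means someone has given it a gidNumber and the ID_TYPE_BOTH mapping is gone.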
