Re: [Samba] sysvolreset doesn't reset all ACLs
- Date: Thu, 31 Aug 2017 18:59:21 -0400 (EDT)
- From: Tom Diehl via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
On Thu, 31 Aug 2017, Rowland Penny via samba wrote:
> On Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
> > On Thu, 24 Aug 2017, Rowland Penny via samba wrote:
> > > On Thu, 24 Aug 2017 12:41:36 +0200
> > > Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > > On 2017-08-24 12:27, Rowland Penny via samba wrote:
> > > > > I actually used worse words when I found out why I couldn't get my
> > > > > work on the python code to work. ;-)
> > > > Does this apply only to sysvolreset or also when fixing ACLs from
> > > On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> > > idmap.ldb; this makes it able to own files and dirs in sysvol. The
> > > moment you give 'Domain Admins' a gidNumber, you break this mapping
> > > and the group becomes just a group and cannot own anything on a Unix
> > > machine, so my recommendation is to not give the group a gidNumber,
> > > create another group ('Unix Admins'?), give this group a gidNumber and
> > > make this group a member of 'Domain Admins'.
> > So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers
> > running samba-4.6.2-8.el7.x86_64 on CentOS 7.4. In setting up shares
> > on the file servers I see that the wiki page
> > says to grant SeDiskOperatorPrivilege to the Domain Admins group.
> > If I follow Rowland's advice above and make a Unix Admins group, do I
> > still grant SeDiskOperatorPrivilege to Domain Admins or do I grant
> > SeDiskOperatorPrivilege to Unix Admins?
> > I am thinking the "Unix Admins" group needs SeDiskOperatorPrivilege but I
> > want to be sure.
> Basically, wherever the wiki page mentions 'Domain Admins' use 'Unix
> Admins' instead (you don't have to use a group called 'Unix Admins', it
> just seemed a logical name to me), so yes, you give both a gidNumber
> and 'SeDiskOperatorPrivilege' to 'Unix Admins'; you will also need to
> make 'Unix Admins' a member of 'Domain Admins'.
> > Also, when I create the shares, do I set the permissions to root:Unix Admins?
> Yes, or 'Unix Admins' will not be able to do anything.
> > If I do getent group "domain admins", nothing returns, which I believe
> > is because Domain Admins does not have a Unix GID assigned.
> Good, whilst 'Domain Admins' isn't used by the default GPOs, it is used
> (as an owner) by other GPOs you will add.
> > If I do:
> > (vfs2 pts4) # getent group "unix admins"
> > (vfs2 pts4) #
> > That works. Since unix admins is a member of domain admins is that
Thanks for the quick response.
One more question, when I created the Unix Admins group using ADUC, I noticed
that there was a place to add members on the Unix attributes tab. Should I be
adding users there, on the members tab or both?
Tom me@xxxxxxxxxx Spamtrap address me123@xxxxxxxxxx
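The steps Rowland describes above (a separate 'Unix Admins' group with a gidNumber, nested in 'Domain Admins' and holding SeDiskOperatorPrivilege, with 'Domain Admins' itself left without a gidNumber) collected into one script as an added example; this is not code from the thread or from the Samba project, and the base DN, workgroup, gidNumber, sam.ldb path and share path are assumptions to adjust.

```shell
#!/bin/sh
# Added example: the 'Unix Admins' procedure from the thread as one script.
# Assumptions (not from the thread): base DN, NetBIOS workgroup, the
# gidNumber, the sam.ldb path on the DC, and the share path.
set -eu

BASE_DN="DC=samdom,DC=example,DC=com"          # assumption
WORKGROUP="SAMDOM"                              # assumption
SAM_LDB="/var/lib/samba/private/sam.ldb"        # assumption (distro-dependent)
SHARE="/srv/samba/share"                        # assumption
GROUP="Unix Admins"
GID=10000                                       # assumption: a free GID in your idmap range

# LDIF that adds a gidNumber to a group under CN=Users, i.e. what the ADUC
# 'Unix Attributes' tab does. 'Domain Admins' deliberately never gets this,
# so its ID_TYPE_BOTH mapping in idmap.ldb stays intact.
gidnumber_ldif() {
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' \
        "$1" "$BASE_DN" "$2"
}

# Succeeds when getent(1) output ($2) shows group $1 resolving to a numeric GID,
# which a member server needs before the group can own files. Tolerates a
# leading DOMAIN\ prefix when 'winbind use default domain' is not set.
group_resolves() {
    printf '%s\n' "$2" | grep -qi "$1:[^:]*:[0-9][0-9]*:"
}

# On the DC: create the group, give it a gidNumber, nest it in 'Domain Admins'
# and grant it SeDiskOperatorPrivilege instead of granting that to 'Domain Admins'.
setup_unix_admins() {
    samba-tool group add "$GROUP"
    gidnumber_ldif "$GROUP" "$GID" | ldbmodify -H "$SAM_LDB"
    samba-tool group addmembers "Domain Admins" "$GROUP"
    net rpc rights grant "$WORKGROUP\\$GROUP" SeDiskOperatorPrivilege \
        -U "$WORKGROUP\\administrator"
}

# On the member server: check the group resolves, then hand the share to root:'Unix Admins'.
prepare_share() {
    group_resolves "$GROUP" "$(getent group "$GROUP" || true)" \
        || { echo "'$GROUP' does not resolve to a Unix GID on this host" >&2; return 1; }
    chown root:"$GROUP" "$SHARE"
}

# Usage: 'sh script.sh dc' on a DC, then 'sh script.sh member' on each file server.
case "${1:-}" in
    dc) setup_unix_admins ;;
    member) prepare_share ;;
esac
```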