Re: [Samba] sysvolreset doesn't reset all ACLs
- Date: Fri, 1 Sep 2017 08:20:02 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
On Thu, 31 Aug 2017 18:59:21 -0400 (EDT)
> On Thu, 31 Aug 2017, Rowland Penny via samba wrote:
> > On Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
> > me@xxxxxxxxxx wrote:
> >> On Thu, 24 Aug 2017, Rowland Penny via samba wrote:
> >>> On Thu, 24 Aug 2017 12:41:36 +0200
> >>> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >>> I actually used worse words when I found out why I couldn't get my
> >>> work on the python code to work. ;-)
> >>>> Does this apply only to sysvolreset or also when fixing ACLs from
> >>>> Windows?
> >>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> >>> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> >>> moment you give 'Domain Admins' a gidNumber, you break this
> >>> mapping and the group becomes just a group and cannot own
> >>> anything on a Unix machine, so my recommendation is to not give
> >>> the group a gidNumber, create another group 'Unix Admins', give
> >>> this group a gidNumber and make this group a member of 'Domain
> >>> Admins'
> >> So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers
> >> running samba-4.6.2-8.el7.x86_64 on Centos 7.4. In setting up
> >> shares on the file servers I see that
> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >> says to grant SeDiskOperatorPrivilege to the Domain Admins group.
> >> If I follow Rowland's advice above and make a unix admins group,
> >> do I still grant SeDiskOperatorPrivilege to Domain Admins or do I
> >> grant SeDiskOperatorPrivilege to Unix Admins?
> >> I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege
> >> but I want to be sure.
> > Basically, wherever the wikipage mentions 'Domain Admins' use 'Unix
> > Admins' instead (you don't have to use a group called 'Unix
> > Admins', it just seemed a logical name to me), so yes, you give
> > both a gidNumber and 'SeDiskOperatorPrivilege' to 'Unix Admins',
> > you will also need to make 'Unix Admins' a member of 'Domain Admins'
> >> Also When I create the shares do I set the permissions to root:Unix
> >> Admins?
> > Yes, or 'Unix Admins' will not be able to do anything.
> >> If I do getent group "domain admins" nothing returns. Which I
> >> believe is because Domain Admins does not have a unix GID assigned.
> > Good, whilst 'Domain Admins' isn't used by the default GPOs, it is
> > used (as an owner) by other GPOs you will add.
> >> If I do:
> >> (vfs2 pts4) # getent group "unix admins"
> >> unix admins:x:10001:
> >> (vfs2 pts4) #
> >> That works. Since unix admins is a member of domain admins is that
> >> good enough?
> > Yes.
> Thanks for the quick response.
> One more question, when I created the Unix Admins group using ADUC, I
> noticed that there was a place to add members on the Unix attributes
> tab. Should I be adding users there, on the members tab or both?
You can add members on the Unix attributes tab, but all this will do is
to give you some extra attributes in AD that nothing uses ;-)
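The procedure the thread settles on (a 'Unix Admins' group with a gidNumber, nested in 'Domain Admins', holding SeDiskOperatorPrivilege and owning the share directory, then verified with getent), as an added shell example that is not part of the thread or of Samba's own tooling. The NetBIOS name, NIS domain and share path are placeholders; the gidNumber 10001 is constructed to match the getent output quoted above; the `--gid-number`/`--nis-domain` options of `samba-tool group add` are assumed to be present in the Samba release in use.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Usage (as root):
#   sh unix_admins.sh dc       on a Samba AD DC
#   sh unix_admins.sh member   on the member file server holding the share
# Without an argument the script only defines its functions.
set -e

GROUP='Unix Admins'
GID_NUMBER=10001                    # constructed, matches the thread's getent output
DOMAIN_NETBIOS='SAMDOM'             # placeholder: your domain's NetBIOS name
NIS_DOMAIN='samdom'                 # placeholder: msSFU30NisDomain value
SHARE_PATH='/srv/samba/share'       # placeholder: directory exported as the share

# Pull the numeric gid out of one 'getent group' line (name:x:gid:members).
parse_gid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only when NSS (winbind) resolves the group with the expected gid,
# which is the check the thread performs by hand with 'getent group'.
group_has_gid() {
    line=$(getent group "$1" 2>/dev/null) || return 1
    [ "$(parse_gid "$line")" = "$2" ]
}

# DC side: create the group with a gidNumber and nest it in 'Domain Admins'.
# 'Domain Admins' itself keeps no gidNumber, so its ID_TYPE_BOTH mapping in
# idmap.ldb stays intact and it can still own files in sysvol.
provision_group() {
    samba-tool group add "$GROUP" \
        --gid-number="$GID_NUMBER" --nis-domain="$NIS_DOMAIN"
    samba-tool group addmembers 'Domain Admins' "$GROUP"
}

# Member server side: grant the privilege the wiki gives to 'Domain Admins'
# to 'Unix Admins' instead, make it the owning group of the share directory,
# and confirm the group actually resolves through NSS before relying on it.
prepare_share() {
    net rpc rights grant "$DOMAIN_NETBIOS\\$GROUP" SeDiskOperatorPrivilege \
        -U "$DOMAIN_NETBIOS\\Administrator"
    chown "root:$GROUP" "$SHARE_PATH"
    if group_has_gid "$GROUP" "$GID_NUMBER"; then
        echo "$GROUP resolves with gid $GID_NUMBER"
    else
        echo "$GROUP does not resolve via NSS; check winbind and idmap config" >&2
        return 1
    fi
}

case "${1:-}" in
    dc)     provision_group ;;
    member) prepare_share ;;
    *)      ;;
esac
```

The final check matters because a group without a gidNumber (the state 'Domain Admins' is deliberately left in) returns nothing from getent, exactly as observed in the thread, and a chown to such a group fails.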