Web lists-archives.com

Re: [Samba] idmap problems




On Tue, 8 Jan 2019 08:42:40 +0000
Rob Mason <rob@xxxxxxxxxxxx> wrote:

> 
> <snip>
> 
> Hi Rowland - I've spent the past few days going over the wiki and
> mailing lists. I think I've got the hang of idmaps. May I clarify a
> couple of things:
> 
> ~ I have two DC's and one large fileserver (member). I'm using the
> 'ad' backend. ~ The only only windows group that needs a gidNumber
> attribute is Domain Users to map this across to the member server. ~

Yes

> Other standard domain groups shouldn't be mapped across, especially
> Domain Admins(!) due to e.g.  sysvol  ownership ~ 

There is absolutely no need to give any windows user or group a
uidNumber or gidNumber, unless you want them to be also a Unix user or
group. None of the 'Well Know SIDs' needs to be a Unix user or group.

>I may add my own domain user/group to the DC's and add uid/gid to the attributes
> (avoiding overlapping ranges between domains, and avoiding the
> standard xid 3000000 range for builtin accounts). 

Yes, as I said above, adding a uidNumber or gidNumber to a Windows user
or group turns them into a Unix user or group, provided you use the
'ad' backend on Unix domain members.

>~ I use the idmap parameters in smb.conf on the member server to map
> the newly added users/groups across to the member server
> 
> I think this is correct and my domain seems healthy. All good!.

Good ;-)

> 
> My one remaining question concerns examples presented in the wiki -
> they routinely use 'Domain Admin' as an example for aspects such as
> setting up shares and permissions. I think this is where I have
> become unstuck in the past. If I setup the domain as per my
> understanding, Domain Admins cannot be used as in the example given
> in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> because its gid is not mapped (and should not typically be mapped).

I didn't write that and it is from experiments in trying to fix
sysvolreset that lead me to the conclusion that giving Domain Admins a
gidNumber was a BAD idea, it just turned it into a group and a group
cannot own things on Unix.

> 
> You gave me some good alternative advice, which I have used in my new
> domain, to create new admin groups that are members of Domain Admins.
> These new admin groups are given gids, and all is good. But I can't
> help thinking that example in the wiki is mis-leading?? It seems that
> anyone who follows this example with a member server will experience
> the gid mapping issues...

I will fix the wiki, as soon as I can

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba