[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec
L.P.H. van Belle
belle at bazuin.nl
Fri Sep 7 12:34:17 UTC 2018
Hai,
Sorry to intrude on this, but please read my notes.
> >
> > @Andrew
> > Please guide if we can find any other way to distinguish between
> > group SID and individual user SID to get the access control right
> > with NFS4 ACL plugin. Without this, the plugin is not practically
> > usable in AD environment. Can we tweak winbind configuration to
> > return different uid and gid?
>
> You need to assume that a SID can be both a user and a group, if
> winbind says so. In that case the user component 'owns' the file (if
> it is the owner) and the gid is given group rights.
>
> This also happens in particular for domain admins, which often owns
> files but is of course a group, for group policy in sysvol.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This "assumption" of Andrew is in my opinion wrong.
I'll explain.
I hope he meant DOMAIN\Administrators or (which is the same thing) BUILTIN\Administrators.
But no, DOMAIN\Domain Admins is not used on sysvol in the "FILE/SHARE" rights.
"Domain Admins" is a member of the above group BUILTIN\Administrators and inherits its rights.
The "FILE/FOLDER" rights on a normal Windows server:
run icacls c:\Windows\SYSVOL, which shows:
NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)
Primarily it involves these SIDs, which is where the samba problem is as far as I know.
DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"
( looks about the same as : https://bugzilla.samba.org/show_bug.cgi?id=13532 )
Where, what, is set by default?
And when you look at the "Linked GPOs" within the AD, it shows other rights.
The Default Domain Policy in a GPO editor shows, for example:
Administrators
Domain Admins (DOMAIN\Domain Admins)
Enterprise Admins (DOMAIN\Enterprise Admins)
SYSTEM
(looks about the same as : https://bugzilla.samba.org/show_bug.cgi?id=12236)
Beware of the misunderstanding of the
- share rights on sysvol
- file/folder rights in sysvol
- The sysvol rights with the AD.
( looks about the same as : https://bugzilla.samba.org/show_bug.cgi?id=11757 )
This is why I use my script to set "correct" rights in samba sysvol and netlogon.
Found here:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
Which sets the Windows 2008R2 rights, which I took from my 2008R2 server.
Let's hope this info gives someone a great idea ;-)
I also suggest asking Rowland; we discussed this already a lot on the samba list.
I know he also made some patches for the GPO rights fix, but I can't find that in the bugzilla list.
Greetz,
Louis
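As an added example (editor's code, not part of the mail above and not Samba code), the following script parses the icacls output Louis pasted and the four SIDs he lists: it converts SID strings to and from the binary form used in NT security descriptors, classifies each SID as a BUILTIN alias (S-1-5-32-RID), a domain-relative RID (S-1-5-21-...-RID) or another well-known SID, and parses the icacls ACE lines to confirm which principals actually hold rights on SYSVOL (BUILTIN\Administrators appears; Domain Admins does not). Two entries not in the mail are added as assumptions from general Windows knowledge: CREATOR OWNER is S-1-3-0, and Domain Admins is domain RID 512. The sample icacls text is the mail's own listing, embedded here as constructed input.

```python
"""SID string/binary conversion plus a small icacls ACE parser (added example)."""
import re
import struct
from dataclasses import dataclass

# SIDs named in the mail; the last entry and DOMAIN_ADMINS_RID are added assumptions.
WELL_KNOWN = {
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-3-0": "CREATOR OWNER",          # assumption, not listed in the mail
}
DOMAIN_ADMINS_RID = 512                  # assumption: Domain Admins is a domain RID, not a BUILTIN alias

# Constructed sample: the icacls c:\Windows\SYSVOL listing from the mail.
SAMPLE_ICACLS = r"""
NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)
"""


def parse_sid(text):
    """Split 'S-1-5-32-544' into (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError(f"unsupported SID: {text!r}")
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, LE32 subs."""
    rev, auth, subs = parse_sid(text)
    head = struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes; rejects a blob whose length does not match its count byte."""
    rev, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    auth = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def sid_kind(text):
    """('builtin-alias', rid), ('domain', rid) or ('well-known', None)."""
    _, auth, subs = parse_sid(text)
    if auth == 5 and subs[:1] == [32]:
        return ("builtin-alias", subs[-1])
    if auth == 5 and subs[:1] == [21] and len(subs) == 5:
        return ("domain", subs[-1])
    return ("well-known", None)


@dataclass
class Ace:
    principal: str
    inherit: tuple   # OI/CI/IO/NP/I flags
    rights: tuple    # F, M, RX, WDAC, WO, GR, GE, ...


INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r"^\s*(?P<who>[^:()]+?):(?P<groups>(?:\([^)]*\))+)\s*$")


def parse_icacls(lines):
    """Parse 'PRINCIPAL:(flags)(rights)' lines; lines that do not match are skipped."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line)
        if not m:
            continue
        inherit, rights = [], []
        for grp in re.findall(r"\(([^)]*)\)", m["groups"]):
            if grp in INHERIT_FLAGS:
                inherit.append(grp)
            else:
                rights.extend(grp.split(","))
        aces.append(Ace(m["who"].strip(), tuple(inherit), tuple(rights)))
    return aces


def principals(aces):
    return {a.principal for a in aces}


def mentions(aces, name):
    """True if any ACE principal contains `name` (case-insensitive)."""
    return any(name.lower() in a.principal.lower() for a in aces)


if __name__ == "__main__":
    for sid, name in WELL_KNOWN.items():
        print(f"{sid:14} {name:36} {sid_kind(sid)}  {sid_to_bytes(sid).hex()}")
    aces = parse_icacls(SAMPLE_ICACLS.splitlines())
    print("principals on SYSVOL:", sorted(principals(aces)))
    print("Domain Admins present:", mentions(aces, "Domain Admins"))
```

Running it lists the four SIDs from the mail with their binary encodings, and shows that every principal in the pasted listing is either a BUILTIN alias, NT AUTHORITY or CREATOR OWNER; no domain-relative RID (such as 512) appears in the file ACL, which is the point Louis makes about Domain Admins only entering through BUILTIN\Administrators membership.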