[Samba] Rights issue on GPO

L.P.H. van Belle belle at bazuin.nl
Wed Jun 22 12:19:21 UTC 2016


And don't forget:
https://wiki.samba.org/index.php/Idmap_config_ad 

I also noticed an incorrect mapping, which "looks" like a rights issue, like the one in the thread here. (It is, imo, not a rights issue.) Read on...

NTDOMAIN\enterprise read-only domain controllers:x:3000202:
NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
NTDOMAIN\domain users:x:10000:
NTDOMAIN\domain guests:x:10002:
NTDOMAIN\domain computers:x:10006:
NTDOMAIN\domain controllers:x:3000018:
NTDOMAIN\read-only domain controllers:x:3000203:

is conflicting with
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
BUILTIN\guests:x:3000015:
BUILTIN\account operators:x:3000185:
BUILTIN\server operators:x:3000001:

which results in some incorrect mappings.

But if you add:  acl_xattr:ignore system acls = yes  to the Sysvol share,
 !!  AND you're using the DCs only as DCs !!

then this incorrect mapping can be ignored; at least I'm ignoring it,
since everything is tested and works fine.

But I'm thinking of setting a separate range for BUILTIN.

A setup something like:

        idmap_ldb:use rfc2307 = yes

        ## map ids outside the domain to tdb files.
        ## used for local (Linux only) users
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999

        ## map ids from the domain; the (*) range and the domain ranges may not overlap!
        ## the NTDOMAIN range id mappings
        idmap config NTDOMAIN : backend = ad
        idmap config NTDOMAIN : schema_mode = rfc2307
        idmap config NTDOMAIN : range = 10000-2999999

        ## map ids from BUILTIN ( LOCAL SYSTEM )
        ##
        idmap config BUILTIN : backend = ad
        idmap config BUILTIN : schema_mode = rfc2307
        idmap config BUILTIN : range = 3000000-3999999

Sometimes, if you look from within Windows, you see security rights like:
NTDOMAIN\administrators
which should be
BUILTIN\administrators

Does anyone have a suggestion about setting an extra BUILTIN range for the Local Computer/System?



Greetz, 

Louis
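The two things the post above is doing by hand (checking that the idmap ranges do not overlap, and comparing the getent output against the ranges) can be scripted. The following is an added example, not code from the post or from the Samba project: it parses the `idmap config <DOMAIN> : range = LOW-HIGH` lines of an smb.conf fragment, reports overlapping ranges, and then flags every line of a `getent group` listing whose GID does not fall inside the range configured for the domain in front of the backslash. The smb.conf text is the layout proposed in the post (with BUILTIN spelled the way Samba names that domain) and the getent lines are the ones listed in the post; both are embedded as constructed sample input.

```python
"""Consistency checks for Samba idmap ranges and 'getent group' output.

Added example for this thread, not code from the post or from Samba itself.
The only rule it encodes is the one in the post's own config comment: the
'*' range and the domain ranges may not overlap, and a mapped ID should lie
in the range configured for its own domain.
"""
import re
from itertools import combinations

# Constructed sample: the idmap layout proposed in the post.
SAMPLE_SMB_CONF = """
[global]
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config NTDOMAIN : backend = ad
    idmap config NTDOMAIN : schema_mode = rfc2307
    idmap config NTDOMAIN : range = 10000-2999999
    idmap config BUILTIN : backend = ad
    idmap config BUILTIN : schema_mode = rfc2307
    idmap config BUILTIN : range = 3000000-3999999
"""

# Constructed sample: the 'getent group' lines quoted in the post.
SAMPLE_GETENT_GROUP = r"""
NTDOMAIN\enterprise read-only domain controllers:x:3000202:
NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
NTDOMAIN\domain users:x:10000:
NTDOMAIN\domain guests:x:10002:
NTDOMAIN\domain computers:x:10006:
NTDOMAIN\domain controllers:x:3000018:
NTDOMAIN\read-only domain controllers:x:3000203:
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
BUILTIN\guests:x:3000015:
BUILTIN\account operators:x:3000185:
BUILTIN\server operators:x:3000001:
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
GETENT_RE = re.compile(r"^(?P<dom>[^\\:]+)\\(?P<name>[^:]+):x:(?P<gid>\d+):(?P<members>.*)$")


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(domain, {})[option] = value
    return cfg


def parse_range(value):
    """Turn 'LOW-HIGH' into (low, high); raise ValueError if malformed."""
    low, high = (int(part) for part in value.split("-"))
    if low > high:
        raise ValueError("range low > high")
    return low, high


def check_idmap(conf_text):
    """Return a list of problem descriptions; an empty list means the ranges are consistent."""
    problems, ranges = [], {}
    cfg = parse_idmap(conf_text)
    if "*" not in cfg:
        problems.append("no 'idmap config *' default block")
    for domain, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{domain}: no range configured")
            continue
        try:
            ranges[domain] = parse_range(opts["range"])
        except ValueError:
            problems.append(f"{domain}: malformed range {opts['range']!r}")
    # Two closed intervals overlap when each one starts before the other ends.
    for (d1, (a1, b1)), (d2, (a2, b2)) in combinations(sorted(ranges.items()), 2):
        if a1 <= b2 and a2 <= b1:
            problems.append(f"{d1} range {a1}-{b1} overlaps {d2} range {a2}-{b2}")
    return problems


def check_getent_group(getent_text, conf_text):
    """Return (DOMAIN\\group, gid, owner) for each group whose GID is outside its own
    domain's range; owner is the domain whose range the GID does fall in, or None."""
    ranges = {d: parse_range(o["range"]) for d, o in parse_idmap(conf_text).items() if "range" in o}
    mismatches = []
    for line in getent_text.splitlines():
        m = GETENT_RE.match(line.strip())
        if not m:
            continue
        dom, gid = m.group("dom").upper(), int(m.group("gid"))
        owner = next((d for d, (lo, hi) in ranges.items() if lo <= gid <= hi), None)
        if owner != dom:
            mismatches.append((f"{m.group('dom')}\\{m.group('name')}", gid, owner))
    return mismatches


if __name__ == "__main__":
    for p in check_idmap(SAMPLE_SMB_CONF) or ["idmap ranges: OK"]:
        print(p)
    for group, gid, owner in check_getent_group(SAMPLE_GETENT_GROUP, SAMPLE_SMB_CONF):
        print(f"{group} has gid {gid}, which lies in the {owner} range")
```

Run against the post's own listing, the range check passes, and the getent check reports exactly the three NTDOMAIN groups (domain controllers, read-only domain controllers, enterprise read-only domain controllers) whose 3000xxx GIDs sit in the range that the proposed config gives to BUILTIN, which is the "incorrect mapping" the post describes. To use it on a real host, replace the two constructed samples with the contents of smb.conf and the output of `getent group`.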



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of mj
> Sent: Wednesday, June 22, 2016 13:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
> 
> 
> 
> On 06/22/2016 01:44 PM, mj wrote:
> >
> > And then perhaps we also need to set the idmap ranges on the DCs? I
> > thought they were only for the domain member servers...
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> 
> :-)
> 