[Samba] Rights issue on GPO

lingpanda101 at gmail.com
Wed Jun 22 12:44:18 UTC 2016


On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:
> And don't forget:
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> I also noticed an incorrect mapping, which "looks" like rights issues like in the thread here. (It is imo not a rights issue.) Read on...
>
> NTDOMAIN\enterprise read-only domain controllers:x:3000202:
> NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
> NTDOMAIN\domain users:x:10000:
> NTDOMAIN\domain guests:x:10002:
> NTDOMAIN\domain computers:x:10006:
> NTDOMAIN\domain controllers:x:3000018:
> NTDOMAIN\read-only domain controllers:x:3000203:
>
> Is conflicting with
> BUILTIN\administrators:x:3000000:
> BUILTIN\users:x:3000009:
> BUILTIN\guests:x:3000015:
> BUILTIN\account operators:x:3000185:
> BUILTIN\server operators:x:3000001:
>
> Which results in some incorrect mappings.
>
> But if you add: acl_xattr:ignore system acls = yes  to the Sysvol share.
>   !!  AND you're using the DCs only as DCs. !!
>
> Then this incorrect mapping can be ignored, at least I'm ignoring it,
> since everything is tested and works fine.
>
> But I'm thinking of setting a separate range for BUILTIN.
>
> A setup something like:
>
>          idmap_ldb:use rfc2307 = yes
>
>          ## map ids outside the domain to tdb files.
>          ## used for local (Linux only) users
>          idmap config * : backend = tdb
>          idmap config * : range = 2000-9999
>
>          ## map ids from the domain; this range and the (*) range may not overlap!
>          ## the NTDOMAIN range id mappings
>          idmap config NTDOMAIN : backend = ad
>          idmap config NTDOMAIN : schema_mode = rfc2307
>          idmap config NTDOMAIN : range = 10000-2999999
>
>          ## map ids from BUILTIN (LOCAL SYSTEM)
>          ##
>          idmap config BUILTIN : backend = ad
>          idmap config BUILTIN : schema_mode = rfc2307
>          idmap config BUILTIN : range = 3000000-3999999
>
> Sometimes, if you see from within Windows security rights like:
> NTDOMAIN\administrators
> which should be
> BUILTIN\administrators
>
> Anyone have any suggestion about setting an extra BUILTIN range for the Local Computer/System?
>
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
>> Sent: Wednesday, 22 June 2016 13:59
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Rights issue on GPO
>>
>>
>>
>> On 06/22/2016 01:44 PM, mj wrote:
>>> And then perhaps we also need to set the idmap ranges on the DCs? I
>>> thought they were only for the domain member servers...
>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>
>> :-)
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>

Why is it that when I do a getfacl I do not see the mapping of BUILTIN like 
the others?

getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

-- 
-James
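Added example, not from the thread or from Samba: a small Python checker for the idmap layout discussed above. It reads the "idmap config X : range" lines from an smb.conf fragment modelled on Louis's proposal (with BUILTIN spelled correctly), confirms the ranges are disjoint, and flags group entries whose numeric id sits in a range configured for a different domain, which is the kind of incorrect mapping Louis describes; the same lookup tells you which configured range the unresolved ids in James's getfacl output (3000000 to 3000003) fall into. Both the config fragment and the group lines are constructed samples, and note that on an AD DC the actual allocations live in idmap.ldb, so this only checks the configured text.

```python
import re

# Constructed sample modelled on the idmap block Louis proposes above
# (spelling normalised to BUILTIN).
SMB_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config NTDOMAIN : backend = ad
    idmap config NTDOMAIN : range = 10000-2999999
    idmap config BUILTIN : backend = ad
    idmap config BUILTIN : range = 3000000-3999999
"""

# Constructed sample in the 'getent group' format quoted in the thread.
GROUP_LINES = """\
NTDOMAIN\\domain admins:x:10001:NTDOMAIN\\administrator
NTDOMAIN\\domain users:x:10000:
NTDOMAIN\\domain controllers:x:3000018:
BUILTIN\\administrators:x:3000000:
BUILTIN\\users:x:3000009:
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def parse_ranges(conf):
    """Map each idmap domain named in an 'idmap config X : range' line to (low, high)."""
    return {m[1].upper(): (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(conf)}

def overlapping(ranges):
    """Pairs of idmap domains whose ranges intersect; Samba requires disjoint ranges."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def domain_for(xid, ranges):
    """Name of the idmap domain whose range contains the numeric id, or None."""
    return next((d for d, (lo, hi) in ranges.items() if lo <= xid <= hi), None)

def misplaced_groups(group_lines, ranges):
    """(name, gid) of groups whose gid falls in a range configured for another domain."""
    bad = []
    for line in group_lines.splitlines():
        name, _, gid, _ = line.split(":", 3)
        dom = name.split("\\", 1)[0].upper()
        if domain_for(int(gid), ranges) != dom:
            bad.append((name, int(gid)))
    return bad
```

With the sample config, misplaced_groups() reports only NTDOMAIN\domain controllers (gid 3000018 lies in the BUILTIN range), and domain_for(3000000, ...) answers BUILTIN for the first id in James's listing.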



