[Samba] Rights issue on GPO

Rowland penny rpenny at samba.org
Wed Jun 22 12:51:27 UTC 2016


On 22/06/16 13:44, lingpanda101 at gmail.com wrote:
> On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:
>> And don't forget:
>> https://wiki.samba.org/index.php/Idmap_config_ad
>>
>> I also noticed an incorrect mapping, which "looks" like rights 
>> issues like in the thread here (it is imo not a rights issue). Read 
>> on..
>>
>> NTDOMAIN\enterprise read-only domain controllers:x:3000202:
>> NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
>> NTDOMAIN\domain users:x:10000:
>> NTDOMAIN\domain guests:x:10002:
>> NTDOMAIN\domain computers:x:10006:
>> NTDOMAIN\domain controllers:x:3000018:
>> NTDOMAIN\read-only domain controllers:x:3000203:
>>
>> Is conflicting with
>> BUILTIN\administrators:x:3000000:
>> BUILTIN\users:x:3000009:
>> BUILTIN\guests:x:3000015:
>> BUILTIN\account operators:x:3000185:
>> BUILTIN\server operators:x:3000001:
>>
>> Which results in some incorrect mappings.
>>
>> But if you add :     acl_xattr:ignore system acls = yes  to the 
>> Sysvol share.
>>   !!  AND you're using the DC's only as DC's. !!
>>
>> Then this incorrect mapping can be ignored, at least I'm ignoring it,
>> since everything is tested and works fine.
>>
>> But I'm thinking of setting a separate range for the BUILDIN
>>
>> A setup something like :
>>
>>          idmap_ldb:use rfc2307 = yes
>>
>>          ## map id's outside to domain to tdb files.
>>          ## use for local (linux only ) users
>>          idmap config * : backend = tdb
>>          idmap config * : range = 2000-9999
>>
>>          ## map ids from the domain and (*) the range may not overlap !
>>          ## the NTDOMAIN range id mappings
>>          idmap config NTDOMAIN : backend = ad
>>          idmap config NTDOMAIN : schema_mode = rfc2307
>>          idmap config NTDOMAIN : range = 10000-2999999
>>
>>       ## map ids from BUILDIN ( LOCAL SYSTEM )
>>       ##
>>          idmap config BUILDIN : backend = ad
>>          idmap config BUILDIN : schema_mode = rfc2307
>>          idmap config BUILDIN : range = 3000000-3999999
>>
>> Sometimes, and if you see from within windows security rights like :
>> NTDOMAIN\administrators
>> Which should be
>> BUILDIN\administrators
>>
>> Anyone have any suggestion about setting an extra BUILDIN range for the 
>> Local Computer/System?
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
>>> Sent: Wednesday 22 June 2016 13:59
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Rights issue on GPO
>>>
>>>
>>>
>>> On 06/22/2016 01:44 PM, mj wrote:
>>>> And then perhaps we also need to set the idmap ranges on the DCs? I
>>>> thought they were only for the domain member servers...
>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>
>>> :-)
>>>
>>
>>
>
> Why is it when I do a getfacl I do not see the mapping of BUILTIN like 
> others?
>
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>

What version of Samba is this?

Rowland
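Two things in the quoted messages lend themselves to a quick automated check: Louis's note that the idmap ranges "may not overlap", and James's getfacl output where the BUILTIN entries show up only as bare numeric IDs (3000000-3000003). The script below is an added example, not code from the thread or from the Samba project. It parses `idmap config ... : range` lines from an smb.conf excerpt, reports any overlapping ranges, pulls the unresolved numeric IDs out of getfacl output, and says which configured idmap domain owns each ID. The smb.conf and getfacl text are constructed from the values quoted above (the "BUILDIN" spelling is kept as Louis wrote it); the function names are my own.

```python
"""Added example (not part of the thread): validate Samba idmap ranges and
classify bare numeric IDs from getfacl output into the idmap domain that
owns their range. All sample input below is constructed from the thread."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf excerpt, built from the idmap settings Louis proposed.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config NTDOMAIN : backend = ad
idmap config NTDOMAIN : schema_mode = rfc2307
idmap config NTDOMAIN : range = 10000-2999999
idmap config BUILDIN : backend = ad
idmap config BUILDIN : range = 3000000-3999999
"""

# Constructed getfacl excerpt (a subset of the lines James posted).
GETFACL_OUTPUT = """\
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group:3000002:rwx
default:group:3000003:r-x
"""

# Matches "idmap config <domain> : <key> = <value>", domain may be "*".
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
# Matches ACL entries that name a principal by number instead of by name.
ACL_ID_RE = re.compile(r"^(?:default:)?(user|group):(\d+):")


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {line.strip()}")
            ranges[m.group(1)] = (low, high)
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose ID ranges intersect; idmap needs none."""
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


def numeric_acl_ids(getfacl_text: str) -> List[int]:
    """Collect IDs that getfacl could not resolve to a passwd/group name."""
    ids = set()
    for line in getfacl_text.splitlines():
        m = ACL_ID_RE.match(line)
        if m:
            ids.add(int(m.group(2)))
        elif line.startswith("# owner:") or line.startswith("# group:"):
            value = line.split(":", 1)[1].strip()
            if value.isdigit():
                ids.add(int(value))
    return sorted(ids)


def classify_ids(ids: List[int], ranges: Dict[str, Tuple[int, int]]) -> Dict[int, Optional[str]]:
    """Map each numeric ID to the idmap domain whose range contains it (None if unowned)."""
    result: Dict[int, Optional[str]] = {}
    for uid in ids:
        result[uid] = next((dom for dom, (lo, hi) in ranges.items() if lo <= uid <= hi), None)
    return result


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("ranges:", ranges)
    print("overlapping ranges:", find_overlaps(ranges) or "none")
    for uid, owner in classify_ids(numeric_acl_ids(GETFACL_OUTPUT), ranges).items():
        print(f"ID {uid}: owned by idmap domain {owner!r}")
```

An ID that classifies as `None` sits outside every configured range and so cannot have been handed out by any of these backends; an ID that classifies into a range but still prints numerically in getfacl simply means nsswitch/winbind on that host is not resolving it to a name, which is the symptom James is asking about rather than a permissions problem on the files.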
