[Samba] Rights issue on GPO

lingpanda101 at gmail.com lingpanda101 at gmail.com
Wed Jun 22 13:08:44 UTC 2016


On 6/22/2016 8:51 AM, Rowland penny wrote:
> On 22/06/16 13:44, lingpanda101 at gmail.com wrote:
>> On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:
>>> And don't forget:
>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>
>>> I also noticed an incorrect mapping, which "looks" like a rights 
>>> issue like in the thread here (it is IMO not a rights issue); 
>>> read on.
>>>
>>> NTDOMAIN\enterprise read-only domain controllers:x:3000202:
>>> NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
>>> NTDOMAIN\domain users:x:10000:
>>> NTDOMAIN\domain guests:x:10002:
>>> NTDOMAIN\domain computers:x:10006:
>>> NTDOMAIN\domain controllers:x:3000018:
>>> NTDOMAIN\read-only domain controllers:x:3000203:
>>>
>>> Is conflicting with
>>> BUILTIN\administrators:x:3000000:
>>> BUILTIN\users:x:3000009:
>>> BUILTIN\guests:x:3000015:
>>> BUILTIN\account operators:x:3000185:
>>> BUILTIN\server operators:x:3000001:
>>>
>>> Which results in some incorrect mappings.
>>>
>>> But if you add:     acl_xattr:ignore system acls = yes  to the 
>>> Sysvol share,
>>>   !! AND you're using the DCs only as DCs !!
>>>
>>> then this incorrect mapping can be ignored; at least I'm ignoring it,
>>> since everything is tested and works fine.
>>>
>>> But I'm thinking of setting a separate range for BUILTIN.
>>>
>>> A setup something like:
>>>
>>>          idmap_ldb:use rfc2307 = yes
>>>
>>>          ## map IDs from outside the domain to tdb files.
>>>          ## used for local (Linux only) users
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 2000-9999
>>>
>>>          ## map IDs from the domain; this range and the (*) range may not overlap!
>>>          ## the NTDOMAIN range ID mappings
>>>          idmap config NTDOMAIN : backend = ad
>>>          idmap config NTDOMAIN : schema_mode = rfc2307
>>>          idmap config NTDOMAIN : range = 10000-2999999
>>>
>>>          ## map IDs from BUILTIN (LOCAL SYSTEM)
>>>          ##
>>>          idmap config BUILTIN : backend = ad
>>>          idmap config BUILTIN : schema_mode = rfc2307
>>>          idmap config BUILTIN : range = 3000000-3999999
>>>
>>> Sometimes you also see, from within Windows, security rights like:
>>> NTDOMAIN\administrators
>>> which should be
>>> BUILTIN\administrators
>>>
>>> Does anyone have a suggestion about setting an extra BUILTIN range for the 
>>> Local Computer/System?
>>>
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
>>>> Sent: Wednesday 22 June 2016 13:59
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Rights issue on GPO
>>>>
>>>>
>>>>
>>>> On 06/22/2016 01:44 PM, mj wrote:
>>>>> And then perhaps we also need to set the idmap ranges on the DCs? I
>>>>> thought they were only for the domain member servers...
>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>>
>>>> :-)
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>> Why is it that when I do a getfacl I do not see the mapping of BUILTIN 
>> like others?
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: usr/local/samba/var/locks/sysvol/
>> # owner: root
>> # group: 3000000
>> user::rwx
>> user:root:rwx
>> user:3000000:rwx
>> user:3000001:r-x
>> user:3000002:rwx
>> user:3000003:r-x
>> group::rwx
>> group:3000000:rwx
>> group:3000001:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000000:rwx
>> default:user:3000001:r-x
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>
> What version of Samba is this ?
>
> Rowland
>
>

samba -V
Version 4.4.4


-- 
-James
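The range bookkeeping Louis describes above (the idmap ranges of different domains must not overlap, and a bare number such as the 3000000 in James's getfacl listing should fall inside exactly one configured range) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from the Samba project: the smb.conf fragment is constructed from Louis's proposed configuration, the getfacl lines are constructed from James's listing, and the function names are my own. On a real server you would feed it `testparm -s` output and the actual `getfacl` listing instead of the embedded strings.

```shell
#!/bin/sh
# Added example, not from the thread: check that the idmap ranges in an
# smb.conf fragment do not overlap, and map the numeric IDs in a getfacl
# listing to the range they fall in. SMB_CONF is constructed from Louis's
# proposed config and GETFACL_OUT from James's listing; both are embedded
# so the script runs offline.

SMB_CONF='
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config NTDOMAIN : backend = ad
        idmap config NTDOMAIN : schema_mode = rfc2307
        idmap config NTDOMAIN : range = 10000-2999999
        idmap config BUILTIN : backend = ad
        idmap config BUILTIN : schema_mode = rfc2307
        idmap config BUILTIN : range = 3000000-3999999
'

GETFACL_OUT='# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
default:user:3000002:rwx
mask::rwx
other::---'

# idmap_ranges CONF: print "DOMAIN LOW HIGH" for each
# "idmap config DOMAIN : range = LOW-HIGH" line in CONF.
idmap_ranges() {
    printf '%s\n' "$1" | awk -F'[:=]' '
        /idmap config .*:[[:space:]]*range[[:space:]]*=/ {
            dom = $1
            sub(/^[[:space:]]*idmap config[[:space:]]*/, "", dom)
            sub(/[[:space:]]*$/, "", dom)
            rng = $3
            gsub(/[[:space:]]/, "", rng)
            split(rng, r, "-")
            print dom, r[1], r[2]
        }'
}

# check_overlap CONF: exit 0 when every pair of ranges is disjoint; otherwise
# print each overlapping pair and exit 1. Disjoint ranges are what lets a
# numeric ID be mapped back to exactly one domain.
check_overlap() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# range_for_id CONF ID: print the domain whose range contains ID, or "unmapped".
range_for_id() {
    idmap_ranges "$1" | awk -v id="$2" '
        id + 0 >= $2 + 0 && id + 0 <= $3 + 0 { print $1; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# numeric_acl_ids LISTING: distinct numeric user/group IDs named in a getfacl
# listing (entries like user:3000000:rwx or default:group:3000001:r-x).
numeric_acl_ids() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "user" || $1 == "group" || $1 == "default" {
            n = ($1 == "default") ? $3 : $2
            if (n ~ /^[0-9]+$/) seen[n] = 1
        }
        END { for (n in seen) print n }' | sort -n
}

# acl_report CONF LISTING: one "ID DOMAIN" line per numeric ACL entry.
acl_report() {
    for id in $(numeric_acl_ids "$2"); do
        printf '%s %s\n' "$id" "$(range_for_id "$1" "$id")"
    done
}

check_overlap "$SMB_CONF" && echo "idmap ranges are disjoint"
acl_report "$SMB_CONF" "$GETFACL_OUT"
```

check_overlap returns non-zero and names the offending pair when two domains share IDs; range_for_id answers the first question to ask when getfacl shows a bare number, namely which domain's range it belongs to. Resolving that number to a SID (`wbinfo --gid-to-sid 3000000` on the DC) is the next step, which this offline script does not attempt.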



