[Samba] Rights issue on GPO

mathias dufresne infractory at gmail.com
Wed Jun 22 13:30:57 UTC 2016


@LPH van Belle
I did try (and still use) "acl_xattr:ignore system acls = yes" as shown
in the first mail of that thread. And even using that, rights errors on GPO
files _are_ an issue. Otherwise that thread wouldn't have been opened, of
course : )

How we decided to work around that almost definitively was to give every
user and group in AD some xID, including those in CN=Builtin and
CN=Users. We also cleaned our idmap.ldb to keep inside only special users /
groups (such as "local system" / S-1-5-18, "guests" / S-1-5-32-546...).
We also added some rsync to keep idmap.ldb synchronized on all our DCs, so
that these special items have the same mapped xID in case they are used (and
so mapped).

Doing that, the ID mapper has no reason to define by itself some xID for
users and groups contained in AD, as they already have some xID.

Until now it seems to work fine...


2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:

> On 6/22/2016 8:53 AM, mj wrote:
>
>>
>>
>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>
>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>>> others?
>>>
>>
>> do you have winbind in /etc/nsswitch.conf?
>>
>> mj
>>
>>
> I also thought winbind was only necessary on member servers.
>
> --
> -James
>
>
>
>
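
A consistency check for the idmap.ldb synchronization described in the message above, added here as an example and not taken from the thread or from Samba: it parses the LDIF that ldbsearch prints for idmap.ldb and reports SIDs whose mapped xID differs between two DCs. The record layout, the helper names and all sample values are assumptions constructed for illustration.

```python
# Added example, not code from the thread: compare SID -> xID mappings taken
# from idmap.ldb on two DCs. All records below are constructed sample data.

def sample_record(sid, xid, kind="ID_TYPE_BOTH"):
    """Build one constructed sidMap record in the LDIF layout ldbsearch prints."""
    return (f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\n"
            f"objectSid: {sid}\ntype: {kind}\nxidNumber: {xid}\n\n")

# CN=CONFIG carries the allocator bounds and counter, not a SID mapping.
CONFIG = "dn: CN=CONFIG\nlowerBound: 3000000\nupperBound: 4000000\nxidNumber: 3000010\n\n"

DC1_LDIF = (sample_record("S-1-5-18", 3000002)
            + sample_record("S-1-5-32-546", 3000005) + CONFIG)
DC2_LDIF = (sample_record("S-1-5-18", 3000002)
            + sample_record("S-1-5-32-546", 3000007)
            + sample_record("S-1-5-32-544", 3000000) + CONFIG)


def parse_idmap(ldif):
    """Return {sid: (type, xid)} for every sidMap record in the LDIF text."""
    mappings = {}
    for block in ldif.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip "# record N" comments and malformed lines
            key, value = line.split(": ", 1)
            attrs[key] = value
        if attrs.get("objectClass") == "sidMap" and "objectSid" in attrs:
            mappings[attrs["objectSid"]] = (attrs.get("type"), int(attrs["xidNumber"]))
    return mappings


def compare(a, b):
    """Return (mismatched, only_in_a, only_in_b) for two parsed DC mappings."""
    mismatched = {s: (a[s], b[s]) for s in a.keys() & b.keys() if a[s] != b[s]}
    return mismatched, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


if __name__ == "__main__":
    diff, only1, only2 = compare(parse_idmap(DC1_LDIF), parse_idmap(DC2_LDIF))
    for sid, (m1, m2) in sorted(diff.items()):
        print(f"MISMATCH {sid}: DC1={m1} DC2={m2}")
    for sid in only1:
        print(f"ONLY ON DC1 {sid}")
    for sid in only2:
        print(f"ONLY ON DC2 {sid}")
```

A mismatch means the same POSIX ACL entry on a synchronized GPO file resolves to a different principal depending on which DC serves it.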

