[Samba] Rights issue on GPO

lingpanda101 at gmail.com lingpanda101 at gmail.com
Wed Jun 22 13:36:51 UTC 2016


On 6/22/2016 9:27 AM, L.P.H. van Belle wrote:
> And what i dont see,, what is your "current" smb.conf ?
>
> Greetz.
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> lingpanda101 at gmail.com
>> Sent: Wednesday 22 June 2016 15:09
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Rights issue on GPO
>>
>> On 6/22/2016 8:51 AM, Rowland penny wrote:
>>> On 22/06/16 13:44, lingpanda101 at gmail.com wrote:
>>>> On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:
>>>>> And don't forget:
>>>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>>>
>>>>> I also noticed an incorrect mapping, which "looks" like rights
>>>>> issues like in the thread here. ( it is imo not a rights issue.. )
>>>>> read on..
>>>>>
>>>>> NTDOMAIN\enterprise read-only domain controllers:x:3000202:
>>>>> NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
>>>>> NTDOMAIN\domain users:x:10000:
>>>>> NTDOMAIN\domain guests:x:10002:
>>>>> NTDOMAIN\domain computers:x:10006:
>>>>> NTDOMAIN\domain controllers:x:3000018:
>>>>> NTDOMAIN\read-only domain controllers:x:3000203:
>>>>>
>>>>> Is conflicting with
>>>>> BUILTIN\administrators:x:3000000:
>>>>> BUILTIN\users:x:3000009:
>>>>> BUILTIN\guests:x:3000015:
>>>>> BUILTIN\account operators:x:3000185:
>>>>> BUILTIN\server operators:x:3000001:
>>>>>
>>>>> Which results in some incorrect mappings.
>>>>>
>>>>> But if you add :     acl_xattr:ignore system acls = yes  to the
>>>>> Sysvol share.
>>>>>    !!  AND you're using the DCs only as DCs. !!
>>>>>
>>>>> Then this incorrect mapping can be ignored, at least I'm ignoring it,
>>>>> since everything is tested and works fine.
>>>>>
>>>>> But I'm thinking of setting a separate range for BUILTIN
>>>>>
>>>>> A setup something like :
>>>>>
>>>>>           idmap_ldb:use rfc2307 = yes
>>>>>
>>>>>           ## map id's outside to domain to tdb files.
>>>>>           ## use for local (linux only ) users
>>>>>           idmap config * : backend = tdb
>>>>>           idmap config * : range = 2000-9999
>>>>>
>>>>>           ## map ids from the domain and (*) the range may not overlap !
>>>>>           ## the NTDOMAIN range id mappings
>>>>>           idmap config NTDOMAIN : backend = ad
>>>>>           idmap config NTDOMAIN : schema_mode = rfc2307
>>>>>           idmap config NTDOMAIN : range = 10000-2999999
>>>>>
>>>>>        ## map ids from BUILTIN ( LOCAL SYSTEM )
>>>>>        ##
>>>>>           idmap config BUILTIN : backend = ad
>>>>>           idmap config BUILTIN : schema_mode = rfc2307
>>>>>           idmap config BUILTIN : range = 3000000-3999999
>>>>>
>>>>> Sometimes, if you see from within Windows security rights like :
>>>>> NTDOMAIN\administrators
>>>>> Which should be
>>>>> BUILTIN\administrators
>>>>>
>>>>> Does anyone have any suggestion about setting an extra BUILTIN range for the
>>>>> Local Computer/System?
>>>>>
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
>>>>>> Sent: Wednesday 22 June 2016 13:59
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Rights issue on GPO
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 06/22/2016 01:44 PM, mj wrote:
>>>>>>> And then perhaps we also need to set the idmap ranges on the DCs? I
>>>>>>> thought they were only for the domain member servers...
>>>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>>>>
>>>>>> :-)
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN
>>>> like others?
>>>>
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: usr/local/samba/var/locks/sysvol/
>>>> # owner: root
>>>> # group: 3000000
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000000:rwx
>>>> user:3000001:r-x
>>>> user:3000002:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:r-x
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000000:rwx
>>>> default:user:3000001:r-x
>>>> default:user:3000002:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:r-x
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>> What version of Samba is this ?
>>>
>>> Rowland
>>>
>>>
>> samba -V
>> Version 4.4.4
>>
>>
>> --
>> -James
>>
>>
>
>

@Louis as you can see pretty basic. This is the same across all DCs in 
the forest.

# Global parameters
[global]
         workgroup = DOMAIN
         realm = DOMAIN.LOCAL
         netbios name = PFDC1
         server role = active directory domain controller
         dns forwarder = 8.8.8.8
         idmap_ldb:use rfc2307 = Yes

         log file = /usr/local/samba/var/log.samba
         logging = syslog at 2 file
         debug uid = Yes
         debug pid = Yes

         allow dns updates = nonsecure

         load printers = No
         printcap name = /dev/null
         disable spoolss = Yes

         ldap server require strong auth = no
         tls verify peer = ca_and_name

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No

-- 
-James
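The two checks the thread turns on can be scripted: that the idmap ranges for `*`, the domain and BUILTIN do not overlap (Louis's "the range may not overlap !"), and that the raw numeric IDs left in the sysvol getfacl listing actually fall inside a configured range instead of resolving to nothing. The following is an added example written for this page, not code from the thread or from the Samba project. It assumes the builtin domain is spelled BUILTIN (the thread writes BUILDIN), that smb.conf uses the `idmap config DOMAIN : range = low-high` form quoted above, and that the checker only reads text (it does not query winbind or idmap.ldb); the sample config and getfacl excerpt are constructed from the thread's listings.

```python
import re

# Constructed smb.conf fragment, modelled on the layout proposed in the thread
# (the builtin domain is spelled BUILTIN here; the thread writes BUILDIN).
SAMPLE_SMB_CONF = """\
[global]
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config NTDOMAIN : backend = ad
        idmap config NTDOMAIN : schema_mode = rfc2307
        idmap config NTDOMAIN : range = 10000-2999999
        idmap config BUILTIN : backend = ad
        idmap config BUILTIN : schema_mode = rfc2307
        idmap config BUILTIN : range = 3000000-3999999
"""

# Constructed getfacl excerpt, shaped like the sysvol listing in the thread:
# the ACL entries carry raw IDs in the 3000000 range that nothing resolved.
SAMPLE_GETFACL = """\
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group:3000000:rwx
group:3000002:rwx
mask::rwx
other::---
default:user:3000003:r-x
"""

# One 'idmap config <domain> : range = <low>-<high>' line, whitespace-tolerant.
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

# Access or default ACL entry whose principal is a raw (unresolved) uid/gid.
ACL_RE = re.compile(r"^(?:default:)?(user|group):(\d+):")


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each idmap range in the config text."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue
        dom, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if lo > hi:
            raise ValueError(f"idmap range for {dom} is inverted: {lo}-{hi}")
        ranges[dom] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return sorted (domA, domB) pairs whose ranges intersect.

    Overlapping ranges are what produces the wrong NTDOMAIN/BUILTIN
    mappings described in the thread, so a non-empty result is a misconfig.
    """
    doms = sorted(ranges)
    overlaps = []
    for i, a in enumerate(doms):
        lo_a, hi_a = ranges[a]
        for b in doms[i + 1:]:
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:   # closed intervals intersect
                overlaps.append((a, b))
    return overlaps


def classify_acl_ids(acl_text, ranges):
    """Map each raw numeric uid/gid in getfacl output to the idmap domain
    whose range contains it, or to 'UNMAPPED' when no configured range does."""
    result = {}
    for line in acl_text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        xid = int(m.group(2))
        result[xid] = next(
            (dom for dom, (lo, hi) in ranges.items() if lo <= xid <= hi),
            "UNMAPPED")
    return result


if __name__ == "__main__":
    rng = parse_idmap_ranges(SAMPLE_SMB_CONF)
    print("ranges:", rng)
    print("overlaps:", find_overlaps(rng) or "none")
    for xid, dom in sorted(classify_acl_ids(SAMPLE_GETFACL, rng).items()):
        print(f"{xid}: {dom}")
```

Run against a real smb.conf and a `getfacl` capture of the sysvol tree, an empty overlap list plus no `UNMAPPED` entries is the state to aim for; IDs reported as `UNMAPPED` are exactly the ones that show up as bare numbers in the listing James posted, because no range claims them.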



