[Samba] Rights issue on GPO

L.P.H. van Belle belle at bazuin.nl
Wed Jun 22 14:27:34 UTC 2016


>> https://wiki.samba.org/index.php/Idmap_config_ad 

Don't we need the idmap config in the smb.conf also, or is the above not used anymore? If so, we must change the wiki.



Gr.

Louis






> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> lingpanda101 at gmail.com
> Sent: Wednesday 22 June 2016 15:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
> 
> On 6/22/2016 9:27 AM, L.P.H. van Belle wrote:
> > And what I don't see: what is your "current" smb.conf?
> >
> > Greetz.
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> lingpanda101 at gmail.com
> >> Sent: Wednesday 22 June 2016 15:09
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Rights issue on GPO
> >>
> >> On 6/22/2016 8:51 AM, Rowland penny wrote:
> >>> On 22/06/16 13:44, lingpanda101 at gmail.com wrote:
> >>>> On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:
> >>>>> And don't forget:
> >>>>> https://wiki.samba.org/index.php/Idmap_config_ad
> >>>>>
> >>>>> I also noticed an incorrect mapping, which "looks" like the rights
> >>>>> issues in the thread here. (It is IMO not a rights issue..)
> >>>>> Read on..
> >>>>>
> >>>>> NTDOMAIN\enterprise read-only domain controllers:x:3000202:
> >>>>> NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
> >>>>> NTDOMAIN\domain users:x:10000:
> >>>>> NTDOMAIN\domain guests:x:10002:
> >>>>> NTDOMAIN\domain computers:x:10006:
> >>>>> NTDOMAIN\domain controllers:x:3000018:
> >>>>> NTDOMAIN\read-only domain controllers:x:3000203:
> >>>>>
> >>>>> Is conflicting with
> >>>>> BUILTIN\administrators:x:3000000:
> >>>>> BUILTIN\users:x:3000009:
> >>>>> BUILTIN\guests:x:3000015:
> >>>>> BUILTIN\account operators:x:3000185:
> >>>>> BUILTIN\server operators:x:3000001:
> >>>>>
> >>>>> Which results in some incorrect mappings.
> >>>>>
> >>>>> But if you add:     acl_xattr:ignore system acls = yes  to the
> >>>>> Sysvol share.
> >>>>>    !!  AND you're using the DCs only as DCs. !!
> >>>>>
> >>>>> Then this incorrect mapping can be ignored; at least I'm ignoring it,
> >>>>> since everything is tested and works fine.
> >>>>>
> >>>>> But I'm thinking of setting a separate range for the BUILTIN
> >>>>>
> >>>>> A setup something like:
> >>>>>
> >>>>>           idmap_ldb:use rfc2307 = yes
> >>>>>
> >>>>>           ## map ids outside the domain to tdb files.
> >>>>>           ## used for local (linux only) users
> >>>>>           idmap config * : backend = tdb
> >>>>>           idmap config * : range = 2000-9999
> >>>>>
> >>>>>           ## map ids from the domain; the (*) range may not overlap!
> >>>>>           ## the NTDOMAIN range id mappings
> >>>>>           idmap config NTDOMAIN : backend = ad
> >>>>>           idmap config NTDOMAIN : schema_mode = rfc2307
> >>>>>           idmap config NTDOMAIN : range = 10000-2999999
> >>>>>
> >>>>>           ## map ids from BUILTIN ( LOCAL SYSTEM )
> >>>>>           ##
> >>>>>           idmap config BUILTIN : backend = ad
> >>>>>           idmap config BUILTIN : schema_mode = rfc2307
> >>>>>           idmap config BUILTIN : range = 3000000-3999999
> >>>>>
> >>>>> Sometimes, and if you see from within Windows, security rights like:
> >>>>> NTDOMAIN\administrators
> >>>>> Which should be
> >>>>> BUILTIN\administrators
> >>>>>
> >>>>> Anyone any suggestion about setting an extra BUILTIN range for the
> >>>>> Local Computer/System?
> >>>>>
> >>>>>
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>
> >>>>>
> >>>>>> -----Original message-----
> >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
> >>>>>> Sent: Wednesday 22 June 2016 13:59
> >>>>>> To: samba at lists.samba.org
> >>>>>> Subject: Re: [Samba] Rights issue on GPO
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 06/22/2016 01:44 PM, mj wrote:
> >>>>>>> And then perhaps we also need to set the idmap ranges on the DCs?
> >>>>>>> I thought they were only for the domain member servers...
> >>>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> >>>>>>
> >>>>>> :-)
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>
> >>>> Why is it that when I do a getfacl I do not see the mapping of BUILTIN
> >>>> like the others?
> >>>>
> >>>> getfacl: Removing leading '/' from absolute path names
> >>>> # file: usr/local/samba/var/locks/sysvol/
> >>>> # owner: root
> >>>> # group: 3000000
> >>>> user::rwx
> >>>> user:root:rwx
> >>>> user:3000000:rwx
> >>>> user:3000001:r-x
> >>>> user:3000002:rwx
> >>>> user:3000003:r-x
> >>>> group::rwx
> >>>> group:3000000:rwx
> >>>> group:3000001:r-x
> >>>> group:3000002:rwx
> >>>> group:3000003:r-x
> >>>> mask::rwx
> >>>> other::---
> >>>> default:user::rwx
> >>>> default:user:root:rwx
> >>>> default:user:3000000:rwx
> >>>> default:user:3000001:r-x
> >>>> default:user:3000002:rwx
> >>>> default:user:3000003:r-x
> >>>> default:group::---
> >>>> default:group:3000000:rwx
> >>>> default:group:3000001:r-x
> >>>> default:group:3000002:rwx
> >>>> default:group:3000003:r-x
> >>>> default:mask::rwx
> >>>> default:other::---
> >>>>
> >>> What version of Samba is this?
> >>>
> >>> Rowland
> >>>
> >>>
> >> samba -V
> >> Version 4.4.4
> >>
> >>
> >> --
> >> -James
> >>
> >>
> >
> >
> 
> @Louis, as you can see, pretty basic. This is the same across all DCs in
> the forest.
> 
> # Global parameters
> [global]
>          workgroup = DOMAIN
>          realm = DOMAIN.LOCAL
>          netbios name = PFDC1
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>          idmap_ldb:use rfc2307 = Yes
> 
>          log file = /usr/local/samba/var/log.samba
>          logging = syslog at 2 file
>          debug uid = Yes
>          debug pid = Yes
> 
>          allow dns updates = nonsecure
> 
>          load printers = No
>          printcap name = /dev/null
>          disable spoolss = Yes
> 
>          ldap server require strong auth = no
>          tls verify peer = ca_and_name
> 
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>          read only = No
> 
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> 
> --
> -James
> 
> 