[Samba] Rights issue on GPO
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 22 14:27:34 UTC 2016
>> https://wiki.samba.org/index.php/Idmap_config_ad
Don't we need idmap config in the smb.conf also, or is the above not used anymore? If so, we must change the wiki.
Gr.
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> lingpanda101 at gmail.com
> Sent: Wednesday 22 June 2016 15:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
>
> On 6/22/2016 9:27 AM, L.P.H. van Belle wrote:
> > And what I don't see: what is your "current" smb.conf?
> >
> > Greetz.
> >
> > Louis
> >
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> lingpanda101 at gmail.com
> >> Sent: Wednesday 22 June 2016 15:09
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Rights issue on GPO
> >>
> >> On 6/22/2016 8:51 AM, Rowland penny wrote:
> >>> On 22/06/16 13:44, lingpanda101 at gmail.com wrote:
> >>>> On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:
> >>>>> And dont forget :
> >>>>> https://wiki.samba.org/index.php/Idmap_config_ad
> >>>>>
> >>>>> I also noticed an incorrect mapping, which "looks" like rights
> >>>>> issues like in the thread here. ( it is imo not a rights issue.. )
> >>>>> read on..
> >>>>>
> >>>>> NTDOMAIN\enterprise read-only domain controllers:x:3000202:
> >>>>> NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
> >>>>> NTDOMAIN\domain users:x:10000:
> >>>>> NTDOMAIN\domain guests:x:10002:
> >>>>> NTDOMAIN\domain computers:x:10006:
> >>>>> NTDOMAIN\domain controllers:x:3000018:
> >>>>> NTDOMAIN\read-only domain controllers:x:3000203:
> >>>>>
> >>>>> Is conflicting with
> >>>>> BUILTIN\administrators:x:3000000:
> >>>>> BUILTIN\users:x:3000009:
> >>>>> BUILTIN\guests:x:3000015:
> >>>>> BUILTIN\account operators:x:3000185:
> >>>>> BUILTIN\server operators:x:3000001:
> >>>>>
> >>>>> Which results in some incorrect mappings.
> >>>>>
> >>>>> But if you add : acl_xattr:ignore system acls = yes to the
> >>>>> Sysvol share.
> >>>>> !! AND you're using the DCs only as DCs. !!
> >>>>>
> >>>>> Then this incorrect mapping can be ignored, at least I'm ignoring it,
> >>>>> since everything is tested and works fine.
> >>>>>
> >>>>> But I'm thinking of setting a separate range for BUILTIN
> >>>>>
> >>>>> A setup something like :
> >>>>>
> >>>>> idmap_ldb:use rfc2307 = yes
> >>>>>
> >>>>> ## map id's outside to domain to tdb files.
> >>>>> ## use for local (linux only ) users
> >>>>> idmap config * : backend = tdb
> >>>>> idmap config * : range = 2000-9999
> >>>>>
> >>>>> ## map ids from the domain and (*) the range may not overlap !
> >>>>> ## the NTDOMAIN range id mappings
> >>>>> idmap config NTDOMAIN : backend = ad
> >>>>> idmap config NTDOMAIN : schema_mode = rfc2307
> >>>>> idmap config NTDOMAIN : range = 10000-2999999
> >>>>>
> >>>>> ## map ids from BUILTIN ( LOCAL SYSTEM )
> >>>>> ##
> >>>>> idmap config BUILTIN : backend = ad
> >>>>> idmap config BUILTIN : schema_mode = rfc2307
> >>>>> idmap config BUILTIN : range = 3000000-3999999
> >>>>>
> >>>>> Sometimes, and if you see from within windows security rights like :
> >>>>> NTDOMAIN\administrators
> >>>>> Which should be
> >>>>> BUILTIN\administrators
> >>>>>
> >>>>> Anyone have any suggestion about setting an extra BUILTIN range for the
> >>>>> Local Computer/System?
> >>>>>
> >>>>>
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
> >>>>>> Sent: Wednesday 22 June 2016 13:59
> >>>>>> To: samba at lists.samba.org
> >>>>>> Subject: Re: [Samba] Rights issue on GPO
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 06/22/2016 01:44 PM, mj wrote:
> >>>>>>> And then perhaps we also need to set the idmap ranges on the DCs? I
> >>>>>>> thought they were only for the domain member servers...
> >>>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> >>>>>>
> >>>>>> :-)
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>
> >>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN
> >>>> like others?
> >>>>
> >>>> getfacl: Removing leading '/' from absolute path names
> >>>> # file: usr/local/samba/var/locks/sysvol/
> >>>> # owner: root
> >>>> # group: 3000000
> >>>> user::rwx
> >>>> user:root:rwx
> >>>> user:3000000:rwx
> >>>> user:3000001:r-x
> >>>> user:3000002:rwx
> >>>> user:3000003:r-x
> >>>> group::rwx
> >>>> group:3000000:rwx
> >>>> group:3000001:r-x
> >>>> group:3000002:rwx
> >>>> group:3000003:r-x
> >>>> mask::rwx
> >>>> other::---
> >>>> default:user::rwx
> >>>> default:user:root:rwx
> >>>> default:user:3000000:rwx
> >>>> default:user:3000001:r-x
> >>>> default:user:3000002:rwx
> >>>> default:user:3000003:r-x
> >>>> default:group::---
> >>>> default:group:3000000:rwx
> >>>> default:group:3000001:r-x
> >>>> default:group:3000002:rwx
> >>>> default:group:3000003:r-x
> >>>> default:mask::rwx
> >>>> default:other::---
> >>>>
> >>> What version of Samba is this ?
> >>>
> >>> Rowland
> >>>
> >>>
> >> samba -V
> >> Version 4.4.4
> >>
> >>
> >> --
> >> -James
> >>
> >
> >
>
> @Louis, as you can see, pretty basic. This is the same across all DCs in
> the forest.
>
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> netbios name = PFDC1
> server role = active directory domain controller
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = Yes
>
> log file = /usr/local/samba/var/log.samba
> logging = syslog at 2 file
> debug uid = Yes
> debug pid = Yes
>
> allow dns updates = nonsecure
>
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
>
> ldap server require strong auth = no
> tls verify peer = ca_and_name
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> --
> -James
>