[Samba] Rights issue on GPO
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 22 14:37:24 UTC 2016
Pretty strange then, running some years like this without any problem.
Yes, we had a few problems with "rights" in sysvol, but I fixed this all outside Linux, and with that I mean: changed rights from within Windows, or added registry changes or patches, or a local clean up of the policies.
At the install of my DC2 I also synced the idmap.ldb, and then a
net idmap flush on both servers to make both my DCs in sync.
And I keep it in sync with my rsync/unison setup.
All new added, but I'll keep an eye also on this and I'll recheck my logs.
But I don't think I'll find anything here.
I'll keep notice on your "workaround".
Which backend are you using, Mathias?
Mine : (idmap config NTDOMAIN : backend = ad)
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> Sent: Wednesday 22 June 2016 15:31
> To: lingpanda101 at gmail.com
> CC: samba
> Subject: Re: [Samba] Rights issue on GPO
> @LPH van Belle
> I did try (and still use) "acl_xattr:ignore system acls = yes" as shown
> on the first mail of that thread. And even using that, rights errors on GPO
> files _are_ an issue. Otherwise that thread wouldn't have been opened, of
> course : )
> The way we decided to work around that almost definitively was to
> give every user and group in AD some xID, also those in CN=Builtin and
> CN=Users. We also cleaned our idmap.ldb to keep inside only special users
> and groups (such as "local system" / S-1-5-18, "guests" / S-1-5-32-546...).
> We also add some rsync to keep idmap.ldb synchronized on all our DCs, for
> these special items to have the same mapped xID in case they are used (and so
> Doing that, the id mapper has no reason to define by itself some xID for users
> and groups contained in AD, as they already have some xID.
> Until now it seems to work fine...
> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com
> <lingpanda101 at gmail.com>:
> > On 6/22/2016 8:53 AM, mj wrote:
> >> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
> >>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
> >>> others?
> >> do you have winbind in /etc/nsswitch.conf?
> >> mj
> > I also thought winbind was only necessary on member servers.
> > --
> > -James
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
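Both the reply and the quoted message depend on idmap.ldb holding the same SID-to-xID mappings on every DC. The following is an added example, not part of the thread, that compares two dumps of that database and reports SIDs whose mapping differs or is missing on one side; the dump contents, xidNumbers and function names are constructed for illustration.

```python
# Added example (not from the thread): compare the SID -> xID mappings dumped
# from idmap.ldb on two DCs. Both dumps are constructed, with made-up
# xidNumbers and trimmed attributes, in the LDIF layout ldbsearch prints.
DC1_DUMP = """\
dn: CN=CONFIG
xidNumber: 3000006

objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002

objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000005
"""
DC2_DUMP = """\
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000007

objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

def parse_idmap(ldif):
    """Return {sid: (type, xid)} for each record that maps a SID."""
    mappings = {}
    for record in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "objectSid" in attrs and "xidNumber" in attrs:  # skips CN=CONFIG
            sid = attrs["objectSid"]
            mappings[sid] = (attrs.get("type", "?"), int(attrs["xidNumber"]))
    return mappings

def diff_idmaps(a, b):
    """Return (sid, entry_a, entry_b) for SIDs mapped differently or missing."""
    sids = sorted(set(a) | set(b))
    return [(s, a.get(s), b.get(s)) for s in sids if a.get(s) != b.get(s)]

if __name__ == "__main__":
    for sid, dc1, dc2 in diff_idmaps(parse_idmap(DC1_DUMP), parse_idmap(DC2_DUMP)):
        print(f"{sid}: DC1={dc1} DC2={dc2}")
```

An empty result means both DCs resolve every mapped SID to the same xID, so ACLs copied with the sysvol files refer to the same accounts on each side.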