[Samba] Problems with GPO
Rowland Penny
rpenny at samba.org
Thu Nov 3 22:10:48 UTC 2016
See inline comments:
On Thu, 3 Nov 2016 19:17:58 -0200
Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:
> Hi Rowland
>
> Following are the results for:
>
> *USER:*
> wbinfo --uid-info=10060:
> bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
>
It looks like 'bacci' is a normal user, and the owner of the
Policies GUID dir should be 'Domain Admins'.
> *GROUP:*
> wbinfo --gid-info=30028: Domain Admins
This is where one of the problems starts, a bit of a catch-22 problem: you
need to give 'Domain Admins' a gidNumber to be visible to Unix, but if
you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that means it can
own dirs & files in sysvol.
>
> wbinfo --gid-info=30032: Domain Users
>
> wbinfo --gid-info=30033: Enterprise Admins
>
>
> "I don't see user:3000003"
>
> root at dc1:~# wbinfo -G 3000003
> S-1-5-11
>
> root at dc1:~# wbinfo -s S-1-5-11
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-11
>
You will need to look inside idmap.ldb to find this.
> I have in my network two DC (Samba 4) and one member File Server
> (Samba 4). When I execute wbinfo -r <user>, I have different results:
>
> root at dc1:~# wbinfo -G 3000000
> S-1-5-32-544
>
> root at dc1o:~# wbinfo -G 30002
> S-1-5-32-544
>
> root at dc1:~# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
>
> The SID to Administrators is 3000000 in DC. In File Server the same
> group is 30002.
Don't give the BUILTIN users & groups uidNumbers & gidNumbers; let
Samba do this on the DC and set up smb.conf correctly on the domain
member. You do this by using 'idmap config * : backend = tdb'.
>
> *Different Groups to the same user*
> root@*dc1*:~# wbinfo -r bacci
> 30011
> 30025
> 30029
> 30030
> 30035
> 30049
> 30052
> 3000000
>
>
> root@*server-file*:~# wbinfo -r bacci
> 30002
> 30003
> 30025
> 30028
> 30029
> 30030
> 30032
> 30035
> 30049
> 30052
> 30053
>
>
> Regards,
>
> Márcio
>
Rowland
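
An added example, not part of the original message or of Samba itself: a small Python check of a domain member's smb.conf against the advice above that the default domain use 'idmap config * : backend = tdb'. It goes beyond the thread by also flagging overlapping idmap ranges; the workgroup name EMPRESA is taken from the home directory path quoted above, while the range values, the 'ad' backend line and the function names are assumptions.

```python
import re

# Constructed member-server smb.conf (not from the thread); ranges are examples.
SAMPLE_MEMBER_CONF = """
[global]
    workgroup = EMPRESA
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMPRESA : backend = ad
    idmap config EMPRESA : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip smb.conf comment lines
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def audit_idmap(conf_text):
    """Return a list of findings; an empty list means both checks passed."""
    domains = parse_idmap(conf_text)
    findings = []
    # Check 1: the default domain '*' (BUILTIN and other non-domain SIDs) uses tdb.
    if domains.get("*", {}).get("backend", "").lower() != "tdb":
        findings.append("default domain '*' does not use backend = tdb")
    # Check 2: no two configured ID ranges overlap.
    ranges = []
    for dom, opts in domains.items():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            ranges.append((low, high, dom))
        else:
            findings.append(f"domain '{dom}' has no range")
    top_high, top_dom = -1, None
    for low, high, dom in sorted(ranges):
        if top_dom is not None and low <= top_high:
            findings.append(f"ranges of '{top_dom}' and '{dom}' overlap")
        if high > top_high:
            top_high, top_dom = high, dom
    return findings
```

Calling `audit_idmap()` on the text of the member's real smb.conf returns the list of findings; an empty list means both checks passed.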