[Samba] sysvolreset doesn't reset all ACLs

me at tdiehl.org me at tdiehl.org
Thu Aug 31 20:04:42 UTC 2017


On Thu, 24 Aug 2017, Rowland Penny via samba wrote:

> On Thu, 24 Aug 2017 12:41:36 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>
>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>
> I actually used worse words when I found out why I couldn't get my work
> on the python code to work. ;-)
>
>> Does this apply only to sysvolreset or also when fixing ACLs from
>> Windows?
>
> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> moment you give 'Domain Admins' a gidNumber, you break this mapping and
> the group becomes just a group and cannot own anything on a Unix
> machine, so my recommendation is to not give the group a gidNumber,
> create another group 'Unix Admins', give this group a gidNumber and
> make this group a member of 'Domain Admins'

So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers running
samba-4.6.2-8.el7.x86_64 on CentOS 7.4. In setting up shares on the file
servers I see that
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
says to grant SeDiskOperatorPrivilege to the Domain Admins group.

If I follow Rowland's advice above and make a unix admins group, do I still
grant SeDiskOperatorPrivilege to Domain Admins or do I grant
SeDiskOperatorPrivilege to Unix Admins?

I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege but I want to
be sure.

Also, when I create the shares do I set the permissions to root:Unix Admins?

If I do getent group "domain admins" nothing returns. Which I believe is because
Domain Admins does not have a unix GID assigned.

If I do:
(vfs2 pts4) # getent group "unix admins"
unix admins:x:10001:
(vfs2 pts4) #

That works. Since unix admins is a member of domain admins is that good enough?

I am trying very hard to get this right but given all of these special cases
and documentation that gives different advice, it is difficult at best. I would
not have any chance of getting this working without all of the help on this
list.

Thank You!!

Regards,

-- 
Tom			me at tdiehl.org		Spamtrap address	 		me123 at tdiehl.org
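The following is an added example, not code from the poster, from Rowland, or from the Samba project. It turns the checks discussed in the thread into a small POSIX shell audit for a member server: it parses `getent group` lines to tell whether 'Domain Admins' has (wrongly) acquired a GID and whether the helper 'Unix Admins' group resolves to one, and it builds the `net rpc rights grant` command from the linked wiki page with the group name as a parameter, since which group should hold SeDiskOperatorPrivilege is the open question of the post. The realm name EXAMPLE, the group names and the sample getent lines are constructed assumptions.

```shell
#!/bin/sh
# Added example for the thread above; not from the Samba project or the poster.
# Assumptions: winbind feeds NSS on the member server (so `getent group`
# reflects the idmap state), the realm is the placeholder EXAMPLE, and the
# group names follow the suggestion in the thread ("Domain Admins" without a
# gidNumber, "Unix Admins" with one).

# Print the GID field of a `getent group` line ("name:x:gid:members"), or nothing.
gid_from_group_line() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 && $3 != "" { print $3 }'
}

# True when the line carries a purely numeric GID.
has_unix_gid() {
    gid=$(gid_from_group_line "$1")
    case "$gid" in
        '' | *[!0-9]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Classify the situation described in the thread from the two getent lines:
#   domain-admins-has-gid : Domain Admins got a gidNumber; the ID_TYPE_BOTH
#                           mapping is broken and it can no longer own sysvol
#   unix-admins-unmapped  : the helper group resolves to no GID, so it cannot
#                           own share directories either
#   ok                    : the recommended layout
classify_mapping() {
    da_line=$1
    ua_line=$2
    if has_unix_gid "$da_line"; then
        echo "domain-admins-has-gid"
    elif ! has_unix_gid "$ua_line"; then
        echo "unix-admins-unmapped"
    else
        echo "ok"
    fi
}

# Live variant for a member server: an unmapped group makes getent print nothing.
audit_live() {
    da=$(getent group "domain admins" 2>/dev/null || true)
    ua=$(getent group "unix admins" 2>/dev/null || true)
    classify_mapping "$da" "$ua"
}

# Build the privilege grant in the form used by the wiki page linked in the
# post, parameterised on the group. Echoes the command by default; set
# DRY_RUN=0 to execute it on a real server.
grant_disk_operator() {
    group=$1
    realm=${2:-EXAMPLE}
    cmd="net rpc rights grant \"$realm\\$group\" SeDiskOperatorPrivilege -U \"$realm\\administrator\""
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        eval "$cmd"
    fi
}

# Constructed sample mirroring the post: getent returned nothing for
# "domain admins" and one line for "unix admins".
SAMPLE_DA=""
SAMPLE_UA="unix admins:x:10001:"

echo "sample mapping state: $(classify_mapping "$SAMPLE_DA" "$SAMPLE_UA")"
echo "grant command for the chosen group (dry run):"
grant_disk_operator "Unix Admins"
```

On a member server, call `audit_live` instead of the constructed sample; a result other than `ok` means the layout described in the thread is not in place, and the `getent` lines themselves show which side is off.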


