[Samba] sysvolreset doesn't reset all ACLs

me at tdiehl.org me at tdiehl.org
Thu Aug 31 22:59:21 UTC 2017 

On Thu, 31 Aug 2017, Rowland Penny via samba wrote:

> On Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Thu, 24 Aug 2017, Rowland Penny via samba wrote:
>>
>>> On Thu, 24 Aug 2017 12:41:36 +0200
>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>>
>>> I actually used worse words when I found out why I couldn't get my
>>> work on the python code to work. ;-)
>>>
>>>> Does this apply only to sysvolreset or also when fixing ACLs from
>>>> Windows?
>>>
>>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
>>> idmap.ldb, this makes it able to own files and dirs in sysvol. The
>>> moment you give 'Domain Admins' a gidNumber, you break this mapping
>>> and the group becomes just a group and cannot own anything on a Unix
>>> machine, so my recommendation is to not give the group a gidNumber,
>>> create another group 'Unix Admins' ? give this group a gidNumber and
>>> make this group a member of 'Domain Admins'
>>
>> So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers
>> running samba-4.6.2-8.el7.x86_64 on Centos 7.4. In setting up shares
>> on the file servers I see that
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> says to grant SeDiskOperatorPrivilege to the Domain Admins group.
>>
>> If I follow Rowland's advice above and make a unix admins group, do I
>> still grant SeDiskOperatorPrivilege to Domain Admins or do I grant
>> SeDiskOperatorPrivilege to Unix Admins?
>>
>> I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege but I
>> want to be sure.
>
> Basically, wherever the wikipage  mentions 'Domain Admins' use 'Unix
> Admins' instead (you don't have to use a group called 'Unix Admins', it
> just seemed a logical name to me), so yes, you give both a gidNumber
> and 'SeDiskOperatorPrivilege' to 'Unix Admins', you will also need to
> make 'Unix Admins' a member of 'Domain Admins'
>
>>
>> Also When I create the shares do I set the permissions to root:Unix
>> Admins?
>
> Yes, or 'Unix Admins' will not be able to do anything.
>
>>
>> If I do getent group "domain admins" nothing returns. Which I believe
>> is because Domain Admins does not have a unix GID assigned.
>
> Good, whilst 'Domain Admins' isn't used by the default GPOs, it is used
> (as an owner) by other GPOs you will add.
>
>>
>> If I do:
>> (vfs2 pts4) # getent group "unix admins"
>> unix admins:x:10001:
>> (vfs2 pts4) #
>>
>> That works. Since unix admins is a member of domain admins is that
>> good enough?
>
> Yes.

Thanks for the quick response.

One more question, when I created the Unix Admins group using ADUC, I noticed
that there was a place to add members on the Unix attributes tab. Should I be
adding users there, on the members tab or both?

Regards,.

-- 
Tom			me at tdiehl.org		Spamtrap address	 		me123 at tdiehl.org

More information about the samba mailing list