[Samba] Can't create/update Group Policy in Samba 4.6.5

L.P.H. van Belle belle at bazuin.nl
Mon Jul 3 07:49:36 UTC 2017


Hai Marcio, 

> Can I remove Unix Attributes of the Administrator user  and 
> other administrator groups (set up NIS Domain to "none") ?
Yes, a GID on Domain Admins is not a problem, but a UID on Administrator is a big problem. 
So yes, for user Administrator, remove all Unix tab settings. (Don't forget to run: net cache flush) 
And double-check with: id Administrator. 

A tip. For example (part of the smb.conf of a member with AD backend): 
    ## map IDs outside the domain to tdb files.
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999

    ## map IDs from the domain; the range may not overlap!
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    idmap config NTDOM : unix_nss_info = yes

id username shows: 
uid=10002(username) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001
Now there is one error in that line (the last GID, 2001). 

After running net cache flush: 
uid=10002(username) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001(BUILTIN\users)
*(sample of member with AD backend setup) 

And this is correct: 2001(BUILTIN\users)


I have assigned all my (domain) Windows "default groups" a GID, but I'm using these on multiple servers. 
(These default groups are "domain" users/guests/computers/admins.) 
! Think RID/AD, where you need the same id (GID) on every server. Most important. 

Tip: it is no problem on a member to change RID to AD if needed; just change the backend and restart samba and winbind.
! WATCH OUT FOR YOUR RIGHTS ON THE SERVERS!!! You will lose these if UID/GIDs change. 
Run: net cache flush.  
!! AGAIN YOU NEED TO REAPPLY ALL RIGHTS ON THE FILE SERVER AFTER CHANGING RID <> AD BACKENDS.

Note: this does not apply to all setups, but users with multiple servers should think about this. 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marcio Demetrio Bacci via samba
> Sent: Monday 3 July 2017 2:04
> To: Miguel Medalha; samba at lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
> 
> Hi Miguel,
> 



> 
> I have given SeDiskOperatorPrivilege to "Domain Admins" group.
> 
> *net rpc rights grant "EMPRESA\Domain Admins" SeDiskOperatorPrivilege -U "EMPRESA\administrator"*
> Enter EMPRESA\administrator's password:
> Successfully granted rights.
> 
> I have executed the following commands, but OS and Server are empty:
> 
> *smbclient //localhost/netlogon -UAdministrator -c 'ls'* 
> Enter EMPRESA\Administrator's password:
> Domain=[EMPRESA] OS=[] Server=[]
>   .                                   D        0  Mon May 15 19:09:10 2017
>   ..                                  D        0  Sun Jul  2 17:07:24 2017
> 
>                 39189944 blocks of size 1024. 34372144 blocks available
> 
> 
> *smbclient -L localhost -U%*
> Domain=[EMPRESA] OS=[] Server=[]
> 
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service (Samba 4.6.5)
> Domain=[EMPRESA] OS=[] Server=[]
> 
>         Server               Comment
>         ---------            -------
> 
>         Workgroup            Master
>         ---------            -------
> 
> Regards,
> 
> Márcio Bacci
> 
> 
> 2017-07-02 19:31 GMT-03:00 Miguel Medalha via samba 
> <samba at lists.samba.org>:
> 
> > > 1) Who is '30056' ? 30056 is the Administrator user.
> > Administrator should remain as ID0.
> >
> > > 2) Have you given 'Administrator' a uidNumber ? Yes, I set up Unix
> > > Attribute to Administrator and "Domain Admins", "Domain Controllers"
> > > and other groups.
> > Don't do it. Administrator is a special case.
> >
> > > 3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ? 
> > > No. Is it necessary?
> > Yes.
> >
> > You should follow this Samba Wiki guide:
> >
> > Setting up Samba as an Active Directory Domain Controller 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
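The two checks from the reply above (idmap ranges that must not overlap, and an `id` entry that shows a GID with no resolved name), as an added example that is not part of the original message. The function names are hypothetical, the sample input is built from the lines quoted in the post, and labelling IDs outside every idmap range as "local" is an assumption.

```python
import re

# Constructed sample input: the idmap lines and the `id` output quoted in the post.
SMB_CONF = """\
idmap config * :backend = tdb
idmap config * :range = 2000-9999
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
idmap config NTDOM : unix_nss_info = yes
"""
ID_OUTPUT = ("uid=10002(username) gid=10000(domain users) "
             "groups=10000(domain users),27(sudo),116(lpadmin),"
             "10004(servers-ssh),2001")

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} from 'idmap config DOM : range = a-b' lines."""
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def overlaps(ranges):
    """Return pairs of idmap domains whose ID ranges intersect."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def audit_id(id_output, ranges):
    """List (gid, name or None, idmap domain) for each group in `id` output."""
    groups = re.search(r"groups=(.*)$", id_output).group(1)
    report = []
    for gid, name in re.findall(r"(\d+)(?:\(([^)]*)\))?", groups):
        # Assumption: an ID outside every idmap range is a local (non-winbind) ID.
        dom = next((d for d, (lo, hi) in ranges.items() if lo <= int(gid) <= hi), "local")
        report.append((int(gid), name or None, dom))
    return report

if __name__ == "__main__":
    r = idmap_ranges(SMB_CONF)
    print("overlapping ranges:", overlaps(r))
    for gid, name, dom in audit_id(ID_OUTPUT, r):
        print(gid, name or "UNRESOLVED (run: net cache flush)", dom)
```
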



