[Samba] Can't create/update Group Policy in Samba 4.6.5
L.P.H. van Belle
belle at bazuin.nl
Mon Jul 3 07:49:36 UTC 2017
Hai Marcio,
> Can I remove Unix Attributes of the Administrator user and
> other administrator groups (set up NIS Domain to "none") ?
Yes, GID on Domain Admins is not a problem, but UID on Administrator is a big problem.
So yes, for user Administrator, remove all unix tab settings. (Don't forget to run: net cache flush)
And double check with: id Administrator.
A tip. For example, ( part of smb.conf member with AD backend. )
## map id's outside to domain to tdb files.
idmap config * :backend = tdb
idmap config * :range = 2000-9999
## map ids from the domain the range may not overlap !
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
idmap config NTDOM : unix_nss_info = yes
id username shows:
uid=10002(username) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001
Now there is one error in that line (the last GID, 2001).
After running net cache flush:
uid=10002(username) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001(BUILTIN\users)
*(sample of member with AD backend setup)
And this is correct: 2001(BUILTIN\users)
I have assigned all my (domain) windows "default groups" a GID, but I'm using these on multiple servers.
(These default groups are "domain" users/guests/computers/admins.)
! Think RID/AD, where you need the same id (GID) on every server. Most important.
Tip: it is no problem on a member to change RID to AD if needed; just change the backend and restart samba and winbind.
! WATCH OUT FOR YOUR RIGHTS ON THE SERVERS!!! You will lose these if UID/GIDS change.
Run: net cache flush.
!! AGAIN YOU NEED TO REAPPLY ALL RIGHTS ON THE FILE SERVER AFTER CHANGING RID <> AD BACKENDS.
Note: this does not apply to all setups, but users with multiple servers should think about this.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marcio Demetrio Bacci via samba
> Sent: Monday 3 July 2017 2:04
> To: Miguel Medalha; samba at lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> Hi Miguel,
>
>
> I have given SeDiskOperatorPrivilege to "Domain Admins" group.
>
> *net rpc rights grant "EMPRESA\Domain Admins" SeDiskOperatorPrivilege -U "EMPRESA\administrator"*
> Enter EMPRESA\administrator's password:
> Successfully granted rights.
>
> I have executed the following commands, but OS and Server are empty:
>
> *smbclient //localhost/netlogon -UAdministrator -c 'ls'*
> Enter EMPRESA\Administrator's password:
> Domain=[EMPRESA] OS=[] Server=[]
> . D 0 Mon May 15 19:09:10 2017
> .. D 0 Sun Jul 2 17:07:24 2017
>
> 39189944 blocks of size 1024. 34372144 blocks available
>
>
> *smbclient -L localhost -U%*
> Domain=[EMPRESA] OS=[] Server=[]
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk
> sysvol Disk
> IPC$ IPC IPC Service (Samba 4.6.5)
> Domain=[EMPRESA] OS=[] Server=[]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
>
> Regards,
>
> Márcio Bacci
>
>
> 2017-07-02 19:31 GMT-03:00 Miguel Medalha via samba <samba at lists.samba.org>:
>
> > > 1) Who is '30056' ? 30056 is the Administrator user.
> > Administrator should remain as ID0.
> >
> > > 2) Have you given 'Administrator' a uidNumber ? Yes, I set up Unix Attribute to Administrator and "Domain Admins", "Domain Controllers" and other groups.
> > Don't do it. Administrator is a special case.
> >
> > > 3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?
> > > No. Is necessary?
> > Yes.
> >
> > You should follow this Samba Wiki guide:
> >
> > Setting up Samba as an Active Directory Domain Controller
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
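The two checks described in the reply above (idmap ranges must not overlap, and every ID in `id` output should resolve to a name), as an added example that is not part of the original thread. The function names are hypothetical; the inputs are the smb.conf fragment and the `id` line quoted in the message.

```python
import re

# "idmap config DOMAIN : option = value", with the loose spacing smb.conf allows.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# The member-server fragment quoted in the message above.
SMB_CONF = """\
## map id's outside to domain to tdb files.
idmap config * :backend = tdb
idmap config * :range = 2000-9999
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
"""
# `id username` output from the message, before `net cache flush`.
ID_BEFORE = ("uid=10002(username) gid=10000(domain users) "
             "groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001")

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every idmap config line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def overlapping_ranges(domains):
    """Return (domain_a, domain_b) pairs whose ID ranges intersect."""
    spans = []
    for name, opts in domains.items():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            spans.append((low, high, name))
    spans.sort()
    return [(a[2], b[2]) for i, a in enumerate(spans)
            for b in spans[i + 1:] if b[0] <= a[1]]

def unresolved_ids(id_output):
    """Return numeric IDs in `id` output that carry no (name)."""
    stripped = re.sub(r"\([^)]*\)", "()", id_output)  # names may contain digits
    return [int(n) for n, named in re.findall(r"(\d+)(\(\))?", stripped) if not named]

if __name__ == "__main__":
    print("overlaps:", overlapping_ranges(parse_idmap(SMB_CONF)))
    print("unresolved:", unresolved_ids(ID_BEFORE))
```

An empty overlap list and an empty unresolved list are the expected state on every member server that shares the same backend settings.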