[Samba] Problem sysvolreset

L.P.H. van Belle belle at bazuin.nl
Wed Mar 22 07:09:31 UTC 2017


No,

I don't agree/believe you... because of my setup.

On a Samba member (4.5/4.6):
getent group "Domain Admins"
domain admins:x:10001:admin,administrator
I have run like this for more than a year.

On the Samba DC (4.5.3):
NTDOM\domain admins:x:3000008 
All others are ok on the dc.
BAZRTD\domain users:x:10000
BAZRTD\domain guests:x:10002:

It works fine here; this is what I want.
Yes, the IDs on the DC and members are different, but I don't mind that.

This is on my Samba DC:
# file: var/lib/samba/sysvol/som.dome.tld/Policies/{12347FD-61B1-446E-ACEA-907BCA12E0E1}/
# owner: root
# group: BAZRTD\134domain\040admins
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

So again, why not?
It works as it should, at least for me. 

I only have one problem (ok, 2...) on my DC:
GID 300002 and GID 300003.
One should be "NT AUTHORITY\SYSTEM"; this is my biggest problem.
Some GPOs are not working correctly due to a mismatch in SIDs/RIDs with the user SYSTEM. But I saw all the hard work the devs are doing, I'm amazed by it, so I'll wait until that's fixed; I have my workaround.

For me it's very simple: I never ever run sysvolreset.
And if I must run sysvolreset (yes, it happened one or two times),
I have the steps to set it up again like above; yes, a bit more work, but it reflects the Windows defaults better IMHO.
And acl_xattr:ignore system acls = yes   is my friend here.

Greetz, 

Louis


> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Tuesday, March 21, 2017 17:27
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Problem sysvolreset
> 
> On Tue, 21 Mar 2017 17:09:22 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hai,
> >
> > Here you go, my output of the 2008 R2 (64-bit).
> >
> > 1) original GPO from the install (the domain controller policy)
> >
> > Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
> > Owner  : BUILTIN\Administrators
> > Group  : NT AUTHORITY\SYSTEM
> >
> 
> This is the same as what I found, the default policies get the above
> ownership.
> 
> >
> > 2) and a just now created GPO, didn't touch it at all.
> >
> > Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
> > Owner  : ROTTERDAM\Domain Admins
> > Group  : ROTTERDAM\Domain Admins
> > Access : CREATOR OWNER Allow  FullControl
> >          NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow  ReadAndExecute, Synchronize
> >          NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
> >          NT AUTHORITY\SYSTEM Allow  FullControl
> >          ROTTERDAM\Domain Admins Allow  FullControl
> >          ROTTERDAM\Enterprise Admins Allow  FullControl
> > Audit  :
> > Sddl   : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)
> 
> Now do you believe me when I say Domain Admins shouldn't have a
> gidNumber ?
> 
> Rowland
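The two artefacts the thread puts side by side are the Windows default ACL of a new GPO folder (the SDDL string Louis pasted from the 2008 R2 DC) and the POSIX ACL getfacl shows on the Samba DC, where two entries survive only as bare IDs (3000002 and 3000003) and names come out with getfacl's \134 (backslash) and \040 (space) octal escapes. The Python script below is an added example, not code from the thread or from Samba: it decodes both representations, lists the IDs the DC could not map to a name, and lists the Windows trustees that have no like-named entry in the POSIX ACL. The SDDL abbreviation table is limited to the well-known SIDs that appear on SYSVOL, and resolving DA/EA to the bare names "Domain Admins"/"Enterprise Admins" is an assumption of this example. Note that with acl_xattr:ignore system acls = yes the ACL Samba actually enforces is the NT ACL stored in the security.NTACL extended attribute, so trustees the script reports as missing from the POSIX ACL (SYSTEM, Authenticated Users, Enterprise Domain Controllers) are expected there and are not by themselves a fault.

```python
import re

# Well-known SID abbreviations used in SDDL (subset seen on SYSVOL). Resolving
# DA/EA to bare group names is an assumption of this example.
SDDL_SIDS = {"CO": "CREATOR OWNER", "SY": "NT AUTHORITY\\SYSTEM",
             "ED": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
             "AU": "NT AUTHORITY\\Authenticated Users", "BA": "BUILTIN\\Administrators",
             "DA": "Domain Admins", "EA": "Enterprise Admins"}
# Generic file rights; 0x1200a9 (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE) is
# what Windows prints as "ReadAndExecute, Synchronize".
SDDL_RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}

# Input copied from the thread: SDDL of the new GPO on the 2008 R2 DC and the
# getfacl dump from the Samba DC (abbreviated: default: entries dropped).
SDDL_FROM_THREAD = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)"
                    "(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)"
                    "(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)")
GETFACL_FROM_THREAD = """\
# owner: root
# group: BAZRTD\\134domain\\040admins
user::rwx
user:root:rwx
user:BUILTIN\\134administrators:rwx
user:BUILTIN\\134server\\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
"""

def _chunks2(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_sddl(sddl):
    """Decode O:/G:/D: into owner, group, DACL control flags and ACE list."""
    m = re.fullmatch(r"O:(\w+)G:(\w+)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, ctl, ace_blob = m.groups()
    control = ["PROTECTED"] if ctl.startswith("P") else []  # P: parent ACL blocked
    control += _chunks2(ctl.lstrip("P"))       # AI = auto-inherited, AR = requested
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:                                  # "FA", or concatenations like "FRFX"
            mask = 0
            for abbr in _chunks2(rights):
                mask |= SDDL_RIGHTS[abbr]
        aces.append({"type": {"A": "ALLOW", "D": "DENY"}.get(ace_type, ace_type),
                     "flags": _chunks2(flags),  # OI/CI/IO/NP/ID inheritance flags
                     "mask": mask, "trustee": SDDL_SIDS.get(sid, sid)})
    return {"owner": SDDL_SIDS.get(owner, owner), "group": SDDL_SIDS.get(group, group),
            "control": control, "aces": aces}

def unescape_getfacl(name):
    """getfacl prints backslash, space and non-printables as \\NNN octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Parse one getfacl block into (scope, tag, qualifier, perms) tuples."""
    entries, group_owner = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# group:"):
            group_owner = unescape_getfacl(line.split(":", 1)[1].strip())
        elif line and not line.startswith("#"):
            scope = "access"
            if line.startswith("default:"):
                scope, line = "default", line[len("default:"):]
            tag, qualifier, perms = line.split(":", 2)
            entries.append((scope, tag, unescape_getfacl(qualifier), perms))
    return {"group_owner": group_owner, "entries": entries}

def unresolved_ids(acl):
    """user/group entries whose qualifier is a bare ID the DC could not name."""
    return sorted({q for _, tag, q, _ in acl["entries"]
                   if tag in ("user", "group") and q.isdigit()})

def trustees_without_posix_entry(sddl, acl):
    """Windows trustees with no like-named POSIX entry (DOMAIN\\ and case ignored)."""
    def short(n):
        return n.rsplit("\\", 1)[-1].lower()
    names = {short(q) for _, _, q, _ in acl["entries"] if q and not q.isdigit()}
    if acl["group_owner"]:
        names.add(short(acl["group_owner"]))
    return sorted({a["trustee"] for a in sddl["aces"] if short(a["trustee"]) not in names})

if __name__ == "__main__":
    win, posix = parse_sddl(SDDL_FROM_THREAD), parse_getfacl(GETFACL_FROM_THREAD)
    print("unresolved IDs on the Samba DC:", unresolved_ids(posix))
    print("no named POSIX entry for     :", trustees_without_posix_entry(win, posix))
```

To run it against a live DC, paste the output of getfacl on the policy directory into GETFACL_FROM_THREAD (or read it from a file) and the Sddl line from Get-Acl on a Windows DC into SDDL_FROM_THREAD; on the thread's input it reports 3000002 and 3000003 as unresolved, and Domain Admins as the one Windows trustee that does appear by name, via the group owner line.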
