[Samba] Unable to set SeDiskOperatorPrivilege (again)
John Gardeniers
jgardeniers at integradev.com.au
Wed May 24 21:40:50 UTC 2017
Hi Rowland,

Those low numbers you refer to are in fact the standard numbers assigned
to those groups, so I fail to see the problem. As for mapping
Administrator to root, I believe that's entirely optional, rather than
required. Under normal circumstances we don't use the domain
Administrator account at all. We have a root account we use instead.

In regard to winbind, we have never used it and there's a concern here
that it may clash with our use of sssd, which is working great for all
normal purposes. Using multiple authentication mechanisms against the
same source can't be a good idea and, as you can see from my question,
we have no trouble resolving users or groups normally.

Here's smb.conf from the test machine:

[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.COM.AU
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 10000-19999
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

regards,
John

On 24/05/17 16:47, Rowland Penny via samba wrote:
> On Wed, 24 May 2017 13:34:27 +1000
> John Gardeniers via samba <samba at lists.samba.org> wrote:
>
>> There was a thread on this topic back in January and as far as I can
>> see it was never resolved.
> It has always worked for me, even when I used sssd.
> But there is no need to use sssd on a Unix domain member.
>
>> # getent group "Domain Admins"
>> Domain Admins:*:512:Administrator,user1,user2,user3
>>
>> # id Administrator
>> uid=10858(Administrator) gid=513(Domain Users) groups=513(Domain
>> Users),512(Domain Admins),10102(Enterprise Admins)
>>
>> # id "Domain Admins"
>> id: Domain Admins: No such user
>
> You seem to be using very low numbers for 'Domain Users' & 'Domain
> Admins'
>
> 'Domain Admins' is only a user on a DC (where it is also a group)
>
> 'Administrator' shouldn't have a uidNumber, it should be mapped to
> 'root'
>
> Can you post your smb.conf and are you willing to try using winbind?
>
> Rowland
>