[Samba] Unable to set SeDiskOperatorPrivilege (again)

John Gardeniers jgardeniers at integradev.com.au
Wed May 24 21:40:50 UTC 2017


Hi Rowland,

Those low numbers you refer to are in fact the standard numbers assigned 
to those groups, so I fail to see the problem. As for mapping 
Administrator to root, I believe that's entirely optional, rather than 
required. Under normal circumstances we don't use the domain 
Administrator account at all. We have a root account we use instead.

In regard to winbind, we have never used it and there's a concern here 
that it may clash with our use of sssd, which is working great for all 
normal purposes. Using multiple authentication mechanisms against the 
same source can't be a good idea and, as you can see from my question, 
we have no trouble resolving users or groups normally.

Here's smb.conf from the test machine:

[global]
     security = ADS
     workgroup = MYDOMAIN
     realm = MYDOMAIN.COM.AU

     log file = /var/log/samba/%m.log
     log level = 1

     # Default ID mapping configuration for local BUILTIN accounts
     # and groups on a domain member. The default (*) domain:
     # - must not overlap with any domain ID mapping configuration!
     # - must use a read-write-enabled back end, such as tdb.
     idmap config * : backend = tdb
     idmap config * : range = 10000-19999

     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

regards,
John


On 24/05/17 16:47, Rowland Penny via samba wrote:
> On Wed, 24 May 2017 13:34:27 +1000
> John Gardeniers via samba <samba at lists.samba.org> wrote:
>
>> There was a thread on this topic back in January and as far as I can
>> see it was never resolved.
> It has always worked for me, even when I used sssd.
> But there is no need to use sssd on a Unix domain member.
>   
>> # getent group "Domain Admins"
>> Domain Admins:*:512:Administrator,user1,user2,user3
>>
>> # id Administrator
>> uid=10858(Administrator) gid=513(Domain Users) groups=513(Domain
>> Users),512(Domain Admins),10102(Enterprise Admins)
>>
>> # id "Domain Admins"
>> id: Domain Admins: No such user
>
> You seem to be using very low numbers for 'Domain Users' & 'Domain
> Admins'
>
> 'Domain Admins' is only a user on a DC (where it is also a group)
>
> 'Administrator' shouldn't have a uidNumber, it should be mapped to
> 'root'
>
> Can you post your smb.conf and are you willing to try using winbind?
>
> Rowland
>
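
Added example, not part of the original thread or of Samba: a small Python check that parses the `idmap config` lines of the smb.conf posted above and reports which configured range, if any, each ID from the quoted getent/id output falls into. The function names are hypothetical and the embedded config and ID table are constructed from the values shown in the thread.

```python
import re

# Constructed sample: the idmap-relevant lines of the smb.conf posted in the message.
SMB_CONF = """\
[global]
    security = ADS
    workgroup = MYDOMAIN
    # - must not overlap with any domain ID mapping configuration!
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
"""

# IDs as reported by getent/id in the quoted output.
THREAD_IDS = {"Domain Admins": 512, "Domain Users": 513,
              "Administrator": 10858, "Enterprise Admins": 10102}

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(part) for part in value.split("-"))
            value = (low, high)
        domains.setdefault(domain, {})[key] = value
    return domains

def overlapping(domains):
    """Pairs of idmap domains whose ID ranges overlap."""
    ranged = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    return [(a, b) for i, (a, ra) in enumerate(ranged)
            for b, rb in ranged[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]

def owning_domain(domains, unix_id):
    """Name of the idmap domain whose range contains unix_id, else None."""
    for domain, entry in domains.items():
        low, high = entry.get("range", (1, 0))
        if low <= unix_id <= high:
            return domain
    return None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for name, unix_id in THREAD_IDS.items():
        print(f"{name}: {unix_id} -> {owning_domain(cfg, unix_id)}")
    print("overlaps:", overlapping(cfg))
```

On a real member server, feed it the contents of the live smb.conf instead of the embedded sample.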


