[Samba] Unable to set SeDiskOperatorPrivilege (again)

John Gardeniers jgardeniers at integradev.com.au
Wed May 24 22:34:13 UTC 2017


Hi Rowland,

You say that winbind can do anything that sssd can, yet I've not been 
able to find winbind instructions similar to these for sssd: 
http://jhrozek.livejournal.com/3860.html

Do you know of such instructions? More particularly, do you know how 
with winbind we can lock sudoers down to specific OUs? We need to do a 
lot more than basic authentication and simple file sharing. From both 
this thread and previous ones I suspect our environment is more complex 
than what you're familiar with.

regards,
John


On 25/05/17 08:17, Rowland Penny via samba wrote:
> On Thu, 25 May 2017 07:40:50 +1000
> John Gardeniers via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> Those low numbers you refer to are in fact the standard numbers
>> assigned to those groups, so I fail to see the problem.
> Yes, they are standard numbers, they are standard RIDs and as such have
> no place on Unix
>
>> As for
>> mapping Administrator to root, I believe that's entirely optional,
>> rather than required. Under normal circumstances we don't use the
>> domain Administrator account at all. We have a root account we use
>> instead.
> Yes, it is optional, but if you want to do things from Windows, it's
> easier to use Administrator on Windows that is mapped to root on the
> Unix DC. The problems start when you give Administrator a uidNumber
> that isn't '0'
>
>> In regard to winbind, we have never used it and there's a concern
>> here that it may clash with our use of sssd, which is working great
>> for all normal purposes. Using multiple authentication mechanisms
>> against the same source can't be a good idea and, as you can see from
>> my question, we have no trouble resolving users or groups normally.
> Anything sssd can do, winbind can do, winbind is supported by Samba,
> sssd isn't, if you want sssd support, try the sssd-users mailing list
>
>> Here's smb.conf from the test machine:
>>
>> [global]
>>       security = ADS
>>       workgroup = MYDOMAIN
>>       realm = MYDOMAIN.COM.AU
>>
>>       log file = /var/log/samba/%m.log
>>       log level = 1
>>
>>       # Default ID mapping configuration for local BUILTIN accounts
>>       # and groups on a domain member. The default (*) domain:
>>       # - must not overlap with any domain ID mapping configuration!
>>       # - must use a read-write-enabled back end, such as tdb.
>>       idmap config * : backend = tdb
>>       idmap config * : range = 10000-19999
> Please don't use those numbers, '10000' is the default domain start
> number on ADUC and there are nowhere near 9999 well-known SIDs, plus if
> you are not using winbind, you do not need those lines
>
> Rowland
>
>

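As an added illustration (not part of either message above, and not taken from Samba's own documentation verbatim), the smb.conf below places the quoted idmap lines beside a layout that follows the point Rowland makes: the default (*) domain only has to cover BUILTIN and other well-known SIDs, so it gets a small range that stays clear of the IDs ADUC hands out, and the AD domain gets its own non-overlapping range. The rid backend, the domain name MYDOMAIN, the user.map path and the exact range boundaries are assumptions chosen for the example.

```ini
[global]
    security = ADS
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM.AU

    log file = /var/log/samba/%m.log
    log level = 1

    # --- quoted from the thread (problematic) ---
    # idmap config * : backend = tdb
    # idmap config * : range = 10000-19999
    # 10000 is where ADUC starts assigning uidNumber/gidNumber by default,
    # so BUILTIN mappings allocated here can collide with real domain IDs.

    # --- corrected default domain (assumed ranges) ---
    # Only BUILTIN and well-known SIDs land here; a few thousand IDs is plenty.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # --- the AD domain itself (assumed backend and range) ---
    # rid computes uid/gid = RID + range start, so every member server
    # derives the same mapping without a shared tdb. The range must not
    # overlap the default domain's range above.
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-999999

    # Map the domain Administrator onto root (uid 0) so that rights such as
    # SeDiskOperatorPrivilege can be granted and used from Windows tools.
    username map = /etc/samba/user.map
```

Here /etc/samba/user.map is assumed to contain the single line `!root = MYDOMAIN\Administrator`. After restarting winbind, `wbinfo --sid-to-uid <SID>` for a domain user should return a value inside the MYDOMAIN range, while `wbinfo --sid-to-gid S-1-5-32-544` (BUILTIN\Administrators) should fall in the default range; if either lands in the other range, the two ranges overlap and the mappings will eventually clash. With Administrator mapped to root, `net rpc rights grant "MYDOMAIN\Domain Admins" SeDiskOperatorPrivilege -U "MYDOMAIN\Administrator"` is the usual way to assign the privilege from the Samba side.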

