[Samba] Unable to set SeDiskOperatorPrivilege (again)

Elias Pereira empbilly at gmail.com
Wed May 24 22:37:07 UTC 2017


>
> Please don't use those numbers, '10000' is the default domain start
> number on ADUC and there are nowhere near 9999 well know SIDS, plus if
> you are not using winbind, you do not need those lines


Is there a "best" range for this, or can I use the default values posted on
the wiki?

idmap config * : backend = tdb
idmap config * : range = 3000-7999
...
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999


On Wed, May 24, 2017 at 7:17 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 25 May 2017 07:40:50 +1000
> John Gardeniers via samba <samba at lists.samba.org> wrote:
>
> > Hi Rowland,
> >
> > Those low numbers you refer to are in fact the standard numbers
> > assigned to those groups, so I fail to see the problem.
>
> Yes, they are standard numbers, they are standard RIDs and as such have
> no place on Unix
>
> > As for
> > mapping Administrator to root, I believe that's entirely optional,
> > rather than required. Under normal circumstances we don't use the
> > domain Administrator account at all. We have a root account we use
> > instead.
>
> Yes, it is optional, but if you want to do things from windows, it
> easier to use Administrator on windows that is mapped to root on the
> Unix DC. The problems start when you give Administrator a uidNumber
> that isn't '0'
>
> >
> > In regard to winbind, we have never used it and there's a concern
> > here that it may clash with our use of sssd, which is working great
> > for all normal purposes. Using multiple authentication mechanisms
> > against the same source can't be a good idea and, as you can see from
> > my question, we have no trouble resolving users or groups normally.
>
> Anything sssd can do, winbind can do, winbind is supported by Samba,
> sssd isn't, if you want sssd support, try the sssd-users mailing list
>
> >
> > Here's smb.conf from the test machine:
> >
> > [global]
> >      security = ADS
> >      workgroup = MYDOMAIN
> >      realm = MYDOMAIN.COM.AU
> >
> >      log file = /var/log/samba/%m.log
> >      log level = 1
> >
> >      # Default ID mapping configuration for local BUILTIN accounts
> >      # and groups on a domain member. The default (*) domain:
> >      # - must not overlap with any domain ID mapping configuration!
> >      # - must use an read-write-enabled back end, such as tdb.
> >      idmap config * : backend = tdb
> >      idmap config * : range = 10000-19999
>
> Please don't use those numbers, '10000' is the default domain start
> number on ADUC and there are nowhere near 9999 well know SIDS, plus if
> you are not using winbind, you do not need those lines
>
> Rowland
>
>



-- 
Elias Pereira
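The reply above turns on one concrete check: the default (*) idmap range must not overlap the range (or the ADUC default start of 10000) used for the domain. The script below is an added example, not code from the thread's authors or from the Samba project. It parses the "idmap config <domain> : range" lines out of an smb.conf and flags overlapping ranges and a '*' range that covers 10000. Both sample configs are constructed from the fragments quoted in the thread; the MYDOMAIN range added to the first one is an assumption (the original post shows only the '*' range).

```python
"""Range-overlap check for the idmap settings discussed in the thread.

Added example (not code from the thread's authors or the Samba project):
parse the "idmap config <domain> : range" lines from an smb.conf and flag
the two problems raised in the reply: a default (*) range that overlaps a
domain range, and a default range that covers 10000, the number ADUC
assigns first. Both sample configs are constructed from the thread's
fragments; the MYDOMAIN range in the first one is an assumption.
"""
import re
from typing import Dict, List, Tuple

ADUC_DEFAULT_START = 10000  # first uidNumber/gidNumber ADUC assigns by default

# Constructed sample: the test machine's config from the thread, plus an
# assumed MYDOMAIN range to show how the '*' range collides with it.
BAD_SMB_CONF = """
[global]
    security = ADS
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM.AU
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 10000-999999
"""

# Constructed sample: the wiki layout quoted in the thread.
GOOD_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
"""

# smb.conf allows spaces around the colon and parameter names are case-insensitive.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config ... : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m or m.group("key").lower() != "range":
            continue
        lo_s, hi_s = m.group("val").split("-", 1)
        lo, hi = int(lo_s), int(hi_s)
        if lo > hi:
            raise ValueError(f"inverted range for {m.group('dom')}: {lo}-{hi}")
        ranges[m.group("dom").upper()] = (lo, hi)
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of idmap domains whose ranges share at least one id."""
    names = sorted(ranges)
    clashes: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                clashes.append((a, b))
    return clashes


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems; empty when the ranges are sane."""
    ranges = parse_idmap_ranges(conf)
    problems: List[str] = []
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' (needed for BUILTIN/well-known SIDs)")
    for a, b in find_overlaps(ranges):
        problems.append(f"ranges for {a} and {b} overlap")
    if "*" in ranges:
        lo, hi = ranges["*"]
        if lo <= ADUC_DEFAULT_START <= hi:
            problems.append(
                f"'*' range {lo}-{hi} covers {ADUC_DEFAULT_START}, "
                "the first id ADUC assigns to domain objects"
            )
    return problems


if __name__ == "__main__":
    for name, conf in (("thread config", BAD_SMB_CONF), ("wiki config", GOOD_SMB_CONF)):
        issues = check_idmap(conf)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against a real smb.conf by reading the file into check_idmap(); an empty list means no overlap between the default and domain ranges. The check is purely on the numbers and says nothing about whether winbind is in use, which is the other point raised in the reply.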

