[Samba] sysvolreset doesn't reset all ACLs

Rowland Penny rpenny at samba.org
Fri Sep 1 07:20:02 UTC 2017


On Thu, 31 Aug 2017 18:59:21 -0400 (EDT)
me at tdiehl.org wrote:

> On Thu, 31 Aug 2017, Rowland Penny via samba wrote:
> 
> > On Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
> > me at tdiehl.org wrote:
> >
> >> On Thu, 24 Aug 2017, Rowland Penny via samba wrote:
> >>
> >>> On Thu, 24 Aug 2017 12:41:36 +0200
> >>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >>>
> >>> I actually used worse words when I found out why I couldn't get my
> >>> work on the python code to work. ;-)
> >>>
> >>>> Does this apply only to sysvolreset or also when fixing ACLs from
> >>>> Windows?
> >>>
> >>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> >>> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> >>> moment you give 'Domain Admins' a gidNumber, you break this
> >>> mapping and the group becomes just a group and cannot own
> >>> anything on a Unix machine, so my recommendation is to not give
> >>> the group a gidNumber, create another group 'Unix Admins' ? give
> >>> this group a gidNumber and make this group a member of 'Domain
> >>> Admins'
> >>
> >> So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers
> >> running samba-4.6.2-8.el7.x86_64 on Centos 7.4. In setting up
> >> shares on the file servers I see that
> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >> says to grant SeDiskOperatorPrivilege to the Domain Admins group.
> >>
> >> If I follow Rowland's advice above and make a unix admins group,
> >> do I still grant SeDiskOperatorPrivilege to Domain Admins or do I
> >> grant SeDiskOperatorPrivilege to Unix Admins?
> >>
> >> I am thinking "Unix Admins" group needs SeDiskOperatorPrivilege
> >> but I want to be sure.
> >
> > Basically, wherever the wiki page mentions 'Domain Admins' use 'Unix
> > Admins' instead (you don't have to use a group called 'Unix
> > Admins', it just seemed a logical name to me), so yes, you give
> > both a gidNumber and 'SeDiskOperatorPrivilege' to 'Unix Admins',
> > you will also need to make 'Unix Admins' a member of 'Domain Admins'
> >
> >>
> >> Also When I create the shares do I set the permissions to root:Unix
> >> Admins?
> >
> > Yes, or 'Unix Admins' will not be able to do anything.
> >
> >>
> >> If I do getent group "domain admins" nothing returns. Which I
> >> believe is because Domain Admins does not have a unix GID assigned.
> >
> > Good, whilst 'Domain Admins' isn't used by the default GPOs, it is
> > used (as an owner) by other GPOs you will add.
> >
> >>
> >> If I do:
> >> (vfs2 pts4) # getent group "unix admins"
> >> unix admins:x:10001:
> >> (vfs2 pts4) #
> >>
> >> That works. Since unix admins is a member of domain admins is that
> >> good enough?
> >
> > Yes.
> 
> Thanks for the quick response.
> 
> One more question, when I created the Unix Admins group using ADUC, I
> noticed that there was a place to add members on the Unix attributes
> tab. Should I be adding users there, on the members tab or both?
> 
> Regards,
> 

You can add members on the Unix attributes tab, but all this will do is
to give you some extra attributes in AD that nothing uses ;-)

Rowland
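The procedure Rowland describes above (leave 'Domain Admins' without a gidNumber, create a separate Unix-enabled admin group, nest it in 'Domain Admins', and give that group SeDiskOperatorPrivilege and share ownership on the member servers), written up as a script. This is an added example, not code from the thread or from the Samba project. It assumes a NetBIOS domain SAMDOM, NIS domain samdom, a group named 'Unix Admins' with gidNumber 10001, a share at /srv/samba/share, and a samba-tool whose 'group add' accepts --gid-number/--nis-domain; the DRY_RUN switch and the 'check' sub-command are my additions for verification.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): script the advice above.
# A separate Unix-enabled admin group gets the gidNumber and SeDiskOperatorPrivilege;
# 'Domain Admins' is left without a gidNumber so it keeps its ID_TYPE_BOTH mapping
# in idmap.ldb and can still own files and directories in sysvol.
#
# Assumed values (change for your domain): NetBIOS domain SAMDOM, NIS domain samdom,
# group 'Unix Admins' with gidNumber 10001, share path /srv/samba/share.
# Assumes samba-tool's 'group add' accepts --gid-number/--nis-domain (Samba 4.x);
# if yours does not, set gidNumber on the Unix Attributes tab in ADUC instead.
set -eu

DOMAIN="${DOMAIN:-SAMDOM}"
NIS_DOMAIN="${NIS_DOMAIN:-samdom}"
UNIX_ADMINS="${UNIX_ADMINS:-Unix Admins}"
GID_NUMBER="${GID_NUMBER:-10001}"
SHARE_PATH="${SHARE_PATH:-/srv/samba/share}"
ADMIN_USER="${ADMIN_USER:-administrator}"
DRY_RUN="${DRY_RUN:-}"   # set DRY_RUN=1 to print the commands instead of running them

# Execute a command, or print it verbatim when DRY_RUN is set (printf rather than
# echo, so the backslash in 'DOMAIN\group' survives under dash).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# On the DC: create the Unix-enabled group WITH a gidNumber.
# Never do this to 'Domain Admins' itself.
create_unix_admins() {
    run samba-tool group add "$UNIX_ADMINS" \
        --gid-number="$GID_NUMBER" --nis-domain="$NIS_DOMAIN"
}

# On the DC: nest the new group inside 'Domain Admins', so its members get
# domain-admin rights while 'Domain Admins' stays a gidNumber-less AD group.
nest_in_domain_admins() {
    run samba-tool group addmembers "Domain Admins" "$UNIX_ADMINS"
}

# On a member file server: wherever the wiki says 'Domain Admins', use the
# Unix-enabled group instead. The privilege is granted on the file server
# itself, so repeat this on every file server.
grant_disk_operator() {
    run net rpc rights grant "$DOMAIN\\$UNIX_ADMINS" SeDiskOperatorPrivilege \
        -U "$DOMAIN\\$ADMIN_USER"
}

# On a member file server: the share directory is owned by root and
# group-owned by the Unix-enabled group, otherwise its members can do nothing.
own_share_dir() {
    run mkdir -p "$SHARE_PATH"
    run chown "root:$UNIX_ADMINS" "$SHARE_PATH"
    run chmod 0770 "$SHARE_PATH"
}

# Verify the state the thread expects: the Unix-enabled group resolves through
# winbind/NSS, 'Domain Admins' does not (no gidNumber means no Unix group).
check_mappings() {
    if ! getent group "$UNIX_ADMINS" >/dev/null 2>&1; then
        printf 'FAIL: %s does not resolve; check its gidNumber and winbind nss\n' "$UNIX_ADMINS" >&2
        return 1
    fi
    if getent group "Domain Admins" >/dev/null 2>&1; then
        printf 'WARN: Domain Admins has a Unix GID, so its ID_TYPE_BOTH mapping is broken\n' >&2
        return 2
    fi
    printf 'OK: %s resolves; Domain Admins stays an AD-only group\n' "$UNIX_ADMINS"
}

dispatch() {
    case "${1:-}" in
        dc)     create_unix_admins; nest_in_domain_admins ;;
        member) grant_disk_operator; own_share_dir ;;
        check)  check_mappings ;;
        *)      printf 'usage: %s dc|member|check\n' "$0" >&2; return 64 ;;
    esac
}

# Run only when given a sub-command, so the file can also be sourced for its functions.
case $# in 0) ;; *) dispatch "$@" ;; esac
```

Run it as `sh unix-admins.sh dc` on one DC, `sh unix-admins.sh member` on each file server, and `sh unix-admins.sh check` on a file server once winbind has picked up the new group; `DRY_RUN=1 sh unix-admins.sh member` prints the exact commands first so you can review the group and domain names before anything is changed.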
