[Samba] sysvolreset doesn't reset all ACLs

L.P.H. van Belle belle at bazuin.nl
Fri Sep 1 09:19:02 UTC 2017


Hai, 

Some comments on..

> Basically, wherever the wikipage mentions 'Domain Admins' 
> use 'Unix Admins' instead (you don't have to use a group 
> called 'Unix Admins', it just seemed a logical name to me), 
> so yes, you give both a gidNumber and 
> 'SeDiskOperatorPrivilege' to 'Unix Admins', you will also 
> need to make 'Unix Admins' a member of 'Domain Admins'
> 

I don't agree here, and I'll explain why, but correct me where needed if you don't agree. 
Do explain please, so we can all learn from it.
Keep in mind here also, I try to reflect MS Windows as closely as possible where possible. 

Remember things like this; this is not only for Administrators but involves all default groups. 

1) BUILTIN\Administrators ( also seen as DOMAIN\Administrators or SERVERNAME\Administrators ) 
    ( other groups like this, see OU=Builtin in your AD. ) 
2) DOMAIN\Domain Admins
3) DOMAIN\Unix Admins ( as example ) 
4) Use "winbind use default domain = yes", even when it's not recommended, it helps if you need Linux access. 
5) "winbind expand groups = 2" is the minimum with this setup. Samba default = 0. 
6) Too much nesting of groups in depth will slow down your Samba. 

Extra comments on the above. 
1a) needs the SePrivileges. 
2a) is always a member of 1 ( but can have SePrivileges also, depends on the how/where/what ) 
3a) can be any name you want, add gid, etc. ( but can have SePrivileges also, depends on the how/where/what ) 
    Imo, should be added either to Domain Admins, if your Unix admins are only allowed in domain things and the local server,
    OR, if you should be able to do everything on your server and management through RSAT tools, add (also) to BUILTIN\Administrators.
4a) only needed imo when you also "work" on the Linux CLI. If you have only Windows clients, you don't need it. 
5a) No comment, it's as it says. 
6a) Think in advance about your setup. I have my setup at max 4 nested groups. 

So, imo, this is best to match with "how" windows does its things. 

Just remember this also.
1) root is always Administrator ( 
2) DOMAIN\Administrator should NEVER have any uid/gid 
3) Create a new DOMAIN\Admin and give that one a UID. 
4) PAM in most cases with Kerberos sets a min UID=1000, so the "New" DOMAIN\Admin is able to log in with ssh when it has a UID.

Extra comments on the above. 
1a) user Administrator workaround, without it you are unable to set privileges
    so yes, username map = /etc/samba/samba_usermapping is really needed. 
    And always set minimal : !root = DOMAIN\Administrator DOMAIN\administrator 
    Optional : !root = DOMAIN\Administrator DOMAIN\administrator Administrator administrator 
    (Personally I only use the minimal setup because DOMAIN\Administrator IS NOT EQUAL TO Administrator, these are different users.) 
2a) As it states, Administrator, NEVER SET A UID/GID, it will mess up your server. Just don't do it. 
    ( if you did, remove it, run : net cache flush and restart samba/winbind to make sure it's gone, and check again.)
3a) This is preferred; if you create one, make sure you check for the same settings and groups as Administrator.
4a) This is why you should create a new Admin, so you can log in with ssh without changing system defaults. 
    This is my personal preference, not changing defaults where possible; this helps in the long run.


And now you know this, for your sysvolreset. 
Have a look here: https://github.com/thctlo/samba4 
I'm putting my well-tested script on github, and please improve my code where it's possible.  ;-) 
There are better coders here than me to be honest, I just have some good ideas now and then. 

Checkout : samba-check-set-sysvol.sh
Tested by me and Rowland, on debian related servers. 
It tests SID to UID/GID, SID to NAME, NAME to SID, and if all are correct it sets the UID/GID rights for sysvol. 
And it sets up the correct ( as close as possible ) rights for your sysvol. 


Any comments, yes please, but keep it nice if you don't agree, and explain why. 


Greetz, 

Louis
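
A lint for three of the settings recommended in the message above, as an added example that is not part of the original post or of the samba-check-set-sysvol.sh script: it checks that [global] sets a username map, that "winbind expand groups" is at least 2, and that the map file carries a "!root" line naming DOMAIN\Administrator. The domain name SAMDOM, the sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs; SAMDOM is a placeholder domain name (assumption).
SAMPLE_SMB_CONF = """\
[global]
    username map = /etc/samba/samba_usermapping
    winbind expand groups = 2
"""
SAMPLE_USERMAP = "!root = SAMDOM\\Administrator SAMDOM\\administrator\n"

def _lines(text):
    """Stripped lines, without blanks and '#' / ';' comment lines."""
    return [s for s in map(str.strip, text.splitlines()) if s and s[0] not in "#;"]

def global_params(smb_conf):
    """[global] parameters as a dict; names are lower-cased with whitespace removed."""
    params, section = {}, None
    for line in _lines(smb_conf):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def root_mapping(usermap):
    """Return (has_stop_flag, [windows names]) for the root line, or None if absent."""
    for line in _lines(usermap):
        unix, _, names = (part.strip() for part in line.partition("="))
        # A leading '!' tells Samba to stop reading the map once this line matches.
        if unix.lstrip("! ") == "root":
            return unix.startswith("!"), re.findall(r'"[^"]*"|\S+', names)
    return None

def lint(smb_conf, usermap, domain):
    """Return findings; an empty list means the checked settings match the post."""
    findings, params = [], global_params(smb_conf)
    if "usernamemap" not in params:
        findings.append("[global] has no 'username map'")
    expand = params.get("winbindexpandgroups", "0")  # the post gives 0 as the default
    if not expand.isdigit() or int(expand) < 2:
        findings.append("'winbind expand groups' is below 2")
    root = root_mapping(usermap)
    wanted = f"{domain}\\Administrator".lower()
    if root is None or wanted not in [n.strip('"').lower() for n in root[1]]:
        findings.append(f"no root mapping for {domain}\\Administrator")
    elif not root[0]:
        findings.append("root mapping lacks the leading '!'")
    return findings
```

Calling lint(SAMPLE_SMB_CONF, SAMPLE_USERMAP, "SAMDOM") returns an empty list; the check that DOMAIN\Administrator has no uid/gid needs a live winbind and is not covered here.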