[Samba] Adding Share Windows ACL
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 26 10:41:17 UTC 2018
Yes, you're right and not... Sorry...
> This is a sddl of a GPO in sysvol:
> The important part is at the start:
> O = owner
> G = group
> DA = Domain Admins
> The only way this can occur on a Unix DC is if Domain Admins doesn't
> have a gidNumber attribute.
Yes yes, I know. About 1 year ago we both looked this all up.
The SDDL is fine, and works better if you set ignore system acls.
Because then you can have O:DAG:DAD: it's only not shown on the system.
This is imo also the interesting part, and still I don't agree... Because
I do have gids on "domain users/guest/admins" on my AD backend DCs and members.
0 problems here.
getent group "domain users"
domain users:x:10000:.... Here all my users with uid.
getent group "domain admins"
getent group "domain guests"
Yes. Here no computer in the group, but the gid was added; this works fine.
Test it Rowland and you will see it works, maybe I found some great loopholes here..
But I really like the ignore system acls because it fixes a lot of SID/UID/GID related problems.
I also advise using it as little as possible, but imo sysvol, netlogon, profiles, users and a deploy share
really benefit from the parameter.
This works really well for me, as of Samba 4.4+, now at 4.7.4.
> > Only one BEWARE !!
> > If you change to ignore system acls, you MUST RE-APPLY ALL SHARE AND
> > SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, don't
> > run samba-tool sysvolreset !
> Yes, do not run sysvolreset, but not because of this problem, it is
> because the underlying 'C' code doesn't set the ACLs correctly, see:
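The thread turns on reading the O:/G: header of a sysvol SDDL string (O = owner, G = group, DA = Domain Admins) and on which principals the DC therefore has to map to a Unix id. The decoder below is an added example for this thread, not Samba's own code: it splits an SDDL string into its owner, group and DACL segments, resolves the standard two-letter aliases (DA, EA, SY, AU, ...) and the well-known domain RIDs (512, 513, 514, 519), decodes the two access masks that typically appear on GPO directories, and lists the principals named as owner/group. The sample SDDL string is constructed to resemble a GPO directory ACL; its exact ACE list is an assumption, not a dump from a real DC.

```python
"""Decode the O:/G:/D: header of an SDDL string as pasted for a sysvol GPO.

Added example for this mailing-list thread, not Samba's own code. The sample
SDDL below is constructed to look like a GPO directory ACL (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard SDDL two-letter SID aliases (subset of the documented list).
WELL_KNOWN = {
    "DA": "Domain Admins", "DU": "Domain Users", "DG": "Domain Guests",
    "EA": "Enterprise Admins", "BA": "Builtin Administrators",
    "BU": "Builtin Users", "SY": "Local System", "AU": "Authenticated Users",
    "WD": "Everyone", "CO": "Creator Owner", "ED": "Enterprise Domain Controllers",
}
# Well-known domain-relative RIDs, for trustees written as literal SIDs.
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users",
               514: "Domain Guests", 519: "Enterprise Admins"}
# Access masks commonly seen in hex on sysvol, plus the generic file aliases.
MASKS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}
RIGHTS_ALIASES = {"FA": "full control", "FR": "read", "FW": "write", "FX": "execute"}


@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny
    flags: str         # e.g. OICI = object inherit + container inherit
    rights: str
    trustee: str       # alias or SID exactly as written
    trustee_name: str  # resolved name, or the raw token if unknown


@dataclass
class Sddl:
    owner: Optional[str]
    group: Optional[str]
    dacl_flags: str    # e.g. P = protected (no inheritance from parent)
    dacl: List[Ace]


def resolve_trustee(token: str) -> str:
    """Map an alias or SID string to a readable name; unknown values pass through."""
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", token)
    if m and int(m.group(1)) in DOMAIN_RIDS:
        return DOMAIN_RIDS[int(m.group(1))]
    return token


def describe_rights(token: str) -> str:
    if token in RIGHTS_ALIASES:
        return RIGHTS_ALIASES[token]
    if token.lower().startswith("0x"):
        return MASKS.get(int(token, 16), token)
    return token


def split_segments(text: str) -> Dict[str, str]:
    """Split into O:, G:, D:, S: segments; colons only occur as segment markers."""
    marks = [(m.start(), m.group(1)) for m in re.finditer(r"([OGDS]):", text)]
    segs: Dict[str, str] = {}
    for i, (pos, tag) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(text)
        segs[tag] = text[pos + 2:end]
    return segs


def parse_sddl(text: str) -> Sddl:
    segs = split_segments(text.strip())
    dacl_text = segs.get("D", "")
    first_paren = dacl_text.find("(")
    flags = dacl_text if first_paren < 0 else dacl_text[:first_paren]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl_text):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _obj, _inh, trustee = fields[:6]
        aces.append(Ace(ace_type, ace_flags, describe_rights(rights),
                        trustee, resolve_trustee(trustee)))
    owner, group = segs.get("O"), segs.get("G")
    return Sddl(resolve_trustee(owner) if owner else None,
                resolve_trustee(group) if group else None, flags, aces)


def owner_and_group_principals(sddl: Sddl) -> List[str]:
    """Principals stored as file owner/group, i.e. the ones that need a uid/gid
    mapping on a Unix DC (the gidNumber point raised in the thread)."""
    return sorted({n for n in (sddl.owner, sddl.group) if n})


# Constructed sample resembling a sysvol GPO directory ACL (assumption).
SAMPLE = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    parsed = parse_sddl(SAMPLE)
    print("owner:", parsed.owner, "| group:", parsed.group, "| dacl flags:", parsed.dacl_flags)
    for ace in parsed.dacl:
        print(f"  {ace.ace_type} {ace.flags:8} {ace.rights:18} {ace.trustee_name}")
    print("needs uid/gid mapping:", owner_and_group_principals(parsed))
```

Feed it the SDDL string from `samba-tool ntacl get` (or the one pasted earlier in the thread) to see which principal sits in O: and G:; for the sample it reports Domain Admins for both, which is exactly the case the thread discusses.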